Unveiling the OWASP Top 10 of 2021: A Comprehensive Guide to Web Application Security
Below are examples in PHP and Node.js for each item on the OWASP Top 10 list. Note that these examples illustrate vulnerable code as well as secure alternatives for each risk.
Broken Access Control
PHP:
- Vulnerable:
  // Role check only: any admin can delete any user id supplied in the request
  if ($_SESSION['user_role'] == 'admin') {
      deleteUser($_GET['user_id']);
  }
- Secure:
  // Read the target id once, then require both the role and a permission
  // check for that specific target before acting on it
  $user_id = $_GET['user_id'];
  if ($_SESSION['user_role'] === 'admin' && checkUserPermissions($user_id, 'delete_user')) {
      deleteUser($user_id);
  }
Node.js:
- Vulnerable:
  // Role check only: any admin can delete any user id supplied in the request
  if (req.session.userRole === 'admin') {
      deleteUser(req.query.userId);
  }
- Secure:
  // Read the target id once, then require both the role and a permission
  // check for that specific target before acting on it
  const userId = req.query.userId;
  if (req.session.userRole === 'admin' && checkUserPermissions(userId, 'delete_user')) {
      deleteUser(userId);
  }
Cryptographic Failures
PHP:
- Vulnerable:
$hashed_password = md5($password);
- Secure:
$hashed_password = password_hash($password, PASSWORD_DEFAULT);