OWASP Top 10 — Demo Hub

Ten interactive modules. Click Insecure to trigger the flaw, or Secure to see the fix. Each button links to its own page so teams can dive deeper.

A01:2021 — Broken Access Control
94% tested

Moves up from #5. Mapped to 34 CWEs, with the most total occurrences of any category. Common forms: IDORs, missing authorization checks, forced browsing.

Scenarios: IDOR, vertical/horizontal privilege escalation, function-level access control.

A02:2021 — Cryptographic Failures
was Sensitive Data Exposure

Refocused on crypto mistakes (not symptoms). Think: plaintext secrets, weak algorithms, no TLS/HSTS, missing key rotation.

Demos: plaintext vs password_hash(), TLS flags, secure cookie attrs.

A03:2021 — Injection (incl. XSS)
33 CWEs

Slides to #3; still everywhere. SQLi, command/LDAP injection, XSS variants. Show both the payload and the fix (prepared statements / output encoding).

Demos: login bypass, time-based SQLi, stored/reflected/DOM XSS.

A04:2021 — Insecure Design
new in 2021

Design flaws vs implementation bugs. Add threat modeling, secure design patterns and reference architectures to "shift left".

Demos: weak password reset workflow, long-lived tokens, missing re-auth for sensitive actions.

A05:2021 — Security Misconfiguration
was #6

90% tested. Default settings, verbose errors, directory listing, exposed admin tools. XXE is folded in here.

Demos: phpinfo exposed, .env readable, debug on in prod.

A06:2021 — Vulnerable & Outdated Components
moved up from #9

Using components with known vulnerabilities. No direct CVE mapping in Top 10 scoring, but high real-world risk.

Demos: outdated JS lib exploit vs pinned version + SRI.

A07:2021 — Identification & Authentication Failures
was Broken Auth

Brute force, weak session management, session fixation. Frameworks help, but configuration still matters.

Demos: no rate limit vs lockout/backoff; session rotation; cookie flags.

A08:2021 — Software & Data Integrity Failures
new in 2021

Assuming updates and data are trustworthy without verification. CI/CD pipelines, unsigned files, insecure deserialization.

Demos: unserialize() gadget vs signed payloads & checks.

A09:2021 — Security Logging & Monitoring Failures
survey #3

Hard to test, but critical for visibility & forensics. Log authentication events, access denials and admin actions; alert on anomalies.

Demos: nothing logged vs structured logs + alert thresholds.

A10:2021 — Server-Side Request Forgery (SSRF)
community #1 pick

Low incidence, high impact. The attacker makes the server fetch internal resources (IMDS, localhost, private CIDRs).

Demos: open fetcher vs strict allowlist + private IP block + re-resolution.