owasp-top-10
Safeguard articles tagged "owasp-top-10" — guides, analysis, and best practices for software supply chain and application security.
71 articles
What is Insecure Deserialization
Insecure deserialization (CWE-502) lets attackers turn untrusted object data into remote code execution. Here's how the attack works and how to stop it.
What is Broken Access Control
Broken access control is OWASP's #1 web risk, found in 94% of apps tested. See how IDOR flaws breached First American, USPS, and Parler.
What is Insecure Direct Object Reference (IDOR)
IDOR lets attackers access other users data just by changing an ID in a URL or API call. Learn how it works, real breaches, and how to fix it.
What is LDAP Injection
LDAP injection lets attackers manipulate directory queries to bypass authentication or dump directory data. Here's how it works, real CVEs, and how to stop it.
What is Prototype Pollution
Prototype pollution lets attackers corrupt Object.prototype via unsafe merges, turning a data bug in lodash, jQuery, or minimist into RCE.
What is a Business Logic Vulnerability
Business logic vulnerabilities exploit correct code enforcing the wrong rules. Learn what they are, real breach examples, and how to detect them.
What is Broken Authentication
Broken authentication lets attackers assume another user's identity via credential stuffing, forged tokens, or auth-bypass CVEs like Fortinet's CVE-2022-40684.
What Are Cryptographic Failures
Cryptographic failures are OWASP's #2 Top 10 risk — weak, missing, or broken encryption. See real breaches, causes, and how to detect and fix them.
What Are Security Logging and Monitoring Failures
Equifax went undetected for 76 days, Marriott for four years. Here's what security logging and monitoring failures are, why they happen, and how to close the gap.
XXE (XML External Entity) attack
A precise breakdown of what an XXE attack is, how XML external entity injection works, a real-world exploit example, the billion laughs attack, and prevention techniques.
What is Input Validation
Input validation stops malicious data at the door. See the CVEs — Equifax, Log4Shell, MOVEit — that prove why skipping it, or doing it wrong, is so costly.
What is Output Encoding
Output encoding neutralizes untrusted data before it reaches a browser or database -- the last line of defense against XSS, and most teams still get it wrong.