OWASP Top 10 Testing Guide: Practical Testing for Every Category
The OWASP Top 10 is the most widely referenced list of web application security risks. The 2021 edition represents a consensus view of the most critical risk categories, ranked by prevalence and impact data rather than by any one team's opinion. This guide goes beyond awareness and provides concrete testing techniques for every category.
A01: Broken Access Control
Broken access control (BAC) moved to the #1 position in 2021, and for good reason — it's everywhere. Testing priorities:
Insecure Direct Object References (IDOR)
# Change ID in URL, body, or header
GET /api/invoices/1042 → change to /api/invoices/1043
POST /api/delete {"id": 1042} → change to {"id": 1043}
# If IDs are GUIDs rather than sequential integers, harvest another user's GUID from
# wherever it leaks (profile pages, shared links, API responses, exported files) and
# substitute it while authenticated as your own account
Privilege Escalation
Use the Autorize Burp extension to replay every request with a lower-privileged session. Also test horizontal privilege escalation (user A accessing user B's data) separately from vertical (user accessing admin functions). The Privilege Escalation Generator produces test cases for common web privilege escalation patterns.
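The differential replay that Autorize automates, as an added example against a simulated in-memory API (this is illustration code written for this guide, not the page's or any tool's code; the invoice IDs, session tokens and users are invented). A request recorded in a privileged session is replayed under a weaker session and, unauthenticated, under no session at all; a finding is any replay that returns exactly what the privileged session got. The vulnerable handler authenticates but never authorises, the fixed one adds object-level and function-level checks:

```python
"""Added example: differential access-control replay (what Autorize does).
Simulated in-memory API; resource IDs, users and paths are constructed."""
from dataclasses import dataclass

# Constructed sample data: invoice id -> owning user, and session -> (user, role).
INVOICES = {1042: "alice", 1043: "bob"}
SESSIONS = {"sess-alice": ("alice", "user"),
            "sess-bob": ("bob", "user"),
            "sess-admin": ("carol", "admin")}

@dataclass
class Response:
    status: int
    body: str

def vulnerable_app(method, path, session):
    """Authenticates, but never authorises: IDOR on invoices, no admin check."""
    if session not in SESSIONS:
        return Response(401, "login required")
    if path.startswith("/api/invoices/"):
        inv = int(path.rsplit("/", 1)[1])
        if inv not in INVOICES:
            return Response(404, "not found")
        return Response(200, f"invoice {inv} of {INVOICES[inv]}")
    if path == "/api/admin/users":
        return Response(200, "alice,bob,carol")
    return Response(404, "not found")

def fixed_app(method, path, session):
    """Same API with object-level (owner) and function-level (role) authorisation."""
    if session not in SESSIONS:
        return Response(401, "login required")
    user, role = SESSIONS[session]
    if path.startswith("/api/invoices/"):
        inv = int(path.rsplit("/", 1)[1])
        # 404 rather than 403 so the existence of another user's object is not leaked.
        if INVOICES.get(inv) != user:
            return Response(404, "not found")
        return Response(200, f"invoice {inv} of {user}")
    if path == "/api/admin/users":
        if role != "admin":
            return Response(403, "forbidden")
        return Response(200, "alice,bob,carol")
    return Response(404, "not found")

def replay_as_other_sessions(app, recorded, lower_sessions):
    """Replay each recorded (method, path, original_session) under each weaker
    session (None = unauthenticated). A finding is a replay whose status AND body
    equal the privileged baseline: the weaker session got exactly the same data.
    Horizontal = same role, different user; vertical = non-admin reaching admin."""
    findings = []
    for method, path, orig_session in recorded:
        baseline = app(method, path, orig_session)
        if baseline.status != 200:
            continue                     # nothing sensitive to compare against
        for other in lower_sessions:
            if other == orig_session:
                continue
            replay = app(method, path, other)
            if (replay.status, replay.body) == (baseline.status, baseline.body):
                kind = "vertical" if SESSIONS[orig_session][1] == "admin" else "horizontal"
                findings.append((kind, method, path, other))
    return findings

# Constructed traffic: what a tester records while browsing as alice and as the admin.
RECORDED = [("GET", "/api/invoices/1042", "sess-alice"),
            ("GET", "/api/admin/users", "sess-admin")]
LOWER = [None, "sess-bob", "sess-alice"]

if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, replay_as_other_sessions(app, RECORDED, LOWER))
```

Comparing the full body and not just the status code matters: a handler that returns 200 with an empty object to the wrong user is not a finding, and one that returns 200 with the other user's data is. In a real assessment the replay goes through the proxy, but the decision rule is the same.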
CORS Misconfiguration
# Test by adding an Origin header with an attacker-controlled domain
Origin: https://evil.com
# Vulnerable response: the origin is reflected AND credentials are allowed
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
# Also test the null origin (sent by sandboxed iframes and some redirect chains);
# Access-Control-Allow-Origin: null with credentials is just as exploitable
Origin: null
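An added example (written for this guide, not taken from the page or any tool) that generates the origin probes worth sending and grades the response to each. The sample response headers are constructed; the target host name is a placeholder. Note the wildcard case: browsers refuse to send credentials to an `Access-Control-Allow-Origin: *` response, so `*` plus `Allow-Credentials: true` exposes only data that was already public.

```python
"""Added example: CORS probe generation and response grading.
Pure functions over header dicts, so it runs offline; all headers are constructed."""

def cors_probes(target_host):
    """Origins worth sending. Each one targets a different sloppy allow-list check."""
    return [
        "https://evil.com",                    # plain reflection of any origin
        "null",                                # sandboxed iframes / file:// send Origin: null
        f"https://{target_host}.evil.com",     # prefix match ("startswith(target)")
        f"https://evil{target_host}",          # suffix match ("endswith(target)")
        f"http://{target_host}",               # scheme downgrade: trusts plain http
    ]

def classify_cors(probe_origin, headers):
    """Return (severity, reason) for one probe/response pair.
    headers: dict of response header name -> value, looked up case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return ("none", "no ACAO header; browser blocks cross-origin reads")
    if acao == "*":
        # Browsers never attach cookies/auth to a wildcard-origin response.
        return ("low", "wildcard ACAO; credentials cannot be sent, unauthenticated data only")
    if acao == probe_origin:
        if creds:
            return ("high", f"reflects {probe_origin} with credentials: authenticated cross-origin read")
        return ("medium", f"reflects {probe_origin} without credentials: only public data readable")
    return ("none", f"ACAO={acao} does not match probe; origin was not trusted")

def assess(target_host, responses):
    """responses: probe origin -> response headers (missing = no CORS headers returned)."""
    return {o: classify_cors(o, responses.get(o, {})) for o in cors_probes(target_host)}

# Constructed sample exchanges for a target called example.com.
SAMPLE_RESPONSES = {
    "https://evil.com": {"Access-Control-Allow-Origin": "https://evil.com",
                         "Access-Control-Allow-Credentials": "true"},
    "null": {"Access-Control-Allow-Origin": "null",
             "Access-Control-Allow-Credentials": "true"},
    "https://example.com.evil.com": {"Access-Control-Allow-Origin": "https://example.com"},
}

if __name__ == "__main__":
    for origin, verdict in assess("example.com", SAMPLE_RESPONSES).items():
        print(f"{origin:35} {verdict[0]:6} {verdict[1]}")
```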
A02: Cryptographic Failures
Test for sensitive data in transit and at rest:
- Check for HTTP (non-HTTPS) endpoints, including any HTTP-to-HTTPS redirect where sensitive data is already in the initial plaintext request, and confirm a Strict-Transport-Security header is set
- Inspect cookies for the Secure and HttpOnly flags (and a SameSite value)
- Test for weak cipher suites and protocol versions with nmap --script ssl-enum-ciphers or testssl.sh
- Search HTTP responses for PII, tokens, and secrets using the Secret Scanner
- Check for sensitive data in localStorage, sessionStorage, and URL parameters (URLs end up in logs, proxies, and Referer headers)
A03: Injection
SQL Injection
Test every parameter that interacts with a database. Use single quote probes and monitor for error messages, behavior changes, or time delays. Automate with sqlmap:
sqlmap -u "https://example.com/search?q=test" --batch --level=3 --risk=2
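The probe-and-compare loop behind the single-quote test, as an added example against an in-memory SQLite table (illustration code written for this guide; the schema, rows, and the two search functions are constructed, not taken from any real application). It shows the three signals a manual tester looks for, error-based (the bare quote breaks the query), boolean-based (a true and a false condition return different row sets), and a UNION pull of rows the query was never meant to return, and that the bound-parameter version gives none of them:

```python
"""Added example: SQLi probing against a constructed SQLite table.
Vulnerable (string-concatenated) and parameterized search functions side by side."""
import sqlite3

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "apple", 0), (2, "banana", 0), (3, "hidden-sku", 1)])
    db.commit()
    return db

def search_vulnerable(db, q):
    """String concatenation: the classic injectable query."""
    sql = f"SELECT name FROM products WHERE secret = 0 AND name LIKE '%{q}%'"
    return [r[0] for r in db.execute(sql)]

def search_parameterized(db, q):
    """Bound parameter: user input can never change the query's structure."""
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE ?"
    return [r[0] for r in db.execute(sql, (f"%{q}%",))]

# Probes are built around a benign base value so the baseline is a known row set.
PROBES = [
    ("quote", "app'"),                                   # syntax break => error-based signal
    ("true",  "app%' OR 1=1 OR '1'='1"),                 # always-true: result set grows
    ("false", "app%' AND 1=2 AND '1'='1"),               # always-false: result set empties
    ("union", "x%' UNION SELECT name FROM products WHERE secret=1 -- "),  # pulls hidden rows
]

def probe(search, db):
    """Run every probe; record ('ok', rows) or ('error', message) per probe."""
    results = {}
    for label, payload in PROBES:
        try:
            results[label] = ("ok", search(db, payload))
        except sqlite3.Error as e:
            results[label] = ("error", str(e))
    return results

def is_injectable(search, db):
    """Error-based: the quote probe errors. Boolean-based: true and false probes
    differ. With bound parameters both probes are just odd literals and return
    the same (empty) set, so there is no differential to detect."""
    r = probe(search, db)
    error_based = r["quote"][0] == "error"
    boolean_based = (r["true"][0] == "ok" and r["false"][0] == "ok"
                     and r["true"][1] != r["false"][1])
    return error_based or boolean_based

if __name__ == "__main__":
    db = setup_db()
    for name, fn in (("vulnerable", search_vulnerable), ("parameterized", search_parameterized)):
        print(name, "injectable:", is_injectable(fn, db), probe(fn, db))
```

Time-based probes (`sleep`, `pg_sleep`, `WAITFOR DELAY`) follow the same pattern with response time as the signal; they are what sqlmap falls back to when nothing is reflected in the response.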
Cross-Site Scripting (XSS)
Test all input points with basic probes and check reflection context. Automated scanning misses context-specific bypasses. See the XSS Cheat Sheet for payload variants per context.
Command Injection
# Test in fields that might interact with OS commands (ping, traceroute, DNS lookup features)
; id
| id
`id`
$(id)
; sleep 5
| sleep 5
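A lookup feature built two ways, as an added example written for this guide (not the page's code): the vulnerable version splices the host into a shell string, so every probe above executes; the hardened version validates against a hostname allow-list pattern and runs the command as an argv list with no shell. `echo` stands in for `ping` so it runs anywhere, and the probes use `echo INJECTED` as a harmless marker instead of `id`:

```python
"""Added example: OS command injection, vulnerable vs hardened lookup.
Uses echo in place of ping; probes and hostnames are constructed."""
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens separated by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def lookup_vulnerable(host):
    """Input is spliced into a shell string: ; | backticks and $() all execute."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def lookup_hardened(host):
    """Allow-list validation first, then argv form: no shell ever parses the input."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host: {host!r}")
    cmd = ["echo", "resolving", host]        # each element is exactly one argv entry
    return subprocess.run(cmd, capture_output=True, text=True).stdout

PROBES = ["; echo INJECTED", "| echo INJECTED", "`echo INJECTED`", "$(echo INJECTED)"]

def injection_results(lookup):
    """For each probe: True if the marker appeared in the output, 'rejected' if the
    input was refused before any command ran, False otherwise."""
    out = {}
    for p in PROBES:
        try:
            out[p] = "INJECTED" in lookup("example.com" + p)
        except ValueError:
            out[p] = "rejected"
    return out

if __name__ == "__main__":
    print("vulnerable:", injection_results(lookup_vulnerable))
    print("hardened:  ", injection_results(lookup_hardened))
```

The argv list alone already stops the shell metacharacters; the allow-list is still worth having because the target binary may interpret its own argument syntax (options beginning with `-`, for instance).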
A04: Insecure Design
This is a design-level category — vulnerabilities that can't be fixed with a patch because the fundamental design is flawed. Test for:
- Missing rate limiting on authentication, registration, and password reset endpoints
- Business logic flaws (negative quantities in shopping carts, coupon stacking, price manipulation)
- Insufficient workflow validation (skipping payment step in multi-step checkout)
- Predictable token generation for password resets or email verification
A05: Security Misconfiguration
Automated tools catch most of this category. Check for:
# Default credentials
admin:admin, admin:password, root:root
# Exposed admin interfaces
/admin, /phpmyadmin, /wp-admin, /.git, /actuator, /console
# Directory listing
# Verbose error messages leaking stack traces, version numbers
# Cloud storage misconfigurations
aws s3 ls s3://bucket-name --no-sign-request
The Recon Hub can enumerate common misconfiguration patterns across a target domain.
A06: Vulnerable and Outdated Components
Enumerate software versions and check against vulnerability databases:
# Identify versions from response headers, HTML comments, error pages
Server: Apache/2.2.31
X-Powered-By: PHP/7.1.0
# Audit dependency manifests and lockfiles when you have source access (or when a public repo exposes them)
npm audit
pip-audit
mvn dependency-check:check
# Use Retire.js Burp extension for JavaScript library CVE detection
A07: Identification and Authentication Failures
- Test for username enumeration (different error messages for valid vs invalid usernames)
- Check for missing account lockout (brute force password)
- Test "remember me" tokens for predictability and proper expiry
- Test multi-factor authentication bypass (response manipulation, code reuse)
- Check for session fixation (does the session ID change after login?)
- Test JWT vulnerabilities: algorithm confusion (RS256 token re-signed as HS256 with the public key as the secret), the none algorithm, weak HS256 secrets, and whether the server actually verifies the signature at all
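The none-algorithm and weak-secret checks from the list above, as an added example against a tiny HS256 verifier written for this guide (illustration code, not any library's implementation; the secret, wordlist and claims are constructed). The vulnerable verifier obeys whatever `alg` the token header declares, the hardened one pins the algorithm server-side, and `crack_hs256` shows why a weak HS256 secret is as bad as no signature: the token itself is an offline HMAC oracle.

```python
"""Added example: JWT alg=none forgery, algorithm pinning and HS256 secret cracking.
Minimal HS256 implementation for illustration; secret and wordlist are constructed."""
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def forge_none(claims: dict) -> str:
    """Attacker side: header says alg=none and the signature segment is left empty."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def _check_hs256(h: str, p: str, s: str, secret: bytes) -> dict:
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))

def verify_vulnerable(token: str, secret: bytes) -> dict:
    """Trusts the header's alg field: 'none' means no signature check at all."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") == "none":
        return json.loads(b64url_decode(p))
    return _check_hs256(h, p, s, secret)

def verify_hardened(token: str, secret: bytes) -> dict:
    """Pins the algorithm: the header's alg is compared, never obeyed."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}")
    return _check_hs256(h, p, s, secret)

def crack_hs256(token: str, wordlist):
    """Offline dictionary attack: recompute the HMAC for each candidate secret."""
    h, p, s = token.split(".")
    sig = b64url_decode(s)
    for word in wordlist:
        cand = hmac.new(word.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(cand, sig):
            return word
    return None

WEAK_SECRET = b"secret"                                   # constructed; the kind of value seen in the wild
WORDLIST = ["password", "changeme", "secret", "jwt_secret"]  # constructed mini wordlist

if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, WEAK_SECRET)
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("vulnerable accepts forged:", verify_vulnerable(forged, WEAK_SECRET))
    print("cracked secret:", crack_hs256(legit, WORDLIST))
```

With a recovered secret the tester re-signs a token with elevated claims and it passes even the hardened verifier, which is why the secret's strength (and rotation) is part of the finding, not just the algorithm handling. Real cracking runs the same loop with hashcat mode 16500 over a large wordlist.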
A08: Software and Data Integrity Failures
Includes deserialization attacks and insecure CI/CD pipelines:
- Test serialized objects in cookies, request bodies, and headers for deserialization gadget chains (ysoserial for Java; a base64 blob beginning with rO0AB is a Java serialized stream)
- Check for unsigned or weakly signed update mechanisms
- Test subresource integrity (SRI): do external script tags carry an integrity attribute (and the crossorigin attribute it needs)?
A09: Security Logging and Monitoring Failures
You can't directly test the absence of logging from a black-box perspective, but you can infer it:
- Perform obvious attacks (multiple failed logins, SQLi probes) and note whether you get blocked, rate-limited, or challenged; if nothing changes after sustained noise, detection is probably absent or not acted on (treat this as evidence, not proof)
- Note whether failed authentication attempts return consistent, non-verbose error messages
- In gray-box assessments, ask for log samples to verify security events are captured
A10: Server-Side Request Forgery (SSRF)
SSRF lets attackers make the server issue requests on their behalf — critical in cloud environments for metadata service access:
# Test any parameter that accepts a URL (webhooks, image fetchers, PDF generators, import-from-URL)
url=http://169.254.169.254/latest/meta-data/
# AWS IMDSv2 requires a token fetched with PUT, so a GET-only SSRF may return nothing here; that is a finding about the SSRF, not proof it is harmless
url=http://metadata.google.internal/
# GCP additionally requires the header Metadata-Flavor: Google, so this needs header control as well
url=http://<burp-collaborator>.oastify.com/ssrf-test
# An out-of-band callback proves the server fetched the URL even when nothing is reflected
# Common bypasses when 127.0.0.1 / localhost are on a string-match blocklist
http://2130706433/ (decimal IP for 127.0.0.1)
http://0x7f000001/ (hex IP for 127.0.0.1)
http://127.1/ (short form; inet_aton fills the missing octets)
http://[email protected]/ (@ trick: everything before the @ is userinfo, the real host follows it)
http://127.0.0.1#@evil.com/ (fragment trick: the parser stops at #, a naive check sees evil.com)
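Why the forms above get past a string-match blocklist, and what a canonicalising check looks like, as an added example written for this guide (not the page's or any library's code). Only literal IP hosts are decided here so it runs offline with no DNS; the URLs, including a userinfo form `http://evil.com@127.0.0.1/` used to stand in for the @ trick, are constructed. The point is to judge the address the URL parser actually produces, after converting the legacy decimal, hex, octal and short dotted forms that `inet_aton` accepts:

```python
"""Added example: naive SSRF blocklist vs canonicalising checker.
Handles IP literals only (no DNS); all URLs are constructed."""
import ipaddress
from urllib.parse import urlparse

NAIVE_BLOCKLIST = ("127.0.0.1", "localhost", "169.254.169.254", "metadata.google.internal")

def naive_is_blocked(url):
    """What many apps do: substring match on the raw URL string."""
    return any(bad in url for bad in NAIVE_BLOCKLIST)

def _part(s):
    """One dotted component, inet_aton style: 0x prefix = hex, leading 0 = octal."""
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:] or "0", 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)

def parse_ipv4_literal(host):
    """Accept the legacy inet_aton forms (1 to 4 parts; decimal/hex/octal).
    The last part fills the remaining bytes: a.b.c.d, a.b.c(16-bit), a.b(24-bit), a(32-bit).
    Returns an IPv4Address, or None if host is not such a literal."""
    try:
        parts = [_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4:
        return None
    lead, last = parts[:-1], parts[-1]
    if any(not 0 <= p <= 255 for p in lead):
        return None
    last_bits = 8 * (4 - len(lead))
    if not 0 <= last < (1 << last_bits):
        return None
    value = 0
    for p in lead:
        value = (value << 8) | p
    value = (value << last_bits) | last
    return ipaddress.IPv4Address(value)

def canonical_is_blocked(url):
    """Parse the URL properly, then judge the address, not the string.
    Returns (blocked, reason). A real hostname would need DNS resolution
    (and a re-check at connect time against rebinding); here it is reported as unresolved."""
    u = urlparse(url)
    if u.scheme not in ("http", "https"):
        return (True, f"scheme {u.scheme!r} not allowed")
    host = u.hostname          # userinfo, port and brackets stripped; the fragment is never part of it
    if host is None:
        return (True, "no host")
    if host == "localhost" or host.endswith(".localhost"):
        return (True, "localhost")
    ip = parse_ipv4_literal(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)        # IPv6 literal such as ::1
        except ValueError:
            return (False, f"hostname {host!r} needs DNS resolution before a decision")
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return (True, f"{host!r} is {ip}, a non-public address")
    return (False, f"{ip} is public")

if __name__ == "__main__":
    for url in ("http://2130706433/", "http://0x7f000001/", "http://127.1/",
                "http://evil.com@127.0.0.1/", "http://127.0.0.1#@evil.com/",
                "http://169.254.169.254/latest/meta-data/", "http://[::1]/", "http://8.8.8.8/"):
        print(f"{url:45} naive={naive_is_blocked(url)!s:5} canonical={canonical_is_blocked(url)}")
```

Even the canonical check is only half of a fix: the safe design resolves the hostname, checks every returned address, and then connects to that exact address, so a DNS answer cannot change between the check and the request.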
Use the Network Recon Tool to identify SSRF-prone endpoints by scanning for URL parameters and webhook configurations in the target application. Score and document your findings using the CVSS Calculator to ensure consistent risk ratings across all OWASP categories.