A developer asks: what does OWASP A01 Broken Access Control mean in practice?
Broken Access Control (A01) is the top OWASP risk because it is ubiquitous. It covers IDOR (changing /users/123 to /users/124 to see another user's profile), privilege escalation (a regular user accessing admin endpoints), missing function-level access control, and CORS misconfiguration. The fix: enforce authorization server-side on every request, never trust client-supplied identifiers for access decisions. Always verify "does this authenticated user have permission for this specific resource?"
2 / 5
What is SQL injection and what is the correct prevention?
SQL injection: user input is concatenated into a SQL string, allowing the database to interpret it as SQL commands. Classic payload: ' OR '1'='1. Prevention: parameterized queries (the query structure is fixed, user input is a typed parameter). ORMs parameterize automatically but beware raw query escape hatches. Input validation is defense-in-depth, not the primary control. SQLi allows data exfiltration, destruction, and authentication bypass.
3 / 5
What is SSRF (Server-Side Request Forgery)?
SSRF: the server fetches a URL supplied by the attacker. In cloud environments (AWS, GCP, Azure), this exposes the instance metadata service at 169.254.169.254, leaking IAM credentials. Mitigation: validate and allowlist URLs, block private IP ranges after DNS resolution (rebinding attacks), enforce IMDSv2 (requires PUT token), and run fetch services in isolated network segments with no access to internal services.
4 / 5
What does XSS (Cross-Site Scripting) allow an attacker to do?
XSS: attacker-controlled script executes in the victim's browser under the application's domain, inheriting its cookies (if not HttpOnly), localStorage, and DOM access. Three types: stored (persisted in DB, widest impact), reflected (in URL, requires victim to click), DOM-based (client-side script writes untrusted data to DOM). Prevention: output encoding (HTML, JS, URL context), Content Security Policy, HttpOnly and Secure cookie flags.
5 / 5
In OWASP A06, what is a Software Bill of Materials (SBOM) used for?
SBOM: a formal inventory of all software components (libraries, frameworks, tools) and their versions. Formats: CycloneDX, SPDX. When Log4Shell (CVE-2021-44228) dropped, organizations with SBOMs identified affected systems in minutes; those without took days. Tools: Grype, Trivy, Snyk, OWASP Dependency-Check match SBOMs against the NVD (National Vulnerability Database). A06 also covers security in CI: sign artifacts, verify signatures at deploy time.