Web Security and OWASP Top 10 Guide 2026: XSS, CSRF, Injection, CSP, CORS, HSTS, and Supply Chain Security

An injection attack where malicious scripts are injected into trusted websites. The script executes in the victim browser with the same origin, accessing cookies, session tokens, and DOM. Three types: reflected (URL parameters), stored (database), and DOM-based (client-side manipulation). Mitigations: output encoding (HTML entities), Content Security Policy, input validation, DOMPurify for HTML sanitization.

An attack that forces an authenticated user to submit unwanted requests. The attacker crafts a request (form submission, image tag) that the victim browser sends with valid session cookies. Mitigations: CSRF tokens (synchronizer token pattern), SameSite cookie attribute (Lax or Strict), checking Origin/Referer headers, requiring re-authentication for sensitive actions.

An injection attack where malicious SQL is inserted into application queries through user input. Can read, modify, or delete database data, bypass authentication, and execute OS commands. Mitigations: parameterized queries (prepared statements), ORM with parameter binding, input validation (allowlist), least privilege database accounts. Never concatenate user input into SQL strings.

An attack where the server is tricked into making HTTP requests to unintended destinations. The attacker supplies a URL that the server fetches, accessing internal services (metadata endpoints, admin panels, databases) that are not directly accessible. Mitigations: URL validation (allowlist), block internal IP ranges, disable redirects, network segmentation.

An HTTP response header that controls which resources the browser can load for a page. Defines allowed sources for scripts, styles, images, fonts, frames, and connections. Mitigates XSS by blocking inline scripts and unauthorized script sources. Directives: default-src, script-src, style-src, img-src, connect-src, frame-ancestors. Use nonces or hashes for inline scripts. Report violations with report-uri.

An HTTP header that forces browsers to use HTTPS for all future requests to the domain. Prevents SSL stripping attacks (downgrade from HTTPS to HTTP). Directives: max-age (duration in seconds), includeSubDomains (apply to all subdomains), preload (register in browser preload list). Recommended: max-age=63072000; includeSubDomains; preload.

A browser security mechanism that controls cross-origin HTTP requests. By default, browsers block requests from one origin to another (Same-Origin Policy). CORS headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods) selectively relax this restriction. Preflight requests (OPTIONS) check permissions before the actual request. Never use Access-Control-Allow-Origin: * with credentials.

A fundamental browser security mechanism that restricts scripts from one origin from accessing resources from another origin. An origin is defined by protocol + hostname + port. Without SOP, any website could read data from your banking session. CORS, postMessage, and JSONP are controlled exceptions to SOP.

The Open Worldwide Application Security Project. A nonprofit organization that produces free security resources: OWASP Top 10 (most critical web application risks), ASVS (Application Security Verification Standard), Testing Guide, Cheat Sheet Series, and tools (ZAP, Dependency-Check). The standard reference for web application security.

Verifying the identity of a user or system. "Who are you?" Mechanisms: passwords + MFA, OAuth 2.0 / OIDC, API keys, certificates (mTLS), biometrics, passkeys (WebAuthn/FIDO2). Authentication must be followed by authorization. Common failures: weak passwords, no MFA, credential stuffing, session fixation.

Verifying what an authenticated user is permitted to do. "What can you do?" Models: RBAC (role-based), ABAC (attribute-based), ACL (access control lists), ReBAC (relationship-based). Always enforce on the server side, never trust client-side checks. Check authorization at every endpoint. Common failure: IDOR (Insecure Direct Object Reference).

A type of broken access control where an attacker accesses resources by modifying object identifiers (IDs) in requests. Example: changing /api/orders/123 to /api/orders/124 to access another user order. Mitigation: always verify that the authenticated user owns or has permission to access the requested resource. Use authorization checks, not just authentication.

Requiring two or more verification factors: something you know (password), something you have (phone, hardware key), something you are (biometrics). TOTP (time-based one-time passwords) via authenticator apps. FIDO2/WebAuthn hardware keys (YubiKey) are phishing-resistant. SMS-based MFA is weakest (SIM swapping). MFA prevents 99.9% of account compromise attacks.

A passwordless authentication standard using public-key cryptography. The private key stays on the user device (phone, laptop, hardware key). The server stores only the public key. Phishing-resistant (bound to origin), no shared secrets, biometric-protected. Supported by Apple, Google, Microsoft. Replaces passwords for consumer authentication.

A compact token format containing claims signed with HMAC or RSA/ECDSA. Three parts: header (algorithm), payload (claims), signature. Stateless: the server verifies the signature without a database lookup. Security concerns: cannot be revoked (use short expiry + refresh tokens), sensitive data should not be in the payload (base64-encoded, not encrypted), algorithm confusion attacks (always validate alg header).

An authorization framework for granting third-party applications limited access to user resources. Grant types: Authorization Code + PKCE (web/mobile apps), Client Credentials (service-to-service), Device Code (TVs, CLIs). Issues access tokens (short-lived) and refresh tokens (long-lived). OIDC (OpenID Connect) adds authentication (ID token) on top of OAuth 2.0.

A cryptographic protocol securing data in transit. TLS 1.3 (current) removed weak ciphers, reduced handshake latency (1-RTT, 0-RTT resumption), and mandates forward secrecy. TLS 1.2 is still acceptable; TLS 1.0/1.1 are deprecated. Certificate management: Let us Encrypt (free, automated), certificate pinning (mobile), and Certificate Transparency logs.

A password hashing function designed to be computationally expensive (slow). Uses a salt and configurable work factor (cost). Bcrypt at cost 12 takes ~250ms to hash. Alternatives: Argon2id (memory-hard, recommended by OWASP), scrypt (memory-hard). Never use MD5, SHA-1, or SHA-256 for password hashing (too fast, enables brute force).

The winner of the Password Hashing Competition (2015). Three variants: Argon2d (GPU-resistant), Argon2i (side-channel-resistant), Argon2id (hybrid, recommended). Memory-hard: requires significant RAM, making GPU/ASIC attacks expensive. Parameters: memory cost, time cost, parallelism. OWASP recommended settings: Argon2id, 19MB memory, 2 iterations, 1 parallelism.

A browser feature that verifies the integrity of resources loaded from CDNs. The script/link tag includes a hash of the expected content. If the CDN is compromised and serves modified code, the browser blocks it. Format: <script src="cdn/lib.js" integrity="sha384-abc123" crossorigin="anonymous">. Generate with openssl dgst -sha384 -binary file | openssl base64.

A browser behavior where the browser guesses the MIME type of a response by examining the content, ignoring the Content-Type header. Can be exploited to execute scripts from files served as images or text. Prevention: X-Content-Type-Options: nosniff header forces the browser to use the declared Content-Type.

An attack where a user is tricked into clicking something different from what they perceive. The attacker overlays a transparent iframe of the target site over a malicious page. The victim thinks they are clicking the malicious page but actually clicks the invisible target site (e.g., "Like" button, bank transfer). Prevention: X-Frame-Options: DENY or CSP frame-ancestors directive.

Limiting the number of requests a client can make in a time window. Protects against: brute force attacks (login attempts), DDoS, API abuse, credential stuffing. Algorithms: token bucket, sliding window, fixed window. Return HTTP 429 with Retry-After header. Apply per IP, per user, per endpoint, and globally.

An attack that overwhelms a service with traffic from many sources (botnet). Types: volumetric (bandwidth saturation), protocol (SYN flood, UDP flood), application layer (HTTP flood, slowloris). Mitigation: CDN/WAF (Cloudflare, AWS Shield), rate limiting, auto-scaling, geo-blocking, traffic analysis. Cannot be fully prevented but can be mitigated.

A firewall that filters, monitors, and blocks HTTP traffic to and from a web application. Rules detect: SQL injection, XSS, CSRF, bot traffic, known attack patterns. Deployment: cloud WAF (Cloudflare, AWS WAF), appliance (F5), or software (ModSecurity). WAF is a defense layer, not a replacement for secure coding.

Analyzing third-party dependencies for known vulnerabilities (CVEs), license issues, and outdated versions. Tools: Snyk, Dependabot, Renovate, npm audit, OWASP Dependency-Check. Run in CI/CD pipeline. Generate SBOM (Software Bill of Materials). Automate dependency updates with security patches.

Analyzing source code for security vulnerabilities without executing it. Detects: injection flaws, hardcoded secrets, insecure cryptography, taint tracking (user input flowing to dangerous sinks). Tools: SonarQube, Semgrep, CodeQL, Checkmarx. Runs in CI/CD pipeline. Complement with DAST for runtime vulnerabilities.

Testing a running application for vulnerabilities by sending crafted requests and analyzing responses. Detects: XSS, injection, misconfigurations, authentication flaws. Tools: OWASP ZAP, Burp Suite, Nikto. Runs against staging environment. Does not require source code access. Complement with SAST for code-level vulnerabilities.

Authorized simulated attack on a system to find security vulnerabilities. White box (full source access), gray box (partial access), black box (no access). Covers: web application, API, network, social engineering, and physical security. Results in a report with findings, severity, and remediation steps. Annual or before major releases.

A security model that does not trust any user or system by default, regardless of network location. Principles: verify explicitly (authenticate and authorize every request), least privilege access, assume breach (monitor, detect, respond). Implementation: identity-based access, micro-segmentation, mTLS, continuous verification, no implicit trust for internal network.

Securely storing, distributing, and rotating secrets (API keys, passwords, certificates, tokens). Never store secrets in code, environment variables (visible in process list), or config files committed to git. Use: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Doppler. Rotate secrets regularly. Audit access.

A system for monitoring and auditing SSL/TLS certificates. Certificate Authorities must log all issued certificates to public logs. Anyone can monitor logs for unauthorized certificates for their domain. Browsers require Certificate Transparency for all new certificates. Tools: crt.sh for searching certificate logs.

A comprehensive list of all components, libraries, and dependencies in software. Formats: SPDX, CycloneDX. Used for: vulnerability tracking, license compliance, supply chain security. Required by US Executive Order 14028 for government software. Generated by: Syft, Trivy, Docker Scout, Snyk.

An attack that targets the software supply chain rather than the application directly. Vectors: compromised npm/PyPI packages, hijacked GitHub Actions, malicious Docker images, compromised CI/CD pipelines, dependency confusion. Growing rapidly: 5,200+ incidents in 2026. Mitigations: lock files, SRI, SBOM, signature verification, vendor evaluation.

Cookie attributes that improve security: Secure (HTTPS only), HttpOnly (no JavaScript access, prevents XSS cookie theft), SameSite=Lax/Strict (prevents CSRF), Path (restrict cookie scope), Domain (restrict to specific domain), Max-Age/Expires (set expiration). Modern default: Secure; HttpOnly; SameSite=Lax.

An attack where the attacker sets a known session ID for the victim before authentication. After the victim logs in, the attacker uses the known session ID to hijack the session. Prevention: regenerate session ID after authentication (req.session.regenerate()), use secure session management, never accept session IDs from URL parameters.

Verifying that user input conforms to expected format, type, length, and range before processing. Allowlist (accept known good) is safer than blocklist (reject known bad). Server-side validation is required (client-side is easily bypassed). Use typed schemas: Zod, joi, JSON Schema. Validate: data type, length, range, format (regex), and encoding.

Converting potentially dangerous characters to safe representations before inserting data into HTML, JavaScript, CSS, or URLs. HTML: &lt; for <, &amp; for &. JavaScript: Unicode escaping. URL: percent-encoding. Context-specific encoding is essential: HTML encoding does not protect against XSS in JavaScript contexts. Use templating engines that auto-encode.

HTTP response headers that instruct browsers to enable security features. Critical: Content-Security-Policy (XSS prevention), Strict-Transport-Security (HTTPS enforcement), X-Content-Type-Options (MIME sniffing prevention), X-Frame-Options (clickjacking prevention). Medium: Permissions-Policy, Referrer-Policy, COOP, CORP. Test with securityheaders.com.

Gaining higher access privileges than intended. Vertical: regular user gains admin access. Horizontal: user A accesses user B data. Caused by: insecure direct object references (IDOR), missing authorization checks, role management flaws, default admin credentials. Prevention: enforce authorization at every endpoint, principle of least privilege.

Insecure Cross-Origin Resource Sharing configuration that allows unauthorized origins to access the API. Common mistakes: reflecting the Origin header as Access-Control-Allow-Origin (allows any origin), allowing null origin, using wildcards with credentials, overly permissive allowlists. Always validate against a strict allowlist of trusted origins.

Designing systems to easily swap cryptographic algorithms when vulnerabilities are discovered. Post-quantum cryptography will require replacing current algorithms. Design: abstract crypto behind interfaces, centralize algorithm selection, avoid hardcoding algorithms. NIST post-quantum standards: CRYSTALS-Kyber (key encapsulation), CRYSTALS-Dilithium (signatures).

A standard file (/.well-known/security.txt) that tells security researchers how to report vulnerabilities. Contains: contact information, encryption key (PGP), acknowledgment page, policy URL, preferred languages, expiration date. RFC 9116. Adopted by major organizations. Helps responsible disclosure.

A structured process for identifying security threats, vulnerabilities, and countermeasures. Frameworks: STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), PASTA (Process for Attack Simulation and Threat Analysis), Attack Trees. Performed during design phase. Inputs: architecture diagrams, data flows, trust boundaries. Output: prioritized list of threats with mitigations.

Injection attacks targeting NoSQL databases (MongoDB, CouchDB, DynamoDB). Attacker injects operators or queries through user input. MongoDB example: { "username": { "$gt": "" }, "password": { "$gt": "" } } bypasses authentication. Prevention: input validation, typed queries, ORM/ODM with parameter binding, disable JavaScript execution in MongoDB.

A JavaScript vulnerability where an attacker modifies Object.prototype, affecting all objects in the application. Via __proto__, constructor.prototype, or Object.assign with untrusted data. Can lead to: property injection, denial of service, RCE in server-side JS. Prevention: Object.create(null), input validation, Object.freeze(Object.prototype), schema validation.

Exploiting insecure deserialization of untrusted data. The application deserializes attacker-controlled data, which can: execute arbitrary code, manipulate application logic, or cause denial of service. Affected: Java (ObjectInputStream), PHP (unserialize), Python (pickle), .NET (BinaryFormatter). Prevention: avoid deserializing untrusted data, use safe formats (JSON), validate before deserializing.

A random value generated per request and included in both the CSP header and inline script tags. Only scripts with a matching nonce are executed. More flexible than hash-based CSP for dynamic inline scripts. Format: Content-Security-Policy: script-src nonce-{random}. Script tag: <script nonce="{random}">. Nonce must be unpredictable and unique per request.

Integrating security into every phase of software development. Phases: security requirements (design), threat modeling (design), secure coding standards (implementation), security testing (SAST, DAST, SCA), security review (pre-release), incident response (operations). Shift-left: find and fix vulnerabilities early when they are cheapest to fix. Microsoft SDL and OWASP SAMM are reference frameworks.

A program that rewards security researchers for finding and responsibly disclosing vulnerabilities. Platforms: HackerOne, Bugcrowd, Intigriti. Defines scope (in-scope targets, out-of-scope), reward tiers (based on severity), and rules of engagement. Supplements internal security testing. Major companies (Google, Microsoft, Apple) pay $10K-$250K+ for critical vulnerabilities.