OWASP Top 10 — What Actually Trips Senior Teams
Injection and broken auth are well-handled today. The categories that trip senior teams in 2025: broken access control, SSRF, software supply chain, and insecure deserialization.
Deep dive
The ones that still bite
- Broken access control (A01): object-level authorization (IDOR) is everywhere. Test every endpoint with a non-owning user.
- Cryptographic failures (A02): storing reversible "encryption" of passwords, not using TLS for internal traffic.
- SSRF (A10): any endpoint that fetches a URL on the user's behalf must allow-list destinations and block link-local / metadata IPs.
- Software supply chain (A06 / A08): mitigate with signed images, SBOMs, dependency pinning, and build provenance (SLSA).
Defense in depth
WAF + input validation + parameterized queries + content security policy + RBAC. No single layer is enough.
Real-world example
From production: a "fetch URL preview" endpoint was used to read the EC2 instance metadata service (169.254.169.254), exfiltrating IAM credentials. Fix: allow-list of schemes (http/https only), DNS resolution check, block all link-local / private ranges, and run the fetcher in a namespace with no IAM role.
Interview questions
Q1 (senior-level): What's IDOR and how do you prevent it?
Insecure Direct Object Reference — exposing internal IDs without enforcing ownership. Prevention: every query must include the requesting user (WHERE owner_id = :user), and ideally use opaque/random IDs. Test with a non-owning user as part of your CI suite.
Common mistakes
- Trusting the frontend to do authorization.
- Allow-listing 'safe' image URLs by hostname without resolving the DNS: the name can resolve to an internal address by the time the fetch happens (TOCTOU bypass).
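The scheme allow-list plus DNS resolution check from the production fix above, and the TOCTOU mistake it closes, as an added Python example that is not from the page's source material; `validate_fetch_url`, `system_resolver` and the `DEMO_DNS` table are constructed here, and the returned pinned address is what a real fetcher should connect to instead of resolving the name a second time.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges an outbound fetcher must never reach: "this host", RFC 1918, CGNAT,
# loopback, link-local (covers 169.254.169.254), and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_fetch_url(url, resolver=system_resolver):
    """Return (host, pinned_ip) if url may be fetched, else raise ValueError.
    Connect to pinned_ip (sending Host: host) rather than resolving the name
    again: a second lookup can return an internal address after the check
    passed, which is the TOCTOU bypass."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    addresses = resolver(host)  # a literal IP resolves to itself
    if not addresses:
        raise ValueError(f"{host} did not resolve")
    for addr in addresses:  # every answer must be public, not just the first
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d is really IPv4
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return host, sorted(addresses)[0]

# Constructed DNS table so the example runs offline (hypothetical names).
DEMO_DNS = {
    "img.example.com": {"93.184.216.34"},
    "split.attacker.example": {"93.184.216.34", "169.254.169.254"},
    "mapped.attacker.example": {"::ffff:169.254.169.254"},
    "localhost": {"127.0.0.1", "::1"},
    "169.254.169.254": {"169.254.169.254"},
}

def demo_resolver(host):
    return DEMO_DNS.get(host, set())
```

With the default `system_resolver` the same function runs against live DNS; the demo table exists only so the split-answer and IPv4-mapped cases can be exercised without a network.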
Trade-offs
Strict CSP breaks a lot of third-party scripts; phase it in with report-only first.