4.5.23Software Engineering

Security — OWASP Top 10, input validation, authentication vs authorization

2,141 words10 min readdifficulty · medium

WHY this subtopic exists

WHAT problem are we solving? A program is a machine that turns input into action. If an attacker controls the input, they can steer the action. The entire field of application security is a war over that boundary: the place where untrusted data meets trusted code.

WHY it matters: A single unvalidated field can leak your whole database (SQL injection), run code in a victim's browser (XSS), or let a logged-out user delete an admin's data (broken access control). The OWASP Top 10 is just the frequency-ranked list of how that boundary gets crossed.


The OWASP Top 10 (2021) — the 80/20 core

The 20% you must truly internalize (these cause ~80% of real incidents):

# Category One-line essence
A01 Broken Access Control User does something they shouldn't be allowed to (AuthZ failure)
A02 Cryptographic Failures Secrets sent/stored in the clear or with weak crypto
A03 Injection Untrusted input is interpreted as code (SQL, OS, LDAP, XSS)
A05 Security Misconfiguration Default passwords, verbose errors, open buckets
A07 Identification & Auth Failures Weak login, no rate-limit, broken sessions (AuthN)

Input validation — the master defense

HOW to do it right (three layers, in order of strength):

  1. Allowlist validation (best): accept only what matches a known-good pattern. WHY strongest? You enumerate the small set of good, not the infinite set of bad.
  2. Contextual output encoding / escaping: when data must reach an interpreter, encode it for that specific context (HTML body ≠ HTML attribute ≠ SQL ≠ shell).
  3. Parameterized queries / prepared statements: separate code from data structurally so the data can never become code.

Figure — Security — OWASP Top 10, input validation, authentication vs authorization

Authentication vs Authorization — never confuse them

WHY the order matters: You must authenticate before you authorize — you can't decide what someone is allowed to do until you know who they are. (Anonymous/public access is just AuthZ with the subject = "anonymous".)


Worked examples


Recall Feynman: explain it to a 12-year-old

Imagine your app is a clubhouse. Authentication is the secret handshake at the door that proves you're really you. Authorization is the rule about which rooms your wristband colour lets you enter. Input validation is the bouncer who checks that what people hand him is a ticket and not a sneaky note that says "let everyone in for free." Most break-ins happen because somebody let a sneaky note act like a real instruction, or let a green wristband into the gold room. So: check the handshake, check the wristband for each room, and never trust the note.


Flashcards

What is the OWASP Top 10?
A community-maintained, frequency/evidence-ranked list of the most critical web application security risks (awareness guidance, not a checklist).
Authentication vs Authorization in one line each?
AuthN = proving who you are (identity); AuthZ = deciding what you're allowed to do (permissions).
Which must happen first, AuthN or AuthZ, and why?
AuthN first — you can't decide what a subject may do until you know who the subject is.
Why is blocklisting input weak compared to allowlisting?
Blocklist must enumerate the infinite set of bad inputs (encodings, alternates bypass it); allowlist enumerates the small set of known-good and rejects everything else.
Why do parameterized queries stop SQL injection structurally?
The query template is parsed alone, fixing the parse tree; user input binds only to a leaf value and can never add a syntax node.
What is IDOR and which OWASP category?
Insecure Direct Object Reference — accessing another user's object by changing an ID; it's Broken Access Control (A01).
Why salt + slow-hash passwords?
Salt makes identical passwords hash uniquely (defeats rainbow tables); a tunable slow hash (bcrypt/argon2) makes brute force economically infeasible.
What single principle prevents most injection AND XSS?
Never let untrusted data be interpreted as code — validate input and encode output for its exact destination context.
The mnemonic for top-3 OWASP risks?
"Big Crooks Inject" = Broken access control, Cryptographic failures, Injection.

Connections

  • SQL Databases — parameterized queries / prepared statements
  • HTTP and Web Fundamentals — requests, cookies, headers
  • Cryptography Basics — hashing, salting, TLS
  • Sessions and Tokens (JWT, OAuth) — how AuthN state is carried
  • Principle of Least Privilege — the design rule behind good AuthZ
  • Threat Modeling — finding the untrusted boundaries before coding

Concept Map

guards

splits into

splits into

ranks risks at

is failure of

is failure of

crosses

neutralizes

layer 1 strongest

layer 2

layer 3

separates code from data

Trust boundary: untrusted data meets trusted code

Security = never trust foreign input

Authentication - WHO you are

Authorization - WHAT you can do

OWASP Top 10 ranking

A03 Injection - data treated as code

A01 Broken Access Control

A07 Auth Failures

Input Validation - master defense

Allowlist validation

Contextual output encoding

Parameterized queries

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Dekho, security ka pura khel ek hi line me samajh lo: kabhi bhi aise input par bharosa mat karo jo tumne khud generate nahi kiya. Jab user ka data tumhare code ya database tak pahunchta hai, wahi "boundary" sabse khatarnaak jagah hai. SQL injection, XSS — ye sab isi liye hote hain kyunki program ne data ko code samajh liya. Isliye solution simple hai: allowlist validation karo (sirf known-good shape accept karo), aur database ke liye hamesha parameterized query use karo taaki user ka input kabhi SQL ka hissa na ban sake — driver query template ko alag, values ko alag channel pe bhejta hai.

Ab Authentication vs Authorization — ye dono alag cheezein hain, kabhi confuse mat karna. Authentication matlab "tum kaun ho" prove karna (password, OTP, passkey). Authorization matlab "tum kya kar sakte ho" check karna. Airport socho: passport check = authentication, boarding pass jo bolta hai seat 14C = authorization. Sirf passport hone se kisi bhi plane me nahi chadh sakte. Bahut saare bade hacks (OWASP A01 — Broken Access Control) sirf isliye hote hain ki developer ne socha "user logged in hai, matlab sab dikha do" — galat! Har request pe check karo ki ye user is specific object ka owner hai ya nahi. Default hamesha deny rakho.

OWASP Top 10 yaad rakhne ke liye top-3 ka mnemonic: "Big Crooks Inject" = Broken access control, Cryptographic failures, Injection. Passwords ko kabhi plaintext ya MD5 me store mat karna — bcrypt/argon2 + salt use karo, taaki rainbow table aur brute-force dono fail ho jaayein. Yeh chhoti chhoti aadatein hi 80% real-world breaches rok deti hain. Isliye exam aur job, dono ke liye yeh subtopic gold hai.

Go deeper — visual, from zero

Test yourself — Software Engineering

Connections