WHAT problem are we solving? A program is a machine that turns input into action. If an
attacker controls the input, they can steer the action. The entire field of application security
is a war over that boundary: the place where untrusted data meets trusted code.
WHY it matters: A single unvalidated field can leak your whole database (SQL injection), run
code in a victim's browser (XSS), or let a logged-out user delete an admin's data (broken access
control). The OWASP Top 10 is just the frequency-ranked list of how that boundary gets crossed.
HOW to do it right (three layers, in order of strength):
Allowlist validation (best): accept only what matches a known-good pattern.
WHY strongest? You enumerate the small set of good, not the infinite set of bad.
Contextual output encoding / escaping: when data must reach an interpreter, encode it for
that specific context (HTML body ≠ HTML attribute ≠ SQL ≠ shell).
Parameterized queries / prepared statements: separate code from data structurally so the
data can never become code.
WHY the order matters: You must authenticate before you authorize — you can't decide what
someone is allowed to do until you know who they are. (Anonymous/public access is just AuthZ with
the subject = "anonymous".)
Imagine your app is a clubhouse. Authentication is the secret handshake at the door that
proves you're really you. Authorization is the rule about which rooms your wristband colour
lets you enter. Input validation is the bouncer who checks that what people hand him is a
ticket and not a sneaky note that says "let everyone in for free." Most break-ins happen
because somebody let a sneaky note act like a real instruction, or let a green wristband into the
gold room. So: check the handshake, check the wristband for each room, and never trust the note.
A community-maintained, frequency/evidence-ranked list of the most critical web application security risks (awareness guidance, not a checklist).
Authentication vs Authorization in one line each?
AuthN = proving who you are (identity); AuthZ = deciding what you're allowed to do (permissions).
Which must happen first, AuthN or AuthZ, and why?
AuthN first — you can't decide what a subject may do until you know who the subject is.
Why is blocklisting input weak compared to allowlisting?
Blocklist must enumerate the infinite set of bad inputs (encodings, alternates bypass it); allowlist enumerates the small set of known-good and rejects everything else.
Why do parameterized queries stop SQL injection structurally?
The query template is parsed alone, fixing the parse tree; user input binds only to a leaf value and can never add a syntax node.
What is IDOR and which OWASP category?
Insecure Direct Object Reference — accessing another user's object by changing an ID; it's Broken Access Control (A01).
Why salt + slow-hash passwords?
Salt makes identical passwords hash uniquely (defeats rainbow tables); a tunable slow hash (bcrypt/argon2) makes brute force economically infeasible.
What single principle prevents most injection AND XSS?
Never let untrusted data be interpreted as code — validate input and encode output for its exact destination context.
Dekho, security ka pura khel ek hi line me samajh lo: kabhi bhi aise input par bharosa mat karo
jo tumne khud generate nahi kiya. Jab user ka data tumhare code ya database tak pahunchta hai,
wahi "boundary" sabse khatarnaak jagah hai. SQL injection, XSS — ye sab isi liye hote hain kyunki
program ne data ko code samajh liya. Isliye solution simple hai: allowlist validation karo
(sirf known-good shape accept karo), aur database ke liye hamesha parameterized query use karo
taaki user ka input kabhi SQL ka hissa na ban sake — driver query template ko alag, values ko alag
channel pe bhejta hai.
Ab Authentication vs Authorization — ye dono alag cheezein hain, kabhi confuse mat karna.
Authentication matlab "tum kaun ho" prove karna (password, OTP, passkey). Authorization matlab
"tum kya kar sakte ho" check karna. Airport socho: passport check = authentication, boarding
pass jo bolta hai seat 14C = authorization. Sirf passport hone se kisi bhi plane me nahi chadh
sakte. Bahut saare bade hacks (OWASP A01 — Broken Access Control) sirf isliye hote hain ki developer
ne socha "user logged in hai, matlab sab dikha do" — galat! Har request pe check karo ki ye user
is specific object ka owner hai ya nahi. Default hamesha deny rakho.
OWASP Top 10 yaad rakhne ke liye top-3 ka mnemonic: "Big Crooks Inject" = Broken access
control, Cryptographic failures, Injection. Passwords ko kabhi plaintext ya MD5 me store mat
karna — bcrypt/argon2 + salt use karo, taaki rainbow table aur brute-force dono fail ho jaayein.
Yeh chhoti chhoti aadatein hi 80% real-world breaches rok deti hain. Isliye exam aur job, dono ke
liye yeh subtopic gold hai.