4.5.23 · HinglishSoftware Engineering

Security — OWASP Top 10, input validation, authentication vs authorization

2,021 words9 min readRead in English

4.5.23 · Coding › Software Engineering


WHY this subtopic exists

WHAT problem hum solve kar rahe hain? Ek program ek aisi machine hai jo input ko action mein badalta hai. Agar attacker input control kare, toh woh action ko apni marzi se steer kar sakta hai. Application security ka poora field usi boundary par ek war hai: woh jagah jahan untrusted data, trusted code se milta hai.

WHY yeh matter karta hai: Ek akela unvalidated field tumhara poora database leak kar sakta hai (SQL injection), victim ke browser mein code run kar sakta hai (XSS), ya kisi logged-out user ko admin ka data delete karne de sakta hai (broken access control). OWASP Top 10 bas us boundary ko cross karne ke tarike ki frequency-ranked list hai.


The OWASP Top 10 (2021) — the 80/20 core

Woh 20% jo tumhe sach mein internalize karna chahiye (yeh ~80% real incidents cause karte hain):

# Category One-line essence
A01 Broken Access Control User kuch aisa karta hai jo use karne ki permission nahi honi chahiye (AuthZ failure)
A02 Cryptographic Failures Secrets clear text mein ya weak crypto ke saath send/store hote hain
A03 Injection Untrusted input ko code ki tarah interpret kiya jaata hai (SQL, OS, LDAP, XSS)
A05 Security Misconfiguration Default passwords, verbose errors, open buckets
A07 Identification & Auth Failures Weak login, no rate-limit, broken sessions (AuthN)

Input validation — the master defense

HOW sahi tarike se karo (teen layers, strength ke order mein):

  1. Allowlist validation (best): sirf wahi accept karo jo known-good pattern se match kare. WHY strongest? Tum good ke chhote set ko enumerate karte ho, na ki bad ke infinite set ko.
  2. Contextual output encoding / escaping: jab data kisi interpreter tak pahunchna hi ho, toh use usi specific context ke liye encode karo (HTML body ≠ HTML attribute ≠ SQL ≠ shell).
  3. Parameterized queries / prepared statements: code aur data ko structurally alag rakho taaki data kabhi code nahi ban sake.

Figure — Security — OWASP Top 10, input validation, authentication vs authorization

Authentication vs Authorization — inhe kabhi confuse mat karo

WHY order matter karta hai: Authorize karne se pehle authenticate karna zaroori hai — tum yeh decide nahi kar sakte ki kisi ko kya karne di permission hai jab tak tum jaano nahi ki woh kaun hai. (Anonymous/public access bas woh AuthZ hai jahan subject = "anonymous" hai.)


Worked examples


Recall Feynman: 12-saal ke bachche ko explain karo

Socho tumhara app ek clubhouse hai. Authentication darwaze par woh secret handshake hai jo prove karta hai ki tum sach mein tum hi ho. Authorization woh rule hai ki tumhari wristband ka colour tumhe kaun se rooms mein jaane deta hai. Input validation woh bouncer hai jo check karta hai ki log jo kuch use de rahe hain woh ek ticket hai, na ki koi chalaak chit jo kehti hai "sabko free mein andar aane do." Zyada tar break-ins isliye hote hain kyunki kisine chalaak chit ko real instruction ki tarah act karne diya, ya green wristband wale ko gold room mein jaane diya. Toh: handshake check karo, har room ke liye wristband check karo, aur chit par kabhi trust mat karo.


Flashcards

OWASP Top 10 kya hai?
Ek community-maintained, frequency/evidence-ranked list hai jo sabse critical web application security risks ki hai (awareness guidance, checklist nahi).
Authentication vs Authorization ek-ek line mein?
AuthN = prove karna ki tum kaun ho (identity); AuthZ = decide karna ki tumhe kya karne ki permission hai (permissions).
AuthN aur AuthZ mein se pehle kaun hona chahiye, aur kyun?
AuthN pehle — tum yeh decide nahi kar sakte ki subject kya kar sakta hai jab tak tum jaano nahi ki subject kaun hai.
Allowlisting ke comparison mein blocklisting input kyun weak hai?
Blocklist ko bad inputs ka infinite set enumerate karna padta hai (encodings, alternates use karke bypass ho jaata hai); allowlist known-good ka chhota set enumerate karta hai aur baaki sab reject karta hai.
Parameterized queries SQL injection ko structurally kyun rokti hain?
Query template akele parse hoti hai, parse tree fix ho jaata hai; user input sirf ek leaf value se bind hoti hai aur kabhi koi syntax node add nahi kar sakti.
IDOR kya hai aur kaun si OWASP category hai?
Insecure Direct Object Reference — ID change karke doosre user ke object tak access karna; yeh Broken Access Control (A01) hai.
Password mein salt + slow-hash kyun?
Salt identical passwords ko uniquely hash karta hai (rainbow tables defeat hoti hain); tunable slow hash (bcrypt/argon2) brute force ko economically infeasible bana deta hai.
Woh ek principle kaun sa hai jo zyatar injection AUR XSS ko rokta hai?
Kabhi untrusted data ko code ki tarah interpret mat hone do — input validate karo aur output ko uske exact destination context ke liye encode karo.
Top-3 OWASP risks ka mnemonic?
"Big Crooks Inject" = Broken access control, Cryptographic failures, Injection.

Connections

  • SQL Databases — parameterized queries / prepared statements
  • HTTP and Web Fundamentals — requests, cookies, headers
  • Cryptography Basics — hashing, salting, TLS
  • Sessions and Tokens (JWT, OAuth) — AuthN state kaise carry hoti hai
  • Principle of Least Privilege — good AuthZ ke peeche design rule
  • Threat Modeling — coding se pehle untrusted boundaries dhundhna

Concept Map

guards

splits into

splits into

ranks risks at

is failure of

is failure of

crosses

neutralizes

layer 1 strongest

layer 2

layer 3

separates code from data

Trust boundary: untrusted data meets trusted code

Security = never trust foreign input

Authentication - WHO you are

Authorization - WHAT you can do

OWASP Top 10 ranking

A03 Injection - data treated as code

A01 Broken Access Control

A07 Auth Failures

Input Validation - master defense

Allowlist validation

Contextual output encoding

Parameterized queries