A01 Broken Access Control (remains #1, 3.73% average detection rate across 40 CWEs), A02 Cryptographic Failures, A03 Software Supply Chain Failures (NEW - expands 2021's Vulnerable Components, covers dependencies, build systems, distribution), A04 Injection (includes SQL, NoSQL, OS command, XPath, ORM injection), A05 Insecure Design, A06 Security Misconfiguration, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Mishandling of Exceptional Conditions (NEW - 24 CWEs for error handling, failing open, logical errors). OWASP Top 10:2025 RC1 released Nov 6, 2025, analyzing 2.8M+ applications across 589 CWEs (vs 400 in 2021). Final version expected 2026.
Web Security OWASP FAQ & Answers
30 expert Web Security OWASP answers researched from official documentation. Every answer cites authoritative sources you can verify.
Prepared Statements (Parameterized Queries) are OWASP's primary defense against SQL injection (OWASP Top 10:2025 A03). Parameterized queries force the database to distinguish between code and data, so an attacker cannot change the intent of the query. Implementation: use placeholders for user input instead of string concatenation. Example: SELECT * FROM users WHERE id = ? with parameter binding, NOT 'SELECT * FROM users WHERE id = ' + userInput. Works across all major databases (PostgreSQL $1, MySQL ?, SQL Server @param). Benefits: complete protection when properly implemented (every untrusted value is bound, never concatenated), automatic handling of special characters, no escaping needed. Framework support: all modern ORMs (TypeORM, Sequelize, Prisma) use parameterized queries by default. Defense-in-depth: combine with the principle of least privilege (minimize database permissions), input validation (allowlist for format), and automated security testing (SAST/DAST in CI/CD). OWASP A03:2021-2025 Injection remains a critical threat.
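The contrast the answer draws, concatenation versus parameter binding, as an added example that is not part of the original page. It uses Python's standard sqlite3 module with a small constructed in-memory users table; the table contents, the hostile input string and the is_valid_id allowlist are assumptions made for the demonstration.

```python
import re
import sqlite3

def build_db():
    # Constructed sample data for the example (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn

def lookup_concatenated(conn, user_input):
    # The pattern the page warns against: query text built from untrusted input.
    # The database cannot tell which quotes came from the developer and which
    # came from the user, so the input can change the query's intent.
    sql = "SELECT id, name FROM users WHERE name = '" + user_input + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_input):
    # Prepared statement: the driver binds the value separately from the SQL
    # text, so whatever the string contains it is only ever compared as data.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (user_input,)
    ).fetchall()

# Defense-in-depth from the same answer: allowlist the *format* of an input
# before it reaches the database. Here a numeric id must be 1-10 digits.
_ID_RE = re.compile(r"^[0-9]{1,10}$")

def is_valid_id(raw):
    return bool(_ID_RE.match(raw))

def demo():
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"   # constructed tautology input
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),   # returns every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),   # returns nothing
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

Running the module prints one line per case: the concatenated query with the hostile string returns all three users, while the parameterized query returns an empty list because the whole string was compared literally against the name column.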
CSP is an HTTP header that gives allowlist-based control over which resources a page may load, as a defense against Cross-Site Scripting (XSS). OWASP 2025 recommends a Strict CSP using nonces or hashes. Nonce-based (server-rendered pages): Content-Security-Policy: script-src 'nonce-{RANDOM}' 'strict-dynamic'; object-src 'none'; base-uri 'none'. Hash-based (static pages, SPAs): Content-Security-Policy: script-src 'sha256-{HASH}' 'strict-dynamic'; object-src 'none'; base-uri 'none'. 'strict-dynamic' lets scripts that passed the nonce or hash check load additional scripts without those being explicitly allowlisted. Critical: generate nonces with a cryptographically secure random generator, unique per HTTP response, and never use 'unsafe-inline' in production. Framework protections, output encoding and CSP together provide defense-in-depth. DOMPurify is recommended for HTML sanitization. CSP Level 3 is supported in modern browsers (2025).
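How a server would produce the two Strict CSP variants above, as an added example rather than code from the page: a fresh CSPRNG nonce per response for the nonce-based policy, and a base64 SHA-256 digest of each inline script body for the hash-based policy. The render_page and response_headers helpers are assumed minimal stand-ins for a real template engine and framework response object.

```python
import base64
import hashlib
import secrets

def make_nonce(num_bytes=16):
    # One fresh nonce per HTTP response from the OS CSPRNG (secrets), never a
    # fixed value and never reused: a predictable nonce defeats the policy.
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")

def nonce_policy(nonce):
    # Nonce-based Strict CSP from the answer; no 'unsafe-inline' anywhere.
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")

def script_hash(script_body):
    # CSP hash sources cover the exact bytes between <script> and </script>,
    # so whitespace changes to the inline script invalidate the hash.
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def hash_policy(script_bodies):
    # Hash-based Strict CSP for static pages/SPAs: one source per inline script.
    sources = " ".join(f"'{script_hash(body)}'" for body in script_bodies)
    return f"script-src {sources} 'strict-dynamic'; object-src 'none'; base-uri 'none'"

def inline_script_allowed(policy, script_body):
    # Defender-side check: would this inline script pass the hash policy?
    return f"'{script_hash(script_body)}'" in policy

def render_page(nonce, script_body):
    # Assumed minimal templating: only <script> tags carrying this response's
    # nonce are executed by a browser enforcing the policy.
    return f'<html><body><script nonce="{nonce}">{script_body}</script></body></html>'

def response_headers(script_body):
    # Assumed framework hook: build headers and body for one response.
    nonce = make_nonce()
    return {"Content-Security-Policy": nonce_policy(nonce)}, render_page(nonce, script_body)

if __name__ == "__main__":
    headers, body = response_headers("console.log('hello')")
    print(headers["Content-Security-Policy"])
    print(body)
    print(hash_policy(["console.log('hello')"]))
```

The nonce must be minted inside the request handler, not at process start, so that each response carries a different value; the hash variant needs no per-request state and therefore suits content served from a CDN.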
Argon2id is the first choice (winner of the 2015 Password Hashing Competition and the gold standard for 2025; OWASP recommends a minimum of 19 MiB memory, 2 iterations and parallelism 1). Use scrypt as the fallback when Argon2id is unavailable (minimum CPU/memory cost 2^17, block size 8, parallelization 1). Use bcrypt only for legacy systems where neither Argon2 nor scrypt is available (work factor minimum 10, ideally 12+; 72-byte password limit). Use PBKDF2 only where FIPS-140 compliance requires it (600,000+ iterations with HMAC-SHA-256). Never use MD5, SHA1, SHA-256, DES or 3DES for passwords (broken/deprecated). Modern algorithms (Argon2id, bcrypt, PBKDF2) salt passwords automatically; no additional salting is required. Security consensus 2025: Argon2 provides unparalleled protection against GPU/ASIC cracking, brute force and rainbow tables.
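A password store built on the answer's scrypt fallback parameters (N = 2^17, r = 8, p = 1), as an added example and not code from the page. Python's standard library ships scrypt in hashlib but not Argon2id, which is why the fallback is shown; the "scrypt$N$r$p$salt$hash" storage format, the 16-byte salt and the needs_rehash upgrade check are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# OWASP scrypt fallback parameters quoted in the answer.
SCRYPT_N = 2 ** 17   # CPU/memory cost
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelization
# scrypt needs roughly 128 * N * r bytes (128 MiB at these settings); OpenSSL's
# default cap is lower, so the limit is raised explicitly.
SCRYPT_MAXMEM = 256 * 1024 * 1024

def _derive(password, salt, n, r, p, dklen=32):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=dklen)

def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    # Fresh random salt per password from the OS CSPRNG; the parameters are
    # stored beside the hash so they can be raised later without a migration.
    salt = secrets.token_bytes(16)
    key = _derive(password, salt, n, r, p)
    return "$".join(["scrypt", str(n), str(r), str(p),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])

def verify_password(password, stored):
    # Recompute with the stored parameters and compare in constant time.
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    candidate = _derive(password, salt, n, r, p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    # After a successful login, re-hash records that fall below current policy.
    _, sn, sr, sp, _, _ = stored.split("$")
    return int(sn) < n or int(sr) < r or int(sp) < p

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong", record))
    print("needs rehash:", needs_rehash(record))
```

Storing the cost parameters inside the record is what makes a later move to a higher N (or to Argon2id once a library is available) a per-login upgrade instead of a forced password reset.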
Token-based defense (primary): the Synchronizer Token Pattern (stateful, server-side token; OWASP 2025 recommends it for traditional web apps) or the Encrypted/Hash-based Token Pattern (stateless). Cookie-to-Header Token Pattern for SPAs (the server sets an XSRF-TOKEN cookie and the frontend sends its value back in an X-XSRF-TOKEN header). SameSite cookie attribute (defense-in-depth, NOT a replacement for CSRF tokens): Lax (default in Chrome/Edge/Opera as of Dec 2024), Strict (strongest), None (requires the Secure flag). Critical 2025 update: SameSite=Lax is now the browser default BUT cannot protect against cross-origin same-site attacks (subdomain takeover, XSS on a sibling domain). Best practice: use CSRF tokens plus SameSite=Lax/Strict for layered defense. For sensitive operations, add re-authentication or a CAPTCHA. Custom request headers (X-Requested-With) provide additional validation.
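The stateless hash-based token pattern and the cookie-to-header check from the answer, combined in one added example that is not from the page. The token layout "timestamp.random.hmac", the one-hour lifetime, the server key held in SERVER_KEY and the dict-shaped cookies and headers are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side HMAC key (generated here for the example; in production
# it is loaded from a secret store and shared by all app instances).
SERVER_KEY = secrets.token_bytes(32)

def _mac(key, session_id, ts, rnd):
    return hmac.new(key, f"{session_id}:{ts}:{rnd}".encode(), hashlib.sha256).hexdigest()

def issue_token(session_id, key=SERVER_KEY, now=None):
    # Hash-based token: bound to the session, time-limited, no server storage.
    ts = str(int(time.time() if now is None else now))
    rnd = secrets.token_hex(8)
    return f"{ts}.{rnd}.{_mac(key, session_id, ts, rnd)}"

def validate_token(token, session_id, key=SERVER_KEY, max_age=3600, now=None):
    try:
        ts, rnd, mac = token.split(".")
    except ValueError:
        return False
    # Constant-time compare first, so a malformed or forged token is rejected
    # before any of its fields are trusted.
    if not hmac.compare_digest(mac, _mac(key, session_id, ts, rnd)):
        return False
    try:
        issued = int(ts)
    except ValueError:
        return False
    current = time.time() if now is None else now
    return 0 <= current - issued <= max_age

def set_cookie_header(name, value, samesite="Lax"):
    # Cookie-to-header pattern: the SPA must read this cookie from JavaScript,
    # so it is deliberately NOT HttpOnly. SameSite is the layered defense the
    # answer describes, not a replacement for the token itself.
    return f"{name}={value}; Path=/; Secure; SameSite={samesite}"

def spa_request_ok(cookies, headers, session_id, key=SERVER_KEY, now=None):
    # A cross-site page can make the browser send the cookie, but cannot read
    # it to copy its value into a custom header; require both and that they match.
    cookie_token = cookies.get("XSRF-TOKEN")
    header_token = headers.get("X-XSRF-TOKEN")
    if not cookie_token or not header_token:
        return False
    if not hmac.compare_digest(cookie_token, header_token):
        return False
    return validate_token(header_token, session_id, key=key, now=now)

if __name__ == "__main__":
    tok = issue_token("session-abc")
    print(set_cookie_header("XSRF-TOKEN", tok))
    print("valid:", spa_request_ok({"XSRF-TOKEN": tok}, {"X-XSRF-TOKEN": tok}, "session-abc"))
    print("missing header:", spa_request_ok({"XSRF-TOKEN": tok}, {}, "session-abc"))
```

Binding the MAC to the session identifier is what stops a token minted for one user from being replayed in another user's session; the timestamp bounds how long a leaked token stays useful.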
XSS is an injection attack in which malicious scripts execute in the victim's browser. Three types: Stored (persisted in the database, highest impact), Reflected (carried in URL/request parameters), DOM-based (client-side JavaScript manipulation; the payload never touches the server). OWASP 2025 prevention hierarchy: (1) Framework Security: use modern frameworks with auto-escaping (React JSX, Vue templates, Angular; avoid dangerouslySetInnerHTML/bypassSecurityTrustHtml without DOMPurify). (2) Output Encoding: context-specific encoding is critical (HTML entity encoding for HTML context, JavaScript encoding for
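Context-specific output encoding from the prevention hierarchy above, as an added example that is not code from the page: one encoder per output context (HTML body, JavaScript string, URL parameter) and a small render function that picks the right one for each slot. The profile template, the hostile sample name and the encode_url/encode_js_string helper names are assumptions of this example; the escaping rules follow the OWASP guidance of entity-encoding in HTML and \uXXXX-encoding non-alphanumerics inside JavaScript strings.

```python
import html
from urllib.parse import quote

def encode_html(value):
    # HTML body and attribute context: entity-encode & < > " '.
    return html.escape(value, quote=True)

def encode_js_string(value):
    # JavaScript string context: leave only ASCII letters and digits as-is and
    # \uXXXX-encode everything else, so neither quotes nor a closing </script>
    # can break out of the literal. Characters outside the BMP become two
    # UTF-16 surrogate escapes, which is how a JS engine expects them.
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)

def encode_url(value):
    # URL parameter context: percent-encode everything outside the unreserved set.
    return quote(value, safe="")

def render_profile(display_name):
    # Assumed minimal template: the same untrusted value lands in three
    # different contexts and gets the encoder that context requires. The URL
    # value is URL-encoded first and then HTML-encoded because it sits inside
    # an HTML attribute (OWASP's two-layer rule for URL-in-attribute).
    return (
        "<p>Hello, " + encode_html(display_name) + "</p>\n"
        '<a href="/search?q=' + encode_html(encode_url(display_name)) + '">search</a>\n'
        '<script>var user = "' + encode_js_string(display_name) + '";</script>'
    )

if __name__ == "__main__":
    # Constructed hostile input for the demonstration.
    print(render_profile('<img src=x onerror=alert(1)>'))
```

The point the example makes is that one encoder is not enough: HTML entity encoding would leave a quote-closing payload intact inside the JavaScript string, and JavaScript encoding alone would leave a tag intact in the HTML body, so each slot needs its own rule.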