Security Antipatterns Overview

Security antipatterns are vulnerabilities that attackers can exploit. The OWASP Top 10 represents the most critical web application security risks.

Critical Warning

The example project intentionally contains all of these vulnerabilities for educational purposes. Never deploy such code in production.

OWASP Top 10 (2021)

A01: Broken Access Control

Users can act outside their intended permissions

A02: Cryptographic Failures

Weak encryption, plaintext passwords, hardcoded secrets

A03: Injection

SQL, Command, LDAP, and template injection attacks

A04: Insecure Design

Missing security controls in the design phase

A05: Security Misconfiguration

Default configs, unnecessary features, verbose errors

A06: Vulnerable Components

Using libraries with known vulnerabilities

A07: Authentication Failures

Weak auth, credential stuffing, session hijacking

A08: Data Integrity Failures

Untrusted deserialization, unsigned updates

A09: Logging Failures

Insufficient logging, sensitive data in logs

A10: SSRF

Server-side request forgery to internal systems

Project Security Vulnerabilities

The example project exposes dangerous endpoints:

Endpoint	Vulnerability	Risk
/exec?cmd=...	Command Injection	Critical
/sql?q=...	SQL Injection	Critical
/eval	Code Evaluation	Critical
/read?path=...	Path Traversal	High
/security/secrets	Secret Exposure	High
/backdoor	Authentication Bypass	Critical
/debug	Information Disclosure	Medium

Security Principles

Defense in Depth

Multiple layers of security controls:

┌─────────────────────────────────────────────┐
│              Input Validation               │
├─────────────────────────────────────────────┤
│               Authentication                │
├─────────────────────────────────────────────┤
│               Authorization                 │
├─────────────────────────────────────────────┤
│             Parameterized Queries           │
├─────────────────────────────────────────────┤
│               Output Encoding               │
├─────────────────────────────────────────────┤
│                 Encryption                  │
├─────────────────────────────────────────────┤
│            Logging & Monitoring             │
└─────────────────────────────────────────────┘

Principle of Least Privilege

• Users get minimum necessary permissions
• Services run with minimum necessary access
• Secrets have minimum necessary scope

Secure by Default

• All features disabled until explicitly enabled
• Strict input validation
• Deny by default access control

---

Quick Reference: Secure Coding

Vulnerability	Prevention
SQL Injection	Parameterized queries
XSS	Output encoding
Command Injection	Avoid shell execution
Path Traversal	Allowlist paths
Weak Crypto	bcrypt, argon2 for passwords
Secret Exposure	Environment variables
SSRF	URL allowlisting

Security Mindset

Assume all input is malicious. Validate everything. Trust nothing from the client.