Web Security Fundamentals with @hectoday/http

The OWASP Top 10

What is OWASP?

The Open Worldwide Application Security Project (OWASP) is a nonprofit that publishes research, tools, and guidelines for web application security. Their most well-known publication is the OWASP Top 10: a list of the ten most critical web application security risks, updated every few years.

The Top 10 is the industry-standard reference. Security auditors, compliance frameworks, and hiring managers all use it. Understanding it tells you where your app stands relative to the most common threats.

The OWASP Top 10 (2021 edition)

Here is how this course maps to each category:

A01: Broken Access Control

What it is: Users can act outside their intended permissions. Viewing other users’ data, modifying access controls, escalating privileges.

What we built: IDOR protection (ownership checks on every query), mass assignment prevention (explicit field picking), open redirect validation.

Status: Covered.

A02: Cryptographic Failures

What it is: Missing or weak encryption. Transmitting data in cleartext, using weak hashing algorithms, exposing sensitive data.

What we built: The auth course covered bcrypt for passwords, HttpOnly/Secure cookies, and HTTPS. The Securing Your API course covered SHA-256 for reset tokens.

Status: Partially covered (via other courses). This course did not focus on encryption directly.

A03: Injection

What it is: Untrusted data sent to an interpreter as part of a command or query. SQL, OS commands, LDAP, and XPath injection.

What we built: SQL injection prevention (parameterized queries), command injection prevention (avoiding exec, using execFile), header injection prevention (validating header values).

Status: Covered.

A04: Insecure Design

What it is: Fundamental design flaws that no amount of implementation fixes can address. Missing threat modeling, insecure business logic.

What we built: This is a design-level concern. Our approach (attacking our own code, then fixing it) is a form of threat modeling. But formal insecure design issues (like missing rate limiting by design) were covered in the Securing Your API course.

Status: Partially covered.

A05: Security Misconfiguration

What it is: Missing security headers, default credentials, unnecessary features enabled, verbose error messages.

What we built: Security headers (CSP, HSTS, nosniff, X-Frame-Options). The Securing Your API course covered structured logging and error handling.

Status: Partially covered.

A06: Vulnerable and Outdated Components

What it is: Using libraries with known vulnerabilities. Not updating dependencies.

What we built: Nothing directly. This is an operational concern: run npm audit regularly, update dependencies, monitor CVE databases.

Status: Not covered (mentioned in the Securing Your API course’s checklist).

A07: Identification and Authentication Failures

What it is: Weak authentication, broken session management, credential stuffing.

What we built: The entire auth course trilogy covers this. Bcrypt, sessions, JWTs, rate limiting, account lockout, timing attack prevention, refresh token rotation.

Status: Covered (in other courses).

A08: Software and Data Integrity Failures

What it is: Code and infrastructure that does not protect against integrity violations. Unsigned updates, insecure CI/CD pipelines, deserialization attacks.

What we built: Nothing directly. This is mostly about infrastructure and supply chain security.

Status: Not covered.

A09: Security Logging and Monitoring Failures

What it is: Not logging security events, not monitoring for attacks, not alerting on suspicious activity.

What we built: The Securing Your API course covered structured JSON logging for every security event.

Status: Covered (in the Securing Your API course).

A10: Server-Side Request Forgery (SSRF)

What it is: The application fetches a URL from user input without validation.

What we built: URL validation with protocol checks, host blocklisting, and DNS resolution to detect private IPs.

Status: Covered.
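As an added example (not the course's own @hectoday/http code), here is what the A10 check described above looks like in TypeScript: a protocol check, a host blocklist, and inspection of every resolved address for private ranges. The resolver is injected into the core function so it can be tested offline; the blocklisted hostnames and the addresses used in testing are constructed for this example.

```typescript
import { isIP } from "node:net";
import { promises as dns } from "node:dns";

// Hostnames that must never be fetched, whatever they resolve to (constructed list).
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// Loopback, link-local, private and unspecified IPv4 ranges (and malformed input) are unsafe.
export function isPrivateIPv4(ip: string): boolean {
  const p = ip.split(".");
  if (p.length !== 4 || p.some((s) => !/^\d{1,3}$/.test(s) || Number(s) > 255)) return true;
  const [a, b] = p.map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// IPv6: loopback, unspecified, link-local fe80::/10, unique-local fc00::/7, and IPv4-mapped.
export function isPrivateIP(ip: string): boolean {
  const v = ip.toLowerCase();
  if (!v.includes(":")) return isPrivateIPv4(v);
  const mapped = v.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  if (mapped) return isPrivateIPv4(mapped[1]);
  return v === "::1" || v === "::" || /^fe[89ab]/.test(v) || /^f[cd]/.test(v);
}

export type UrlCheck = { ok: true; url: string } | { ok: false; reason: string };

// Synchronous core: protocol check, host blocklist, then every resolved address is inspected.
// `resolve` is injected so the check can be unit-tested without network access.
export function checkOutboundUrl(raw: string, resolve: (host: string) => string[]): UrlCheck {
  let url: URL | undefined;
  try { url = new URL(raw); } catch { /* fall through to the malformed-URL result */ }
  if (!url) return { ok: false, reason: "malformed URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `protocol ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (BLOCKED_HOSTS.has(host)) return { ok: false, reason: `host ${host} is blocklisted` };
  const addrs = isIP(host) ? [host] : resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "host did not resolve" };
  const bad = addrs.find(isPrivateIP);
  if (bad) return { ok: false, reason: `${host} resolves to private address ${bad}` };
  return { ok: true, url: url.toString() };
}

// Production wrapper using the system resolver. A DNS answer can change between this check and
// the real connection (DNS rebinding), so the fetch should connect to the address checked here.
export async function validateOutboundUrl(raw: string): Promise<UrlCheck> {
  let addrs: string[] = [];
  try { addrs = (await dns.lookup(new URL(raw).hostname, { all: true })).map((r) => r.address); } catch { /* unresolved */ }
  return checkOutboundUrl(raw, () => addrs);
}
```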

What we did not cover

The OWASP Top 10 is a starting point, not a complete list. Areas not covered in this course include: deserialization attacks, XML external entity (XXE) injection, LDAP injection, server-side template injection (SSTI), and race conditions.

These are real vulnerabilities, but they are less common in the Node.js/TypeScript ecosystem (no XML parsing by default, no server-side templates in a JSON API, no LDAP in most apps).

Exercises

Exercise 1: Visit owasp.org/Top10 and read the full descriptions. Which categories do you feel most confident about? Which would you want to learn more about?

Exercise 2: For each vulnerability type in this course, identify which OWASP Top 10 category it falls under. Some map to multiple categories.

Which OWASP Top 10 category covers SQL injection, command injection, and XSS?

© 2026 hectoday. All rights reserved.