Chapter 8: Web and Application Security

Web and Application Security. This is the chapter where we zoom in on the apps and websites you interact with every day—your UPI apps, banking portals, e-commerce sites, freelancing platforms, or even that local Airoli restaurant’s online ordering page. In January 2026, web apps are the #1 attack surface: most breaches start here (phishing → web vuln → initial access), and with India’s digital economy booming (100 crore+ internet users, UPI transactions in trillions), a single flaw can cost crores in fraud, data leaks, or downtime.

We’re going deep today, like a full classroom session with code snippets, real Indian examples, and why these matter under DPDP Act 2023 (rules fully enforced by late 2025—personal data must be encrypted, access controlled, breaches reported fast, or face heavy fines).

1. OWASP Top 10 (2021–2025 Updates)

OWASP Top 10 is the bible for web/app security—lists the most critical risks based on data (millions of apps tested) + community input. Updated roughly every 4 years.

• 2021 Version (still widely referenced):

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

• 2025 Version (released late 2025 as Release Candidate/finalized early 2026): Major shifts! Focuses on root causes over symptoms, expands supply chain, adds error handling. Data from 175k+ CVEs, 248 CWEs mapped.

  OWASP Top 10:2025 (current as of Jan 2026):

  1. A01:2025 – Broken Access Control (still #1—every app tested had issues; 40 CWEs, includes SSRF now consolidated here).
  2. A02:2025 – Security Misconfiguration (jumped from #5 in 2021—3% of apps affected; defaults, debug enabled, open clouds).
  3. A03:2025 – Software Supply Chain Failures (new/expanded from Vulnerable Components—includes deps, build pipelines, distribution attacks; huge rise due to Log4j-style incidents).
  4. A04:2025 – Cryptographic Failures (dropped from #2—still critical but better awareness).
  5. A05:2025 – Injection (dropped from #3—still in 90%+ of old apps).
  6. A06:2025 – Insecure Design (slid from #4—threat modeling helping a bit). 7–10: Include A10:2025 – Mishandling of Exceptional Conditions (new category—error handling, failing open, logical bugs). Others like logging/alerting failures, integrity issues.

Key 2021 → 2025 changes:

• Supply chain exploded (#3).
• Misconfig surged (#2).
• SSRF merged into Broken Access Control.
• New: Exceptional Conditions (error mishandling).
• More CWEs per category (avg 25), capped at 40 for focus.

India 2026 reality: Fintech/UPI apps hit hard by Broken Access + Supply Chain (third-party payment gateways). DPDP pushes fixing these to avoid fines.

2. SQL Injection, XSS, CSRF, Insecure Deserialization

These are classic injection-style flaws (still in Top 5/10).

• SQL Injection (part of Injection category) Attacker injects malicious SQL via input fields. Example (India banking app): Login form: SELECT * FROM users WHERE username=’$input’ AND password=’$pass’ Attacker enters: admin’ — → bypasses password → logs in as admin. Fix: Prepared statements/parameterized queries (e.g., PDO in PHP, PreparedStatement in Java), input validation, ORM (Hibernate, Django ORM).
• XSS (Cross-Site Scripting) — Inject script into page viewed by others. Types: Reflected (URL param), Stored (DB → page), DOM-based. Example: Comment box on e-commerce: <script>document.cookie=’stolen by attacker'</script> → steals session cookies. Fix: Output encoding (e.g., htmlspecialchars), Content Security Policy (CSP), sanitize inputs (DOMPurify).
• CSRF (Cross-Site Request Forgery) — Tricks logged-in user to perform action via malicious site. Example: User logged into bank → visits evil site with <img src=”bank.com/transfer?to=hacker&amount=50000″> → transfer happens using your session. Fix: CSRF tokens (sync token in form/header), SameSite cookies (Lax/Strict), check referer/origin.
• Insecure Deserialization — Untrusted data deserialized → code execution. Example: Java app uses ObjectInputStream on user-supplied data → gadget chains (ysoserial) → RCE. Fix: Avoid deserializing untrusted data, use safe formats (JSON with type checks), look-ahead deserializers (NotSoSerial).

Real 2026 example: Indian startup’s Node.js app had stored XSS in user profiles → attacker injected script → stole admin sessions → changed UPI keys.

3. API Security (REST, GraphQL, OAuth, JWT)

APIs power modern apps (mobile backends, microservices)—often less protected than web UIs.

• REST APIs — Common vulns: Broken auth, excessive data exposure, mass assignment. Fix: Rate limiting, input validation, proper HTTP methods.
• GraphQL — Flexible queries → over-fetching, introspection attacks. Fix: Disable introspection in prod, depth/complexity limits, persisted queries.
• OAuth — Authorization framework (e.g., “Login with Google”). Flows: Authorization Code (best for servers), PKCE (mobile/SPA). Fix: Use state/nonce, validate redirect_uri, short tokens.
• JWT (JSON Web Tokens) — Stateless auth tokens (header.payload.signature). Common issues: Weak alg (none/RS256 confusion), no exp/iat checks, weak secrets, kid header attacks. Fix: Strong alg (HS256/RS256), validate signature/claims, short expiry + refresh, store in HttpOnly cookies (not localStorage).

India example: Fake UPI app clones use stolen JWTs → drain wallets. Use OAuth2 + JWT with proper validation.

4. Secure SDLC and DevSecOps Introduction

Secure SDLC = Build security in every phase (requirements → design → code → test → deploy → maintain). DevSecOps = Shift-left: Security as code, automated in CI/CD (Dev + Sec + Ops).

Key practices (2026 standard):

• Threat modeling (STRIDE, PASTA).
• Secure coding guidelines (OWASP Cheat Sheets).
• SAST (Static: SonarQube, Semgrep), DAST (Dynamic: ZAP, Burp), SCA (Software Composition Analysis: OWASP Dependency-Check, Snyk).
• IaC scanning (Terraform/Checkov).
• Automated pentests in pipeline.
• Bug bounty + responsible disclosure.

Example (Indian fintech startup in Navi Mumbai): Old way: Code → deploy → breach. DevSecOps: Git commit → SAST scans for injection → SCA checks Log4j vulns → DAST runs ZAP → only passes → deploys. Catches 70%+ issues early.

Tools stack 2026: GitHub Actions + Semgrep + Dependabot + OWASP ZAP + SonarCloud.

That’s Chapter 8—your web/apps are now much harder to crack!