
Web Application Penetration Testing: OWASP Top 10 (2025) Practical Guide for Indian Developers

OWASP Top 10 is the baseline for web app security testing. What each category actually means in practice, how Indian developers should test for it, and where modern web apps (React/Vue SPA, GraphQL APIs, Cloudflare-fronted) introduce twists the textbook explanations miss.

Published 20 May 2026 · 14 min read · Codesecure VAPT Team

Key Takeaways

  • OWASP Top 10 is the baseline, not the ceiling. Manual pentest goes beyond the categories to find chained exploits, business logic flaws and identity issues that the framework hints at but does not enumerate.
  • Top categories in Indian web app pentests (frequency): Broken Access Control, Injection (SQL/NoSQL/Command), Cryptographic Failures, Identification & Authentication Failures, Vulnerable Components.
  • Modern web apps (React/Vue SPA + GraphQL API + Cloudflare/Vercel/Netlify) introduce twists: client-side authorisation, IDOR through GraphQL nested fields, edge function bypass.
  • Audit-ready reports map each finding to OWASP category, CWE, CVSS v3.1 score, business impact, remediation guidance.
  • Free retest within 90 days is standard for Codesecure web app pentests so fixes can be validated for audit closure.

Why OWASP Top 10 Is Useful (and Where It Falls Short)

The OWASP Top 10 is the most widely-cited web application security awareness framework. The 2025 release continues the focus on application logic and business impact rather than purely technical vulnerability categories. Auditors, customers and regulators all reference it. Every Indian web app pentest report should map findings to OWASP categories.

Where OWASP Top 10 is useful: as a shared vocabulary between developers, security testers, auditors and management. As a checklist of must-test categories that no manual pentest should skip. As a reporting structure that buyers and auditors understand.

Where it falls short: it does not enumerate specific vulnerabilities, attack techniques or test cases. A real pentest finds 30-60 distinct issues that all map to OWASP categories but are far more specific. Business logic flaws, chained exploits and identity issues hide under broad OWASP buckets and require manual expertise to find.

OWASP Top 10 (2025) Categories: Practical Testing Approach

A01: Broken Access Control

The most common high-severity finding in Indian web app pentests. Tested via: horizontal IDOR (accessing another user's resource by changing an ID parameter), vertical IDOR (a regular user invoking an admin function), missing authorisation on API endpoints (the backend trusts client-side role enforcement), forced browsing to unlinked admin paths, and JWT manipulation (algorithm confusion, weak signing keys, claim tampering). Modern SPA + API apps frequently enforce authorisation only on the front-end, with the backend trusting whatever role the client claims.

A02: Cryptographic Failures

Tested via: weak hashing (MD5, SHA1 for passwords, unsalted hashes), weak TLS configuration (TLS 1.0/1.1 enabled, weak ciphers RC4/3DES, expired or self-signed certificates), missing HSTS, missing secure cookie flags, sensitive data in URLs or query strings, hardcoded keys in client-side code or repositories. Modern Indian SaaS apps often inherit their cryptographic posture from cloud defaults (AWS/Azure/GCP), which is a decent baseline but rarely tuned for the specific application threat model.

A03: Injection (SQL, NoSQL, OS Command, LDAP)

Despite ORMs and frameworks, injection remains common. Tested via: blind SQL injection on parameters that look safe (sort, search, filter), NoSQL injection on MongoDB/DynamoDB-backed APIs (operator injection), OS command injection on file processing endpoints, LDAP injection on authentication systems, template injection on report generation features. Server-side template injection (SSTI) on Jinja2/Twig/Handlebars-based reports is a frequent finding in Indian SaaS with custom reporting features.
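The NoSQL operator injection named above, shown as the vulnerable filter shape beside a hardened one, as an added Node.js example not taken from the original article. The request bodies are constructed; the hardened path is a plain JSON walk that rejects `$`-prefixed or dotted keys and enforces string types before anything reaches the MongoDB driver.

```javascript
// Vulnerable shape: the login handler passes the parsed JSON body straight into
// the MongoDB filter. A body of {"username":"admin","password":{"$ne":""}} turns
// the password equality check into "not equal to empty string", which matches.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened: refuse any nested object whose keys look like query operators
// ($-prefixed) or dotted field paths. Walks arrays and objects recursively so the
// check also holds for operators buried deeper in the JSON.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperator(value[k]),
    );
  }
  return false;
}

function buildLoginFilterHardened(body) {
  if (containsOperator(body)) throw new Error('operator injection attempt');
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new Error('username and password must be strings');
  }
  // Real code would look up the user by username and compare a password hash;
  // the filter here only shows the shape that is safe to hand to the driver.
  return { username: body.username };
}

// Classify a captured request body (useful in detection/logging pipelines).
function classifyLoginBody(body) {
  try {
    buildLoginFilterHardened(body);
    return 'ok';
  } catch (e) {
    return e.message;
  }
}
```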

A04: Insecure Design

Architectural and design-level issues rather than implementation bugs. Tested via: missing rate limiting on login, password reset, OTP endpoints (enables credential stuffing and OTP brute-force), weak account recovery flows (security questions, predictable tokens), business logic abuse (race conditions on payment, coupon stacking, refund abuse), insecure direct API design (over-fetching, under-protecting). These are not in scanner output; they require manual analysis of the application flow.

A05: Security Misconfiguration

Tested via: exposed admin interfaces (Jenkins, Kibana, Swagger, phpMyAdmin reachable from the internet), verbose error messages leaking stack traces or DB schema, missing security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), default credentials on management interfaces, directory listing enabled on static asset directories, and misconfigured CORS allowing arbitrary origins. Cloud misconfigurations (open S3 buckets, public storage containers, exposed metadata services) fall under the cloud configuration audit but are often discovered during the web app pentest.
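The CORS misconfiguration listed above, with the two common weak variants (origin reflection, suffix matching) next to an exact-match allowlist, as an added Node.js example that is not part of the original article. The allowlisted origins are constructed placeholders; each function returns the response headers a server would emit for a given Origin request header.

```javascript
// Constructed allowlist of first-party origins (scheme, host and port all count).
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// Misconfigured: reflects whatever Origin the browser sent and still allows
// credentials, so any site can read authenticated responses cross-origin.
function corsHeadersReflecting(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also misconfigured: a suffix check admits https://evil-example.com because it
// compares a string tail, not a registered origin.
function corsHeadersSuffixMatch(originHeader) {
  if (originHeader && originHeader.endsWith('example.com')) {
    return corsHeadersReflecting(originHeader);
  }
  return {};
}

// Hardened: parse the header, require it to equal its own canonical origin, and
// look it up exactly. "null" and unknown origins get no CORS headers at all;
// "Vary: Origin" keeps caches from serving one origin's answer to another.
function corsHeadersHardened(originHeader) {
  if (!originHeader || originHeader === 'null') return {};
  let parsed;
  try { parsed = new URL(originHeader); } catch { return {}; }
  const origin = parsed.origin; // canonical "scheme://host[:port]"
  if (origin !== originHeader || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}
```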

A06: Vulnerable and Outdated Components

Tested via: dependency vulnerability scanning against known CVEs (npm audit, pip audit, snyk, Trivy), framework version disclosure in HTTP headers and error pages, verification that vulnerable libraries are actually exploitable in the application context. Not every CVE in node_modules is exploitable; the pentest filters real exploitable issues from theoretical vulnerabilities for which there is no exploitation path.

A07: Identification and Authentication Failures

Tested via: weak password policy (allows '123456', no complexity), username enumeration on login/signup/password-reset, missing or weak MFA on sensitive flows, session management flaws (predictable session tokens, missing session timeout, session fixation), OAuth/SAML implementation issues (open redirect, JWT confusion, weak signing keys), SSO bypass via direct authentication endpoints. Modern Indian SaaS apps with SSO/Okta/Azure AD integration frequently have direct-login endpoints that bypass SSO; this is a high-severity finding.

A08: Software and Data Integrity Failures

Tested via: insecure deserialisation on Java/Python/Ruby applications (Pickle, Hessian, ObjectInputStream), auto-update mechanisms without signature verification, CI/CD pipeline trust issues (unsigned artifacts, untrusted plugins), JavaScript supply chain risk (loading third-party scripts from CDNs without SRI). This is a frequent finding in older Indian enterprise Java applications.

A09: Security Logging and Monitoring Failures

Tested via: verification that security-relevant events are logged (failed logins, MFA challenges, privilege changes, admin actions), integration with centralised SIEM, alerting on suspicious patterns. This category is typically tested via interview + log inspection rather than active probing. Important for SOC 2 CC7.2/CC7.3 evidence and ISO 27001 A.8.15/A.8.16 controls.

A10: Server-Side Request Forgery (SSRF)

Tested via: SSRF on URL parameters (webhook configuration, image upload by URL, PDF generation, OAuth callback validation), blind SSRF detection via out-of-band channels (Burp Collaborator, custom DNS canaries), SSRF to cloud metadata endpoints (169.254.169.254 on AWS, 100.100.100.200 on Alibaba, custom on Azure/GCP). Cloud metadata SSRF is a high-severity finding in Indian SaaS hosted on AWS without IMDSv2 enforcement.

Need a Pentest Engagement?

Codesecure runs manual + AI-augmented VAPT for Indian businesses: web, API, mobile, network, cloud, AD, IoT, source code. Named OSCP/CEH/CISSP consultants, ISO/IEC 27001:2022 certified delivery, free retest within 90 days.


Modern Web App Twists: SPA, GraphQL, Edge Functions

Single-Page Applications (React, Vue, Angular, Svelte)

SPA frontends with REST/GraphQL backends are now standard in Indian SaaS. Key pentest concerns: client-side authorisation (frontend role enforcement that backend ignores), JavaScript secret exposure (API keys, signing secrets in bundles), routing-based access control bypass (deep linking to protected views without server check), JWT handling (storage in localStorage vs httpOnly cookie). Use browser dev tools, Burp Suite proxy, and manual code review of bundled JavaScript.

GraphQL APIs

GraphQL changes the pentest playbook. Key concerns: introspection-based attacks (use introspection to map the full schema and identify hidden mutations), nested IDOR through related fields (a query that fetches user.organisation.members can leak across tenants if authorisation is per-query rather than per-field), query depth/cost abuse (DoS via deeply nested queries), batching abuse (rate limit bypass through batched queries). Disable introspection in production; implement per-field authorisation, not per-query.
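The nested IDOR described above, modelled as plain resolver functions without a GraphQL library, as an added Node.js example that is not part of the original article. The tenant, user and organisation records are constructed; the first resolver chain authorises once at the query root (per-query), the second re-checks tenant ownership on every object it returns (per-field), which is what stops `user.organisation.members` from crossing tenants.

```javascript
// Constructed multi-tenant data: the viewer belongs to tenant t1; user u2 and
// organisation o2 belong to tenant t2.
const USERS = {
  u1: { id: 'u1', tenantId: 't1', orgId: 'o1' },
  u2: { id: 'u2', tenantId: 't2', orgId: 'o2' },
  u3: { id: 'u3', tenantId: 't2', orgId: 'o2' },
};
const ORGS = {
  o1: { id: 'o1', tenantId: 't1', memberIds: ['u1'] },
  o2: { id: 'o2', tenantId: 't2', memberIds: ['u2', 'u3'] },
};

// Per-query authorisation: the only check is that a viewer is present; every
// nested field is then resolved on trust. Resolves user(id).organisation.members.
function membersPerQuery(viewer, userId) {
  if (!viewer) throw new Error('unauthenticated');
  const user = USERS[userId];
  if (!user) return null;
  return ORGS[user.orgId].memberIds;
}

// Per-field authorisation: each resolver that returns an object compares that
// object's tenant with the viewer's, so a traversal that starts at a reachable
// root cannot step into another tenant's data through a related field.
function sameTenant(viewer, obj) {
  if (!viewer) throw new Error('unauthenticated');
  if (obj.tenantId !== viewer.tenantId) throw new Error(`forbidden: ${obj.id}`);
  return obj;
}
const resolvers = {
  user: (viewer, id) => (USERS[id] ? sameTenant(viewer, USERS[id]) : null),
  organisation: (viewer, user) => sameTenant(viewer, ORGS[user.orgId]),
  members: (viewer, org) => org.memberIds.map((id) => sameTenant(viewer, USERS[id]).id),
};
function membersPerField(viewer, userId) {
  const user = resolvers.user(viewer, userId);
  if (!user) return null;
  return resolvers.members(viewer, resolvers.organisation(viewer, user));
}
```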

Cloudflare / Vercel / Netlify / Edge Functions

Modern Indian SaaS often deploys on edge platforms (Cloudflare Workers, Vercel Edge Functions, Netlify Functions). Key concerns: origin server bypass if the origin's IP is discoverable (DNS history, certificate transparency leaks), edge function authorisation (function trusts headers Cloudflare strips for non-edge requests), cache poisoning via header manipulation, misconfigured page rules exposing admin paths to direct origin access. We test both edge and origin endpoints.


Frequently Asked Questions

How long does a typical web app pentest take in India?

1-2 weeks for a single application with 30-40 features under OWASP Top 10 + business logic testing methodology. 2-3 weeks for multi-product platforms, multi-tenant SaaS, or e-commerce with payment flows. 3-4 weeks for large enterprise apps with extensive role hierarchies and microservices backends. Plus 1 week for report finalisation and another 1 week for free retest within 90 days when fixes are ready.

Do we need OWASP Top 10 alignment in our pentest report or is general findings format okay?

OWASP Top 10 alignment is strongly recommended. Indian and global auditors (ISO 27001, SOC 2, PCI DSS), enterprise customer security teams, and bug bounty triagers all use OWASP as common vocabulary. A report that maps findings to OWASP categories plus CWE plus CVSS gives the broadest audience compatibility. Codesecure reports always include this multi-framework mapping.

Is OWASP Top 10 enough or should we also test for OWASP API Top 10?

Both. OWASP Top 10 covers web application categories; OWASP API Top 10 covers API-specific issues that overlap but extend (excessive data exposure, mass assignment, lack of resources/rate limiting, improper assets management). For modern Indian SaaS with React/Vue SPA + REST or GraphQL backend, we test against both frameworks in the same engagement.

What are the most common high-severity web app findings in India in 2026?

Top five by frequency in Codesecure 2026 engagements: (1) Broken Access Control via authorisation gaps on backend APIs while frontend enforces role, (2) SSRF to cloud metadata endpoints on AWS without IMDSv2 enforcement, (3) Server-Side Template Injection on custom reporting features, (4) JWT signing key weaknesses or algorithm confusion, (5) GraphQL nested IDOR through related fields when authorisation is per-query rather than per-field.

Should developers also run OWASP ZAP or similar automated tools themselves?

Yes, between pentest engagements. Automated tools (OWASP ZAP, Burp Suite Community, Nuclei) catch the obvious issues continuously and are cheap. They are NOT a substitute for an annual manual pentest, but they are a useful complement that shrinks the surface area the manual pentest needs to cover. Integrate ZAP into CI/CD with baseline scans on every release.

Will the pentest cause downtime for our production web app?

Standard pentest methodology is non-disruptive. We use rate-limited probes, exclude destructive techniques, avoid DoS testing unless explicitly scoped. Production pentest is common; staging-only pentest is fine if staging accurately mirrors production. Risk of accidental disruption is low; we coordinate maintenance windows for high-risk tests (rate limit boundary testing, large file upload testing).

Will the pentest report satisfy our SOC 2 / ISO 27001 auditor?

Yes. Codesecure web app pentest reports map findings to OWASP Top 10, OWASP API Top 10, CWE, CVSS v3.1, MITRE ATT&CK and the specific control families (SOC 2 CC7.x, ISO 27001 A.8.x). Indian and global auditors (Big 4, mid-tier CPAs, ISO certification bodies) routinely accept our reports as pentest evidence. Free retest within 90 days provides closure evidence for any findings remediated.


Codesecure VAPT Team

OSCP / CEH / CISSP Certified Penetration Testers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs manual + AI-augmented VAPT engagements across web, API, mobile, network, cloud, Active Directory, source code, IoT and thick client. Named consultants, fixed-fee proposals, free retest within 90 days. 150+ businesses secured globally.


Get a Comprehensive Web App Pentest Aligned to OWASP Top 10

Codesecure runs manual + AI-augmented web app pentests covering OWASP Top 10, OWASP API Top 10, ASVS controls and business logic. Named OSCP/CEH/CISSP consultants, ISO/IEC 27001:2022 certified delivery, free retest within 90 days.