Sign up to save your podcasts
Or
Share Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained
In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
Topics covered include:
- What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
- Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
- JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
- MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
- CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
- Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
- S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
- Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.
View all episodes
By SecurIT360
5
1515 ratings
In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
Topics covered include:
- What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
- Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
- JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
- MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
- CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
- Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
- S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
- Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.
More shows like The Cyber Threat Perspective
View all
CyberWire Daily
1,027 Listeners
Darknet Diaries
8,052 Listeners
Cybersecurity Headlines
136 Listeners