OWASP Top 10 — the speedrun tour
One sentence per category, in plain English.
The OWASP Top 10 is the closest thing the security community has to a standard reading list. This lesson is the speedrun tour — one sentence per category, in plain English, mapped to real Grit endpoints. Later chapters attack each one hands-on.
A01 — Broken Access Control
What: User A can read or modify User B's data because the endpoint didn't check ownership.
In Grit: Forgetting WHERE user_id = ? on a list, or skipping the if note.UserID != userID check on an update. The most common bug in shipped APIs. Chapter 2 is entirely this.
A02 — Cryptographic Failures
What: Passwords stored unhashed, secrets committed to git, weak algorithms, no TLS on production.
In Grit: bcrypt is wired by default for passwords. JWT uses HS256 with a strong secret; keep in mind that HS256 is symmetric, so any service that holds the secret to verify tokens can also mint them. Your job: don't commit .env; use real TLS in production.
A03 — Injection
What: User input executed as code. SQL injection, command injection, HTML injection (XSS).
In Grit: GORM parameterises by default, unless you fmt.Sprintf user input into a query string. Placeholders bind values only, so a table name, column name or ORDER BY clause built from user input still needs an allow-list. Templates auto-escape, unless you mark them as raw. Chapter 3.
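Both halves of the A03 sentence, as an added example (not Grit's own code and not GORM's): one constructed payload is pushed through the fmt.Sprintf anti-pattern and through a bound-parameter query, then through html/template as a plain string and again wrapped in template.HTML, the "mark as raw" escape hatch. The GORM and database/sql calls named in the comments are the real APIs; the notes table and the payload are invented for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed attacker input: the quote closes the SQL string literal and the
// tag is a classic stored-XSS probe. One payload exercises both sinks.
const payload = `' OR 1=1 -- <script>alert(1)</script>`

// vulnerableQuery is the fmt.Sprintf anti-pattern. The returned text is what
// the database engine parses, so the tautology widens the WHERE to every row.
func vulnerableQuery(title string) string {
	return fmt.Sprintf("SELECT id, body FROM notes WHERE title = '%s'", title)
}

// safeQuery keeps the SQL text constant and hands the input over as a bound
// argument. GORM's db.Where("title = ?", title) and database/sql's
// db.Query(sql, args...) both send the two parts to the driver separately,
// so the input can never change the statement's structure.
func safeQuery(title string) (sql string, args []any) {
	return "SELECT id, body FROM notes WHERE title = ?", []any{title}
}

// page is the template for the HTML half of the example.
var page = template.Must(template.New("note").Parse("<p>{{.}}</p>"))

// renderEscaped passes a plain string to html/template, which escapes it for
// the HTML text context it lands in.
func renderEscaped(s string) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, s); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderRaw wraps the string in template.HTML, the "mark as raw" escape hatch.
// The engine now trusts it as markup and the script tag survives intact.
func renderRaw(s string) string {
	var buf bytes.Buffer
	if err := page.Execute(&buf, template.HTML(s)); err != nil {
		panic(err)
	}
	return buf.String()
}

// injected reports whether the rendered HTML still carries a live script tag.
func injected(html string) bool {
	return strings.Contains(html, "<script>")
}

func main() {
	fmt.Println(vulnerableQuery(payload))
	sql, args := safeQuery(payload)
	fmt.Println(sql, args)
	fmt.Println(renderEscaped(payload), injected(renderEscaped(payload)))
	fmt.Println(renderRaw(payload), injected(renderRaw(payload)))
}
```

The point to take from the two render functions: the type of the value, not the template, decides whether escaping happens. template.HTML is for markup your own code produced; the moment it wraps something a user typed, you have rebuilt the XSS by hand.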
A04 — Insecure Design
What: The system architecture itself is vulnerable — auth flow allows account takeover, password reset emails the token to the wrong address, etc.
In Grit: Architectural review at threat-model time catches most of these. Chapter 4 covers JWT pitfalls, which are usually A04.
A05 — Security Misconfiguration
What: Defaults left enabled (debug mode in prod, admin endpoints exposed, overly permissive CORS, no security headers).
In Grit: The defaults are reasonable. Your job: confirm GIN_MODE=release in prod, set explicit CORS origins, verify CSP headers are emitted. Chapter 5.
A06 — Vulnerable Components
What: Old dependencies with known CVEs.
In Grit: Grit's CI runs govulncheck and Dependabot is wired into the starter. Your job: don't ignore the alerts.
A07 — Identification + Authentication Failures
What: Brute force allowed, weak passwords permitted, sessions never expire, no MFA.
In Grit: Sentinel rate-limits login attempts. Password min-length is configurable. JWT expiry defaults to 15 min. TOTP MFA is included if you enable it.
A08 — Software + Data Integrity Failures
What: Trusting unverified updates, signed artefacts that aren't verified, supply chain attacks via compromised dependencies.
In Grit: Module versions are pinned in go.mod and their checksums in go.sum; frontend deps are pinned in pnpm-lock.yaml. A lockfile only guarantees you get the same bytes you reviewed the first time, so if you blindly run install scripts from a stranger's package, that's on you.
A09 — Logging + Monitoring Failures
What: No way to detect an attack. No way to replay what happened after it.
In Grit: Pulse provides request logging + timing per endpoint. Sensitive actions go through the audit log. Chapter 5 covers wiring this.
A10 — Server-Side Request Forgery (SSRF)
What: Your server fetches a URL the attacker supplies, hitting internal services the attacker can't reach directly (cloud metadata endpoints such as AWS IMDS, admin panels, anything listening on localhost or a private range).
In Grit: The safefetch package blocks private IP ranges by default. Every URL you fetch from user input should go through it. A check on the hostname alone is not enough: the block has to apply to the address the name actually resolves to, and again on every redirect hop, or an attacker-controlled DNS name or a 302 walks straight past it. Chapter 3.
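The shape of that check, as an added example written against the standard library only; this is not Grit's safefetch package, and the resolver is injected so the code runs offline (the names example.com and evil.test, their addresses, and the fakeResolver are all constructed for the demo; in production you would wrap net.DefaultResolver.LookupNetIP). It rejects non-http(s) schemes, literal and resolved addresses in loopback, private, link-local and unspecified ranges, and IPv4-mapped IPv6 literals that try to smuggle 127.0.0.1 past a naive check.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
)

// Resolver maps a hostname to the addresses it resolves to. It is injected so
// the example runs offline; in production wrap net.DefaultResolver.LookupNetIP
// (assumed here, not something this example wires up).
type Resolver func(host string) ([]netip.Addr, error)

// isBlockedAddr is the address-level policy. Unmap() first so an IPv4-mapped
// IPv6 literal like ::ffff:127.0.0.1 is judged as 127.0.0.1. Extend the list
// (for example 100.64.0.0/10) to match your network; this is the common core.
func isBlockedAddr(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsInterfaceLocalMulticast() ||
		a.IsMulticast() || a.IsUnspecified()
}

// ValidateTarget accepts a user-supplied URL only if its scheme is http(s)
// and every address the host resolves to is public. It returns the address
// that passed so the caller dials that exact address instead of resolving
// the name a second time (a second lookup is where DNS rebinding bites).
func ValidateTarget(raw string, resolve Resolver) (netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return netip.Addr{}, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal address, no lookup needed
	} else if addrs, err = resolve(host); err != nil {
		return netip.Addr{}, err
	}
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, a := range addrs {
		if isBlockedAddr(a) {
			return netip.Addr{}, fmt.Errorf("%s resolves to blocked address %s", host, a)
		}
	}
	return addrs[0], nil
}

// fakeResolver is constructed data: one honest public name and one
// attacker-controlled name pointing at the cloud metadata service.
func fakeResolver(host string) ([]netip.Addr, error) {
	switch host {
	case "example.com":
		return []netip.Addr{netip.MustParseAddr("93.184.216.34")}, nil
	case "evil.test":
		return []netip.Addr{netip.MustParseAddr("169.254.169.254")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, raw := range []string{
		"https://example.com/feed.xml",
		"http://evil.test/",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/admin",
		"file:///etc/passwd",
	} {
		addr, err := ValidateTarget(raw, fakeResolver)
		fmt.Printf("%-45s -> %v %v\n", raw, addr, err)
	}
}
```

Two things the function deliberately does that a quick regex on the URL would not: it judges the resolved addresses rather than the name, and it hands back the vetted address so the HTTP client can dial it directly. Pair it with a CheckRedirect callback on the client that re-runs ValidateTarget for every hop, otherwise the first redirect undoes the work.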
What this course covers, by chapter
- Ch.1 (here): Mindset — threat model + OWASP tour.
- Ch.2: Broken Access Control — A01 — IDOR hands-on.
- Ch.3: Injection + SSRF — A03 + A10.
- Ch.4: Auth + Secrets — A02 + A04 + A07.
- Ch.5: The Grit defensive stack — A05 + A06 + A09.
What's next
Chapter 2 — Broken Access Control. We'll write a deliberately-broken IDOR, exploit it, then ship the fix. The first hands-on attack of the course.