
Security · 7 min read

The OWASP Top 10, As I've Actually Seen Them Break Production

The OWASP list reads like theory until you've fixed each one in a real client codebase. Here's what they actually look like in the wild.

Tanjil Ahmed

Lead Software Engineer · Notionhive

Security audits get treated as a checkbox until an incident makes them personal. Having run audits across Laravel, WordPress, and Next.js codebases, I've found the OWASP Top 10 stops being an academic list once you've seen each item cause a real breach.

Access control failures are the most common, by far

Broken object-level authorization — a user changing an ID in the URL and reaching someone else's record — is the single most common finding in every audit I've run. It's boring, it's not exotic, and it's the one that actually gets exploited, because it requires no special tooling to find.

  • Authorize at the query layer (scope every query to the requesting user), not just at the controller.
  • Treat every ID in a URL or payload as attacker-controlled input, always.
  • Log authorization failures distinctly from 404s — a spike in them is a signal, not noise.

Dependency vulnerabilities (A06) are usually caught by CI scanning that nobody wired up until after the incident.

Almost every serious breach I've reviewed didn't need a zero-day. It needed someone to change a number in the URL.
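An added example (not code from the original post) of the pattern above in a Next.js-style route handler: the lookup that trusts the URL ID beside one scoped to the requesting user, with denied access logged separately from a plain miss. The in-memory table, handler shape and the choice to answer 404 in both cases are assumptions for illustration.

```javascript
// Constructed sample table: two invoices owned by two different users.
const invoices = [
  { id: 1, ownerId: 10, total: 120 },
  { id: 2, ownerId: 11, total: 75 },
];

// Stand-in for a structured logger; in a real deployment these events feed
// an alert so that a spike in authz_denied is noticed, not buried among 404s.
const authzLog = [];

// Vulnerable: `user` is accepted but never consulted. The record is looked
// up globally by whatever number arrived in the URL, so any authenticated
// user can read any invoice by changing that number.
function getInvoiceVulnerable(user, rawId) {
  const row = invoices.find((i) => i.id === Number(rawId));
  return row ? { status: 200, body: row } : { status: 404 };
}

// Hardened: ownership is part of the lookup predicate itself (the query is
// scoped to the requesting user), so there is no code path that fetches the
// record first and forgets the check later.
function getInvoiceScoped(user, rawId) {
  // Treat the ID as attacker-controlled input: accept only a positive integer.
  if (!/^[1-9]\d*$/.test(String(rawId))) return { status: 400 };
  const id = Number(rawId);
  const row = invoices.find((i) => i.id === id && i.ownerId === user.id);
  if (row) return { status: 200, body: row };
  // For the log, distinguish "exists but belongs to someone else" from
  // "does not exist"; the client gets 404 either way (assumed policy, so the
  // response does not confirm that another user's record exists).
  if (invoices.some((i) => i.id === id)) {
    authzLog.push({ event: 'authz_denied', userId: user.id, invoiceId: id });
  }
  return { status: 404 };
}
```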