All skills
Skillintermediate

OWASP Top 10 Prevention

| # | Vulnerability | Prevention | |---|---------------|------------| | 1 | Injection | Parameterized queries, ORMs | | 2 | Broken Auth | Strong passwords, MFA, secure sessions | | 3 | Sensitive Data | Encryption at rest/transit | | 4 | XXE | Disable DTDs, use JSON | | 5 | Broken Access | Deny by default, server-side validation | | 6 | Misconfig | Security headers, disable defaults | | 7 | XSS | O

Claude Code Knowledge Pack7/10/2026

Overview

OWASP Top 10 Prevention

OWASP Top 10 Quick Reference

#VulnerabilityPrevention
1InjectionParameterized queries, ORMs
2Broken AuthStrong passwords, MFA, secure sessions
3Sensitive DataEncryption at rest/transit
4XXEDisable DTDs, use JSON
5Broken AccessDeny by default, server-side validation
6MisconfigSecurity headers, disable defaults
7XSSOutput encoding, CSP
8Insecure DeserializationSchema validation, allowlists
9Known VulnerabilitiesDependency scanning
10Insufficient LoggingLog security events

A01: Injection Prevention

// SQL Injection - Use parameterized queries
// ❌ Bad
const bad = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Good
const good = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// ✅ Good - Use ORM
const user = await prisma.user.findUnique({ where: { id: userId } });

// Command Injection - Avoid shell execution
// ❌ Bad
exec(`ls ${userInput}`);

// ✅ Good - Use library functions
const files = fs.readdirSync(safeDirectory);

A02: Broken Authentication

// Use bcrypt for passwords
const hash = await bcrypt.hash(password, 12);
const isValid = await bcrypt.compare(password, hash);

// Implement account lockout
if (failedAttempts >= 5) {
  await lockAccount(userId, 15 * 60 * 1000); // 15 min
}

// Use secure session configuration
app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: 15 * 60 * 1000, // 15 minutes
  },
}));

A03: Sensitive Data Exposure

// Encrypt sensitive data at rest

function encrypt(text: string, key: Buffer): string {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // ... encryption logic
}

// Use HTTPS only
app.use((req, res, next) => {
  if (!req.secure) {
    return res.redirect(`https://${req.hostname}${req.url}`);
  }
  next();
});

A05: Broken Access Control

// Always validate on server side
async function getResource(userId: string, resourceId: string) {
  const resource = await db.resource.findUnique({ where: { id: resourceId } });

  // Verify ownership
  if (resource.ownerId !== userId) {
    throw new ForbiddenError('Access denied');
  }

  return resource;
}

// Use role-based access
function requireRole(...roles: string[]) {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

A07: XSS Prevention

// Use Content Security Policy
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
  },
}));

// Sanitize user input for HTML

const clean = DOMPurify.sanitize(userInput);

Quick Reference

AttackDefense
SQL InjectionParameterized queries
XSSOutput encoding, CSP
CSRFCSRF tokens
IDORAuthorization checks
Command InjectionAvoid exec(), validate input