The Cyber Threat Perspective
Step into the ever-evolving world of cybersecurity with the offensive security group from SecurIT360. We’re bringing you fresh content from our journeys into penetration testing, threat research and various other interesting topics.
brad@securit360.com
Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained
In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
Topics covered include:
- What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
- Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
- JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
- MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
- CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of bypassing CORS by allowing AWS resources
- Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
- S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
- Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
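As an added illustration of the CORS failure mode listed above (example code, not from the episode or SecurIT360): a Node-style origin check that admits any AWS-hosted origin, next to the exact allow-list that should replace it. The hostnames and bucket names are constructed, and reading the episode's story as a permissive provider-domain match is an assumption.

```javascript
// Added example (not from the podcast): the origin check behind a CORS
// middleware in a Node/Express-style API. Hostnames are constructed.

// Weak: a suffix match meant to admit the app's own S3/CloudFront-hosted
// front end also admits every other tenant of that provider (and any
// hostname that merely ends in the string, e.g. "notamazonaws.com").
function isAllowedOriginWeak(origin) {
  if (typeof origin !== "string") return false;
  let host;
  try {
    host = new URL(origin).hostname;
  } catch {
    return false; // not a parseable origin
  }
  return host === "app.example.com" || host.endsWith("amazonaws.com");
}

// Strict: exact match of the full origin (scheme + host + port) against a
// fixed allow-list; no pattern matching, no reflection of arbitrary input.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://example-frontend.s3.amazonaws.com", // constructed bucket origin
]);
function isAllowedOriginStrict(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Headers a middleware would emit for a credentialed cross-origin request.
// With no Access-Control-Allow-Origin header the browser refuses to expose
// the response to the calling page, so an unvetted origin gets nothing.
function corsHeaders(origin, isAllowed) {
  if (!isAllowed(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin, // a vetted value, never "*" with credentials
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // keep caches from serving one origin's headers to another
  };
}

module.exports = { isAllowedOriginWeak, isAllowedOriginStrict, corsHeaders };
```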
OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/
Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter, learn about how we do internal pentesting here.