
Episode 179: OWASP Top 10 Part 1 - Broken Access Control, IDOR, and CORS Explained
Show notes
In Episode 179 of the Cyber Threat Perspective podcast, host Brad Causey and web app pen tester Jordan Natter kick off a multi-part series on the OWASP Top 10, the newly updated list of the most common and critical web application security risks, with a fresh version released in 2025.
Before diving in, Brad sets the record straight on something that's been bugging him for 20 years: the OWASP Top 10 is an awareness document, not a compliance framework, not a pen test checklist, and not a comprehensive defense guide. If your vendor claims they "comply with the OWASP Top 10," that's a red flag — you can't comply with an awareness document.
Part 1 focuses entirely on A01: Broken Access Control — the most dangerous and most common category on the list — and the conversation goes deep with real-world stories from active engagements.
Topics covered include:
- What OWASP actually is — and why the Top 10 is both invaluable and widely misunderstood
- Broken Access Control — what it means, why it tops the list, and how it manifests in real applications
- JWT validation failures — a healthcare application where improper JWT handling allowed unauthorized access to admin functionality
- MFA bypass via broken access control — a university application where MFA codes weren't properly scoped, enabling account takeover
- CORS misconfigurations — how Cross-Origin Resource Sharing policies fail in modern Node and React applications, including a real story of a CORS bypass made possible by a policy that allowed AWS-hosted resources
- Insecure Direct Object References (IDOR) — why IDOR isn't just about changing integer IDs, including a university app where changing a student ID number led to staff-level privilege escalation
- S3 bucket IDOR — how a modern web application exposed PHI by returning GUIDs in JSON responses that could be enumerated directly
- Hidden functionality as false security — why hiding admin URLs from the navigation bar is obscurity, not security, and how Jordan accessed an entire admin PDF panel as an unauthenticated user just by copying a URL
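The CORS bullet above describes a policy that trusted AWS-hosted resources. As an added example (not code from the episode or from any project it mentions), here is a plain Node.js origin check that places an assumed weak policy, which trusts any host under a shared cloud suffix, beside a strict exact-match allowlist. The origins, hostnames and the `.s3.amazonaws.com` suffix are constructed sample values chosen to illustrate the point, not details taken from the engagement.

```javascript
// Added example, not from the episode: CORS origin policy, weak vs. strict.
// All origins below are constructed sample values.

// The one front-end origin and the one bucket origin this API actually serves.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://assets-example.s3.amazonaws.com",
]);

// Parse the Origin header defensively. Browsers send exactly scheme://host[:port]
// (or the literal string "null"); anything else is rejected rather than guessed at.
function parseOrigin(originHeader) {
  if (typeof originHeader !== "string") return null;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return null; // "null", empty, or malformed
  }
  // A genuine Origin has no path, query or fragment; url.origin normalizes
  // host case and drops default ports.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  return url.origin;
}

// WEAK policy (assumed shape, shown for contrast): trusts the app's own host plus
// any host under a shared cloud suffix, on the theory that "our assets live there".
// The flaw: every other tenant of that shared suffix controls origins that pass too.
function isTrustedOriginWeak(originHeader) {
  const origin = parseOrigin(originHeader);
  if (origin === null) return false;
  const host = new URL(origin).hostname;
  return host === "app.example.com" || host.endsWith(".s3.amazonaws.com");
}

// STRICT policy: exact match of the whole normalized origin (scheme, host, port)
// against a fixed allowlist. No substrings, no suffixes, no regexes.
function isTrustedOriginStrict(originHeader) {
  const origin = parseOrigin(originHeader);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers under a given policy. Credentials are only
// released to a trusted origin, and Vary: Origin keeps shared caches from
// replaying one origin's decision to another.
function corsHeaders(originHeader, isTrusted) {
  if (!isTrusted(originHeader)) return {};
  return {
    "Access-Control-Allow-Origin": parseOrigin(originHeader),
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Self-check when run directly: node cors_policy.js
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "https://app.example.com",
    "https://assets-example.s3.amazonaws.com",
    "https://some-other-tenant.s3.amazonaws.com", // constructed: not ours
    "http://app.example.com",                     // wrong scheme
    "null",
  ];
  for (const o of samples) {
    console.log(o.padEnd(46), "weak:", isTrustedOriginWeak(o), "strict:", isTrustedOriginStrict(o));
  }
}
```

The strict variant is the one to ship: it compares the full normalized origin, so a scheme downgrade, a look-alike host, or an origin with a trailing path all fail, and it never reflects an arbitrary `Origin` value back with credentials enabled.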
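The IDOR, S3-GUID and hidden-functionality bullets above share one root cause: a lookup or route that never checks who is asking. As an added example (not code from the episode or from any project it mentions), the following in-memory model shows object-level authorization applied on every record lookup regardless of identifier format, and a role check on an admin route that is simply not linked from the navigation. Users, roles, record ids and route names are constructed sample data.

```javascript
// Added example, not from the episode: object-level authorization for a
// records API. All users, roles and ids are constructed sample values.

// Records keyed by id. Ids are GUID-style strings to make the point that the
// identifier's format is irrelevant: an unguessable id is not an access control,
// so the check has to run on every lookup, whether the id is 1, 2, 3 or a UUID.
const RECORDS = new Map([
  ["7e8f1a2b-0000-4000-8000-000000000001", { owner: "student-42", body: "grades for student-42" }],
  ["7e8f1a2b-0000-4000-8000-000000000002", { owner: "student-77", body: "grades for student-77" }],
]);

// Session as the server derived it from a validated credential, e.g.
// { user: "student-42", role: "student" } or { user: "staff-9", role: "staff" },
// or null when unauthenticated. The request body never supplies user or role.
function canReadRecord(session, record) {
  if (session === null) return false;
  return session.role === "staff" || record.owner === session.user;
}

// GET /records/:id  -- object-level check on every request.
// A non-owner gets 404 rather than 403 so the response does not confirm that
// someone else's record id exists.
function getRecord(session, recordId) {
  if (session === null) return { status: 401, body: "authentication required" };
  const record = RECORDS.get(recordId);
  if (record === undefined || !canReadRecord(session, record)) {
    return { status: 404, body: "not found" };
  }
  return { status: 200, body: record.body };
}

// GET /internal/reports/pdf  -- an admin route that is absent from the navigation.
// Not linking to it is not a control; the role check below is.
function getAdminPdfPanel(session) {
  if (session === null) return { status: 401, body: "authentication required" };
  if (session.role !== "staff") return { status: 403, body: "forbidden" };
  return { status: 200, body: "admin pdf panel" };
}

// GET /records  -- listing is driven by the session's identity, never by an
// id the client supplies, so there is no parameter to tamper with.
function listMyRecords(session) {
  if (session === null) return { status: 401, body: [] };
  const ids = [];
  for (const [id, rec] of RECORDS) {
    if (canReadRecord(session, rec)) ids.push(id);
  }
  return { status: 200, body: ids };
}
```

The useful habit here is that `canReadRecord` is a single function called from every path that touches a record; an audit of the codebase can then ask "does every handler call it?" rather than reasoning about which URLs or identifiers are public.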
OWASP Top 10: https://owasp.org/Top10/2025/0x00_2025-Introduction/
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Follow Spencer on social ⬇
Spencer's Links: https://spenceralessi.com
Work with Us: https://securit360.com | Find vulnerabilities that matter; learn about how we do internal pentesting here.