Application security is more critical than ever. According to industry reports, most data breaches are caused by exploitable software vulnerabilities. The OWASP Top 10 is a standard awareness document for developers that represents the most critical web application security risks.
In this article, we’ll explore the OWASP Top 10 (2021 edition) with real-world .NET examples that you can apply in ASP.NET Core MVC & Web API applications.
1. Broken Access Control
Issue: Users gain access to resources or actions they shouldn’t.
Example (Bad)
// Anyone can access admin dashboard
public IActionResult AdminDashboard() => View();
Solution
[Authorize(Roles = "Admin")]
public IActionResult AdminDashboard() => View();
2. Cryptographic Failures
Issue: Sensitive data (passwords, credit card numbers) is not properly encrypted.
Example (Bad)
var password = "UserPassword123"; // stored in plain text
Solution
var hashedPassword = _passwordHasher.HashPassword(user, password);
Always use ASP.NET Core Identity hashing or strong algorithms (PBKDF2, Argon2).
3. Injection
Issue: SQL injection through unvalidated input.
Example (Bad)
// User input is interpolated straight into the SQL text, so a crafted email becomes part of the query
var user = db.Users.FromSqlRaw($"SELECT * FROM Users WHERE Email = '{email}'").FirstOrDefault();
Solution
var user = await db.Users.FirstOrDefaultAsync(u => u.Email == email);
Always use parameterized queries or LINQ with EF Core.
4. Insecure Design
Solution
// Add rate limiting in Program.cs
using System.Threading.RateLimiting;

builder.Services.AddRateLimiter(options =>
{
    // One shared fixed-window bucket: at most 100 requests per minute for the whole app
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(
        _ => RateLimitPartition.GetFixedWindowLimiter("global", _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 100,
            Window = TimeSpan.FromMinutes(1)
        }));
});

// The limiter only takes effect once the middleware is added to the pipeline
app.UseRateLimiter();
5. Security Misconfiguration
Solution
// Outside Development: generic error page (no stack traces) and HSTS
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Home/Error");
    app.UseHsts();
}
6. Vulnerable & Outdated Components
Issue: Using outdated NuGet packages with known vulnerabilities.
Solution
dotnet list package --vulnerable
Keep dependencies updated and patch regularly.
7. Identification & Authentication Failures
Issue: Weak authentication mechanisms.
Example (Bad)
if (username == "admin" && password == "1234") { ... }
Solution
8. Software & Data Integrity Failures
Issue: Applications rely on insecure updates or untrusted data.
Solution
Validate all external data sources (files, APIs).
Enable package integrity checks in NuGet.
Implement code signing for updates.
9. Security Logging & Monitoring Failures
Issue: Attacks go undetected due to inadequate logging.
Solution
// Serilog: write security-relevant events to a dedicated log file
Log.Logger = new LoggerConfiguration()
    .WriteTo.File("logs/security.log")
    .CreateLogger();
Log authentication attempts, errors, and unusual activity, and integrate with Azure Monitor/SIEM.
10. Server-Side Request Forgery (SSRF)
Issue: Application fetches remote resources without validation.
Example (Bad)
var response = await httpClient.GetStringAsync(userProvidedUrl);
Solution
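One way to fill in this solution, as an added example that is not from the original article: validate the user-supplied URL against an allow-list of hosts before the HttpClient call, and build the client with automatic redirects disabled so an allowed host cannot bounce the request to an internal address. The host names, the SafeFetcher class and its method names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

public static class SafeFetcher
{
    // Hypothetical allow-list of the only hosts this application may fetch from.
    private static readonly HashSet<string> AllowedHosts = new(StringComparer.OrdinalIgnoreCase)
    {
        "api.example.com",
        "cdn.example.com"
    };

    // Returns the validated absolute URI, or null if the request must be refused.
    public static Uri? ValidateOutboundUrl(string userProvidedUrl)
    {
        if (!Uri.TryCreate(userProvidedUrl, UriKind.Absolute, out var uri))
            return null;

        // Only https: rules out file://, ftp://, gopher:// and similar schemes.
        if (uri.Scheme != Uri.UriSchemeHttps)
            return null;

        // Reject raw IP literals (loopback, link-local metadata addresses, ...)
        // and any DNS name that is not on the allow-list.
        if (uri.HostNameType != UriHostNameType.Dns || !AllowedHosts.Contains(uri.Host))
            return null;

        // Reject embedded credentials such as https://user:pass@host/.
        if (!string.IsNullOrEmpty(uri.UserInfo))
            return null;

        return uri;
    }

    // Redirects are disabled so a 302 from an allowed host cannot redirect
    // the request to a host that would have failed validation.
    public static HttpClient CreateClient() =>
        new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });

    public static async Task<string> FetchAsync(HttpClient httpClient, string userProvidedUrl)
    {
        var uri = ValidateOutboundUrl(userProvidedUrl)
                  ?? throw new ArgumentException("URL is not on the outbound allow-list.");
        return await httpClient.GetStringAsync(uri);
    }
}
```

The allow-list is checked on the host name, and DNS resolution still happens afterwards inside HttpClient, so pair this with egress filtering at the network level rather than relying on the application check alone.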
Key Takeaways
The OWASP Top 10 provides a foundation for secure coding.
In ASP.NET Core, most risks can be mitigated with built-in features (Identity, Data Protection, Middleware).
Security must be a continuous practice, not a one-time fix.
Final Thoughts
By applying the OWASP Top 10 guidelines in your .NET applications, you reduce risks of breaches, protect sensitive data, and build trust with users.