OWASP Top 10: audit and harden a vulnerable service

Audit a small web service (your own, OWASP Juice Shop, or the starter below) against the OWASP Top 10 (2021): find at least five findings across distinct categories, exploit each to confirm it, remediate at the root cause, and prove every fix with a repeatable before/after test.

• Stand up a small HTTP service with auth, at least one owned-resource endpoint (e.g. GET /api/invoices/:id), one server-side URL fetch (e.g. link/image preview), a CORS config, and a third-party dependency — your own, OWASP Juice Shop, or the starter.
• Run a structured audit mapping findings to the 2021 categories: A01 Broken Access Control (IDOR + missing function-level authz), A02 Cryptographic Failures, A03 Injection, A05 Security Misconfiguration, A06 Vulnerable & Outdated Components, and A10 SSRF. Record at least five findings across distinct categories.
• Prove each finding with a working request: e.g. read another user's record by editing an id, hit an admin endpoint as a non-admin via curl, point the URL fetcher at a link-local metadata address, or trigger a CORS reflection. Capture the exploit request and response.
• Remediate A01 at the root: scope every query to the caller (WHERE id = ? AND owner_id = ?) and gate privileged routes with a server-side role check, deny by default — never inferred from a hidden UI element or a client claim.
• Remediate A10 SSRF: allowlist scheme/host, resolve the destination IP and reject private/loopback/link-local ranges (re-checked after redirects), and lock down the cloud metadata endpoint (IMDSv2 or block 169.254.169.254).
• Remediate A05 + A06: replace any reflected-origin/credentialed CORS with a fixed trusted-origin allowlist, suppress verbose stack traces in prod, and upgrade the vulnerable dependency — generate an SBOM and add a CI dependency/CVE scan.
• Write each fix as a before/after test (failing exploit request → 403/404 after the fix) so the remediation is regression-proof, and add structured security logging for auth failures WITHOUT logging secrets.

• A findings table: each row names the OWASP 2021 category, the exploit request that proved it, the root-cause fix applied, and the test that now blocks it.
• The five-plus findings span distinct categories (not five variants of the same bug), with A01 covered by both an IDOR and a missing-function-level-authz example.
• Every fix has a repeatable test: the exact exploit request that worked before now returns 403/404 (authz), is rejected by the allowlist (SSRF/CORS), or is closed by the dependency upgrade — run live, not asserted.
• A one-paragraph write-up explaining, for at least one finding, why you fixed the root cause server-side rather than adding a WAF rule, an unguessable id, or a hidden UI element.