OWASP Top 10 2025: Insecure Data Handling
Platform: TryHackMe
Difficulty: Easy
Date: February 2026
Room: OWASP Top 10 2025: Insecure Data Handling
What I Practiced
Three vulnerabilities from the OWASP Top 10 (2025) list related to insecure data handling: Cryptographic Failures, Server Side Template Injection, and Insecure Deserialization.
Tools Used
- Browser
- Linux Terminal
- Python 3
What I Did
A04 - Cryptographic Failures: Analyzed a note-sharing web application that used a weak shared key for encryption. Identified the flaw in the key derivation and decrypted the protected notes to retrieve the flag.
A05 - Injection (SSTI): Found an input field that rendered user content through a Python template engine. Independently researched SSTI payloads, confirmed the vulnerability with a basic expression, then escalated to read a file from the server's filesystem.
A08 - Insecure Deserialization: Identified that the application accepted and deserialized Python objects without validation. Independently researched Python's pickle module and wrote a malicious payload using the __reduce__ method to execute a file read command upon deserialization.
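As an added defensive example (not part of the room or this writeup), the snippet below contrasts the vulnerable pattern, a plain pickle.loads on client-supplied bytes, with the allowlisting Unpickler subclass that the Python pickle documentation recommends. GadgetDemo is a constructed stand-in for the payload described above: its __reduce__ points at the harmless os.getenv rather than a file-read or command function, which is enough to show that the restricted loader refuses the stream while the unrestricted one silently runs whatever it references.

```python
import io
import os
import pickle

# Allowlist of (module, name) pairs the app legitimately needs when loading
# notes; extend with the app's own classes. Everything else is refused.
ALLOWED_GLOBALS = {("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize with the allowlist; raises UnpicklingError on gadgets."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """What the vulnerable app did: trust the stream and run what it names."""
    return pickle.loads(data)


class GadgetDemo:
    """Constructed stand-in for a malicious object: __reduce__ makes pickle
    call os.getenv("PATH") during load (harmless here by design)."""

    def __reduce__(self):
        return (os.getenv, ("PATH",))


def make_safe_sample() -> bytes:
    return pickle.dumps({"note": "hello", "id": 7})  # constructed benign note


def make_gadget_sample() -> bytes:
    return pickle.dumps(GadgetDemo())  # constructed gadget stream


def load_or_reject(data: bytes):
    """Return ('ok', obj) for allowlisted data, ('rejected', reason) otherwise."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
```

Even with an allowlist, pickle remains a code-execution format by design; where the client only needs to send plain data, a schema-validated JSON body removes the class of bug entirely.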
Flags
| Task | Flag |
|---|---|
| A04 - Cryptographic Failures | THM{WEAK_CRYPTO_FLAG} |
| A05 - Injection (SSTI) | THM{SSTI_FLAG_OBTAINED} |
| A08 - Insecure Deserialization | THM{INSECURE_DESERIALIZATION} |
Key Takeaway
Never deserialize untrusted data, and never render user input directly through a template engine; both can lead to remote code execution.