Day 01 Foundations

OWASP Top 10 and Attack Surfaces

Map the attack surface of a modern web application. SQL injection, XSS, IDOR, and SSRF — not as abstract CVEs but as live exploits you run in a lab environment today.

~1 hour · Intermediate · Hands-on · Precision AI Academy

01. How JWT Authentication Works

A JWT is a signed token containing claims (user ID, email, roles). The server creates it on login and the client sends it with every request. The server verifies the signature — no database lookup required.

JWT Structure
# A JWT looks like:
# eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOjEsImV4cCI6MTcwMH0.abc123

# Three parts, base64url-encoded and separated by dots:
# HEADER.PAYLOAD.SIGNATURE

# Header (decoded):  {"alg": "HS256", "typ": "JWT"}
# Payload (decoded): {"userId": 1, "exp": 1700000000}
# Signature: HMAC-SHA256(base64url(header) + "." + base64url(payload), SECRET_KEY)
# Only the signature protects the token: header and payload are readable by anyone who holds it.
Terminal
npm install jsonwebtoken bcrypt express
auth.js — Login and JWT Issuance
const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

const app = express();
app.use(express.json()); // parse JSON request bodies for /login

// User is your data-access layer (for example an ORM model) exposing findByEmail();
// the lesson assumes it exists and does not show it.

const JWT_SECRET = process.env.JWT_SECRET; // Long random string (32+ chars), from the environment only
if (!JWT_SECRET) throw new Error('JWT_SECRET is not set'); // Fail fast; never fall back to a default
const JWT_EXPIRY = '15m'; // Short-lived access tokens

// Login endpoint
app.post('/login', async (req, res) => {
  const { email, password } = req.body;
  
  // Look up user
  const user = await User.findByEmail(email);
  if (!user) return res.status(401).json({ error: 'Invalid credentials' });
  
  // Verify password (bcrypt compares hash)
  const valid = await bcrypt.compare(password, user.passwordHash);
  if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
  
  // Issue JWT
  const token = jwt.sign(
    { userId: user.id, email: user.email, role: user.role },
    JWT_SECRET,
    { expiresIn: JWT_EXPIRY }
  );
  
  res.json({ token });
});

// Authentication middleware
function requireAuth(req, res, next) {
  const authHeader = req.headers.authorization;
  if (!authHeader?.startsWith('Bearer ')) {
    return res.status(401).json({ error: 'No token provided' });
  }
  
  const token = authHeader.slice(7);
  
  try {
    // Pin the accepted algorithm so a token whose header names a different alg is rejected
    const decoded = jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] });
    req.user = decoded;
    next();
  } catch (error) {
    if (error.name === 'TokenExpiredError') {
      return res.status(401).json({ error: 'Token expired' });
    }
    return res.status(401).json({ error: 'Invalid token' });
  }
}

// Protected route
app.get('/profile', requireAuth, (req, res) => {
  res.json({ user: req.user });
});

app.listen(process.env.PORT || 3000);
⚠️ Critical security rules for JWTs:
• Never store JWTs in localStorage — use httpOnly cookies for web apps
• Use short expiry times (15 min) with refresh tokens for long sessions
• The JWT_SECRET must be a long random string (32+ chars), never hardcoded
• Never put sensitive data (passwords, SSN) in the payload — it is only base64url-encoded, not encrypted, so anyone holding the token can read it
Day 1 Exercise
Build a JWT Auth Flow
  1. Create a simple Express app with the login endpoint and requireAuth middleware.
  2. Test the login endpoint — verify you get a JWT back.
  3. Decode the JWT at jwt.io and read the payload.
  4. Call a protected endpoint with and without the token.
  5. Test with an expired token (set expiry to 1s in testing).

Day 1 Summary

What's Next

The foundations from today carry directly into Day 2. In the next session the focus shifts to Authentication and Session Security — building directly on everything covered here.

Day 1 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 2?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
