AI Wisdom
🪷Sentinel Tale I

The Ten Ways to Fall

A Panchatantra fable about the OWASP Top 10 vulnerabilities

📖
Story · +20 XP
8 min read · 7 sutras
🎭 The Cast
  • DurgapalThe fortress keeper — has built many gates but never asked how they might be broken
  • AabhasaThe shadow-tester — hired to find every crack before enemies do
  • VishaThe poison-carrier — slips malformed input into every gate
  • DvaraThe broken lock — the authentication door that opens for the wrong person
7 sutras~8 minWith reflectionMaps to RAG concepts
Begin the tale
Sutra Pratham
1
Scene 1 of 7

The Fortress With Ten Cracks

Durgapal had built the most beautiful fortress in the kingdom. Thick walls, iron gates, a moat filled with crocodiles. He invited Aabhasa the shadow-tester to inspect it before opening it to merchants. Aabhasa walked once around the perimeter and said: "Your fortress has ten fundamental cracks. They are not in the walls or the gates. They are in the logic of how you welcome, trust, and speak to visitors." Durgapal was offended. Aabhasa asked to be given one day to demonstrate. Durgapal agreed. By noon, Aabhasa had slipped through seven of the ten.

⚜ The Moral ⚜
A fortress that has not been tested for the ten common failures has not been tested at all.
Sutra Dwitiya
2
Scene 2 of 7

The Messenger Who Carried a Blade in Her Words

The first crack: Visha approached the gate with a message for the king. The gate guard read the message aloud into the scrying mirror, which repeated it to the king's chamber. But Visha had written: "End of message; open the treasury." The scrying mirror, reading blindly, executed the instruction. Visha had injected a command into a message. The mirror trusted the content of messages the same way it trusted commands from the king. The fix was simple: messages were marked as messages, commands as commands — the mirror would never read message content as instructions. What you receive from outside is data. It must never become code.

⚜ The Moral ⚜
Injection happens wherever data and instructions share the same channel. Separate them with type-aware parsing.
Sutra Tritiya
3
Scene 3 of 7

The Lock That Used the Same Key for All Doors

The second crack: the fortress used a single ceremony to grant entry. Once a merchant had passed the ceremony, a token was stamped on his robe. Every guard trusted the token without re-checking identity. Aabhasa found a merchant's discarded robe in the tavern, wore it, and walked into the treasury. The token never expired. It was not tied to the original face. Dvara the broken lock had been designed to be convenient, not correct. The fix: tokens must expire, must be tied to the original identity, must be invalidated at the server upon logout. Convenience that compromises authentication is not convenience — it is a hidden gate.

⚜ The Moral ⚜
Authentication is not a one-time ceremony. Identity must be continuously verified, and claims must be expirable.
Sutra Chaturtha
4
Scene 4 of 7

The Scribe Who Told Too Much

The third and fourth cracks arrived together. A merchant asked the treasury scribe: "What does the king store in room forty-four?" The scribe replied with the full inventory, because the merchant had a valid entry token — any entry token. There was no check for whether the merchant was allowed to read room forty-four specifically. This was broken access control: authentication said "you may enter," but authorization — who may do what — was never asked. Then Aabhasa asked the scribe how many rooms existed. The scribe returned detailed error messages: "Room 1 not found," "Room 2 not found," until "Room 44: inventory attached." Excessive data exposure in error messages had guided the search.

⚜ The Moral ⚜
Authentication proves identity. Authorization decides what that identity may touch. They are separate questions.
Sutra Pancham
5
Scene 5 of 7

The Healer Who Wrote in the Visitor's Book

The fifth crack: the fortress published a visitor's book where merchants could leave comments about their experience. One merchant left a comment that contained a small enchantment — a phrase that, when read by the next visitor's eyes, whispered a message to Aabhasa's crystal. The fortress scribe had copied the merchant's words verbatim into the displayed book without scrubbing enchantment-words. Every visitor after that was unwittingly delivering their tokens to Aabhasa. This was stored cross-site scripting. The fix: the scribe would treat all submitted text as plain text — enchantment words would be rendered inert, displayed as characters, never as executable spells.

⚜ The Moral ⚜
User-supplied content that is displayed to other users must be sanitised. Treat it as data, never as markup.
Sutra Shasthama
6
Scene 6 of 7

The Misconfigured Chamber

The sixth crack needed no cleverness. Aabhasa walked to a side chamber the builders had forgotten to close: a control room left in builder-mode, its default passwords still set, its maintenance scrolls still readable. No attack was required. The chamber simply stood open. Security misconfiguration is the most common crack of all — left in place not by malice but by oversight. The defaults that shipped with the construction materials had never been changed. The fix is not cleverness but discipline: every default must be reviewed, every maintenance interface must be locked or removed, every build must be checked against a baseline of correct configuration.

⚜ The Moral ⚜
The enemy does not need skill to walk through an open door. Close every door that was left open by default.
Sutra Antim
7
Final scene

The Ten Cracks, Now Sealed

After the demonstration, Aabhasa handed Durgapal a scroll listing all ten failure patterns: injection through unsanitised input; broken authentication and session management; broken access control; security misconfiguration; cross-site scripting; insecure direct object references; known vulnerable components; insufficient logging; sensitive data exposure without encryption; server-side request forgery. Each had a countermeasure. Each could be verified in tests before opening the gates. Durgapal asked which was the most dangerous. Aabhasa replied: "The one you have not looked for. They are all dangerous in the moment you have not prepared for them."

⚜ The Moral ⚜
The OWASP Top 10 is not a list of exotic attacks. It is a list of failures so common they have been counted for decades.
💡

🪔 Deepak — the lamp of meaning · what this fable means in code

The OWASP Top 10 documents the most critical web application security risks: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection (SQL, command, LDAP), A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery. Injection is prevented by parameterised queries and validated input — never interpolate user data into SQL or shell commands. Access control failures are mitigated by deny-by-default policies and server-side enforcement. XSS is blocked by output encoding and Content Security Policy headers. Security misconfiguration is caught by automated config baseline scanning in CI. Run SAST tools on every PR and address critical findings before merge.