Escalating web application security threats necessitate deeper pedagogical and practical understanding of fundamental vulnerabilities. Method: This study leverages the teaching-oriented Gruyere vulnerability platform to systematically analyze the root causes, exploitation vectors, and mitigation mechanisms of OWASP Top 10 vulnerabilities—including SQL injection, XSS, and CSRF—by reproducing over ten classic vulnerability classes and empirically validating targeted remediations. Contribution/Results: The work reveals that foundational security principles underlying ostensibly obsolete vulnerabilities remain critically relevant to modern web architectures. Innovatively, Gruyere is refactored into an extensible security analysis framework, enabling rigorous pedagogy on vulnerability mechanics and evidence-based evaluation of defense strategies. This enhances both conceptual depth and hands-on capability in web security. The framework provides a reusable methodology for security education and lightweight protection design, bridging theoretical insight with practical implementation.

With the rapid development of Internet technologies, web systems have become essential infrastructures for modern information exchange and business operations. However, alongside their expansion, numerous security vulnerabilities have emerged, making web security a critical research focus within the broader field of cybersecurity. These issues are closely related to data protection, privacy preservation, and business continuity, and systematic research on web security is crucial for mitigating malicious attacks and enhancing the reliability and robustness of network systems. This paper first reviews the OWASP Top 10, summarizing the types, causes, and impacts of common web vulnerabilities, and illustrates their exploitation mechanisms through representative cases. Building upon this, the Gruyere platform is adopted as an experimental subject for analyzing known vulnerabilities. The study presents detailed reproduction steps for specific vulnerabilities, proposes comprehensive remediation strategies, and further compares Gruyere's vulnerabilities with contemporary real-world cases. The findings suggest that, although Gruyere's vulnerabilities are relatively outdated, their underlying principles remain highly relevant for explaining a wide range of modern security flaws. Overall, this research demonstrates that web system security analysis based on Gruyere not only deepens the understanding of vulnerability mechanisms but also provides practical support for technological innovation and security defense.