
OWASP Top 10

The most critical web application security risks

Overview

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. This list is updated periodically to reflect emerging threats and vulnerabilities in the web application security landscape.

Why the OWASP Top 10 Matters

Understanding and addressing the OWASP Top 10 is crucial for several reasons:

  • Provides a prioritized approach to application security
  • Helps focus security efforts on the most impactful vulnerabilities
  • Serves as a baseline for security testing and code reviews
  • Widely recognized standard in the security industry
  • Often referenced in compliance requirements and security frameworks

OWASP Top 10 (2021 Edition)

The latest OWASP Top 10 list was released in 2021, with significant changes from previous versions. The list reflects the evolving threat landscape and incorporates new categories based on data and community feedback.

Related Resources

OWASP Testing Guide

Comprehensive web application testing methodology

OWASP Cheat Sheets

Practical guides for secure development

OWASP ASVS

Application Security Verification Standard

A01:2021
Critical
Broken Access Control
Restrictions on authenticated users are not properly enforced

Access Control Implementation

Design and implement effective access control mechanisms:

  • Apply principle of least privilege
  • Implement role-based access control (RBAC)
  • Enforce access controls on server side
  • Deny access by default
  • Validate user permissions for all resources

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data.
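
The following is an added example, not code from the OWASP page: a deny-by-default authorization check that combines a role permission table with a per-object ownership test, so that neither an unknown role, an unlisted action, nor another user's document slips through. The names (User, Document, ROLE_PERMISSIONS, authorize, update_document) are assumptions chosen for the illustration.

```python
# Added example (not from the OWASP page): deny-by-default, server-side
# access control with RBAC plus per-object ownership checks.
# All names (User, Document, ROLE_PERMISSIONS, authorize) are assumptions.
from dataclasses import dataclass

# Role -> set of permitted actions. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:update"},
    "admin": {"document:read", "document:update", "document:delete"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


def authorize(user: User, action: str, doc: Document) -> bool:
    """Return True only when policy explicitly allows the action.

    Deny by default: an unknown role or an unlisted action falls through
    to False. Ownership is checked on the server from the stored record;
    the caller never gets to assert "is_owner" itself.
    """
    allowed_actions = ROLE_PERMISSIONS.get(user.role, set())
    if action not in allowed_actions:
        return False
    # Admins may act on any document; everyone else only on their own.
    if user.role == "admin":
        return True
    return doc.owner_id == user.user_id


class Forbidden(Exception):
    pass


def update_document(user: User, doc: Document, new_body: str) -> str:
    # Every resource access goes through authorize(); there is no
    # client-side shortcut and no "hidden" endpoint that skips the check.
    if not authorize(user, "document:update", doc):
        raise Forbidden(f"{user.user_id} may not update {doc.doc_id}")
    return f"{doc.doc_id} updated by {user.user_id}"
```

The ownership test is what stops the classic IDOR case: an editor who guesses another user's document id is still refused, because the decision is made from the server-side owner field rather than from anything the client sent.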

A02:2021
Critical
Cryptographic Failures
Failures related to cryptography that often lead to sensitive data exposure

Secure Data Protection

Implement proper cryptographic controls:

  • Encrypt all sensitive data at rest and in transit
  • Use strong, up-to-date algorithms and protocols
  • Implement proper key management
  • Disable caching for sensitive data
  • Apply proper certificate validation

Cryptographic failures can expose sensitive data, including passwords, credit card numbers, health records, personal information, and business secrets, leading to identity theft, fraud, or other harm.

A03:2021
Critical
Injection
User-supplied data is not validated, filtered, or sanitized

Preventing Injection

Implement secure coding practices:

  • Use parameterized queries for database access
  • Validate and sanitize all user inputs
  • Use ORM frameworks with proper escaping
  • Apply context-specific output encoding
  • Implement proper error handling

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing data without proper authorization.

A04:2021
High
Insecure Design
Failures in design and architecture that lead to security issues

Secure Design Principles

Implement security by design:

  • Conduct threat modeling during design
  • Use secure design patterns and principles
  • Implement defense in depth strategies
  • Design with failure in mind
  • Integrate security requirements into user stories

Insecure design covers weaknesses rooted in design and architectural flaws, where a proper security design could have prevented them. This is distinct from implementation flaws: a secure design can still be undermined by a poor implementation, but no implementation can fix a design that never accounted for the threat.

A05:2021
High
Security Misconfiguration
Improper implementation of controls intended to keep application data safe

Secure Configuration Management

Ensure all components are securely configured and maintained:

  • Remove unnecessary features and components
  • Maintain a secure configuration baseline
  • Implement automated configuration checks
  • Apply security headers and directives
  • Keep all software components updated

Security misconfiguration is the most commonly seen issue, often resulting from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, or verbose error messages containing sensitive information.

A06:2021
High
Vulnerable and Outdated Components
Using components with known vulnerabilities

Component Management

Implement proper dependency management:

  • Maintain an inventory of all components
  • Remove unused dependencies
  • Only obtain components from official sources
  • Monitor for vulnerabilities in dependencies
  • Establish a patch management process

Applications using components with known vulnerabilities may undermine application defenses and enable various attacks. Components can include libraries, frameworks, and other software modules that run with the same privileges as the application.

A07:2021
High
Identification and Authentication Failures
Incorrectly implemented authentication and session management

Secure Authentication

Implement robust authentication controls:

  • Implement multi-factor authentication
  • Use strong password policies
  • Implement proper session management
  • Protect against automated attacks
  • Implement secure credential recovery

Authentication failures can allow attackers to assume other users' identities. Due to the prevalence of password reuse, the impact of such flaws can extend beyond the application itself, leading to full account takeover.
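
As an added example (not from the OWASP page), the block below sketches the session-management half of this category: a server-side session store that issues unguessable identifiers from the OS CSPRNG, rotates the identifier at login so a pre-authentication session cannot be fixated, and expires idle sessions. The class and method names, the timeout value and the injectable clock are assumptions made so the example can run offline.

```python
# Added example (not from the OWASP page): server-side session handling with
# unguessable IDs, rotation at login and an idle timeout. Names are assumptions.
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before re-authentication


class SessionStore:
    def __init__(self, clock=time.time):
        # session_id -> {"user": ..., "last_seen": ...}; the clock is
        # injectable so expiry can be exercised without sleeping.
        self._sessions = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG; never derived from user data,
        # a counter or the time, which would make IDs predictable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: Optional[str], user_id: str) -> str:
        # Rotate on privilege change: drop the pre-auth session so an
        # identifier planted before login grants nothing afterwards.
        if old_sid:
            self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user bound to a session id, or None if absent/expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: force re-authentication
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the client cookie alone is not enough.
        self._sessions.pop(sid, None)
```

In a real deployment the identifier would be sent in a cookie marked Secure, HttpOnly and with a SameSite attribute, and the store would live in a shared backend rather than in process memory.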

A08:2021
High
Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations

Integrity Protection

Implement controls to ensure integrity:

  • Verify the integrity of software updates
  • Use digital signatures for code and data
  • Implement secure CI/CD pipelines
  • Validate data from untrusted sources
  • Use immutable deployment artifacts

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This can occur when applications rely on plugins, libraries, or modules from untrusted sources, repositories, or CDNs.
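
The following is an added example, not code from the OWASP page: a two-step integrity check for a downloaded update, verifying first that the manifest is authentic and then that the artifact matches the digest pinned in that manifest. HMAC-SHA256 stands in for a public-key signature so the block runs with the standard library alone; in production the publisher's private key would sign the manifest and clients would carry only the public key. The function names, manifest layout and sample artifact are all constructed.

```python
# Added example (not from the OWASP page): verify a signed manifest, then the
# artifact it pins. HMAC is a stand-in for a real asymmetric signature.
# All names and sample data are constructed.
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Publisher side: canonical JSON of {artifact_name: sha256_hex} plus a
    tag over that exact byte string."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def verify_update(manifest: dict, key: bytes, name: str, data: bytes) -> bool:
    """Client side: accept only if BOTH the manifest and the artifact check out."""
    expected_tag = hmac.new(key, manifest["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False  # manifest forged or altered in transit
    entries = json.loads(manifest["body"])
    pinned = entries.get(name)
    if pinned is None:
        return False  # artifact not listed: deny by default
    return hmac.compare_digest(pinned, sha256_hex(data))
```

Checking the digest alone is not enough: without the signature on the manifest, whoever can serve the artifact can also serve a matching digest. The signature ties the pinned digests to the publisher, and the digest ties the bytes on disk to the manifest.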

A09:2021
Medium
Security Logging and Monitoring Failures
Insufficient logging and monitoring to detect and respond to security incidents

Effective Monitoring

Implement comprehensive logging and monitoring:

  • Log all security-relevant events
  • Ensure logs are in a format suitable for consumption
  • Implement real-time monitoring and alerting
  • Establish incident response procedures
  • Protect log data from tampering

Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occur any time security-relevant events are not logged, not monitored, or not acted upon when detected.
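
As an added example (not from the OWASP page), the block below shows the two halves of this category working together: emitting security events in a machine-readable, one-JSON-object-per-line format, and running a small detector over those lines that raises an alert when one source address accumulates repeated failed logins inside a time window. The event schema, the sample log lines and the thresholds are constructed for the illustration.

```python
# Added example (not from the OWASP page): structured security events plus a
# sliding-window detector over them. Sample events and schema are constructed.
import json
from collections import defaultdict, deque


def security_event(event: str, **fields) -> str:
    """One JSON object per line: easy to ship, parse and query.
    Callers must never pass secrets (passwords, tokens) as fields."""
    record = {"event": event, **fields}
    return json.dumps(record, sort_keys=True)


# Constructed sample log: a burst of failures from one address, one success
# from another, then a lone failure much later.
SAMPLE_LOG = "\n".join([
    security_event("login_failed", ts=100, ip="203.0.113.7", user="alice"),
    security_event("login_failed", ts=101, ip="203.0.113.7", user="alice"),
    security_event("login_failed", ts=102, ip="203.0.113.7", user="bob"),
    security_event("login_failed", ts=103, ip="203.0.113.7", user="carol"),
    security_event("login_failed", ts=104, ip="203.0.113.7", user="dave"),
    security_event("login_ok", ts=105, ip="198.51.100.2", user="erin"),
    "this line is not json",  # malformed input the detector must tolerate
    security_event("login_failed", ts=400, ip="203.0.113.7", user="alice"),
])


def detect_bruteforce(log_text: str, threshold: int = 5, window: int = 60) -> list:
    """Return (ip, ts) alerts whenever `threshold` failed logins from one IP
    fall within `window` seconds. Each burst yields a single alert."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip bad lines; a detector must not crash on input
        if rec.get("event") != "login_failed":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold:
            alerts.append((rec["ip"], rec["ts"]))
            q.clear()  # reset so the same burst is not reported repeatedly
    return alerts
```

The structured format is what makes the detector trivial to write; the same rule expressed over free-text log lines would need a fragile regular expression per message variant.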

A10:2021
Medium
Server-Side Request Forgery (SSRF)
Web application fetches a remote resource without validating the user-supplied URL

SSRF Prevention

Implement controls to prevent SSRF:

  • Sanitize and validate all client-supplied input data
  • Enforce URL schema, port, and destination with allowlists
  • Do not send raw responses to clients
  • Disable HTTP redirections
  • Segment remote resource access functionality

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. They allow an attacker to coerce the application into sending a crafted request to an unexpected destination, even when that destination is protected by a firewall or VPN.
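
The block below is an added example, not code from the OWASP page: a validator for a user-supplied URL that enforces the scheme, host and port allowlists from the list above and additionally refuses any host whose resolved address falls in a loopback, private, carrier-grade NAT or link-local range. DNS resolution is injected as a function so the example runs offline; the allowlist entries, the stand-in resolver and its addresses are constructed (the 203.0.113.0/24 addresses are RFC 5737 documentation addresses standing in for public ones).

```python
# Added example (not from the OWASP page): allowlist-based validation of an
# outbound URL plus a resolved-address check. Allowlist entries, the
# resolver and its addresses are constructed.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.test", "api.partner.example.test"}
ALLOWED_PORTS = {443}

# Ranges an outbound fetcher must never reach: "this network", RFC 1918,
# CGNAT, loopback, link-local (where cloud metadata services live) and the
# IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def fake_resolver(hostname: str) -> list:
    """Constructed stand-in for DNS so the example runs offline; a real
    deployment would call socket.getaddrinfo() here."""
    return {
        "images.example.test": ["203.0.113.10"],
        "api.partner.example.test": ["203.0.113.20"],
    }.get(hostname, [])


def validate_outbound_url(url: str, resolver=fake_resolver) -> tuple:
    """Return (ok, reason). Every check must pass; anything unexpected is rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname  # None for URLs with no host, which the allowlist rejects
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if (port or 443) not in ALLOWED_PORTS:
        return False, "port not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"resolves to blocked address {addr}"
    return True, "ok"
```

Two caveats for real use: the fetcher should connect to the address that was validated rather than resolving the name a second time, since a name can change its answer between check and use; and redirects must stay disabled, or the final destination has to be put through the same validation.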