OWASP Top 10

The most critical web application security risks as identified by the Open Web Application Security Project. Updated for 2021. Every developer, security professional, and organization building web applications should understand and address these risks.

What is the OWASP Top 10?

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source projects, hundreds of chapters worldwide, and educational conferences, OWASP provides a trusted standard for web application security.

The OWASP Top 10 is a standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications and is updated regularly to reflect the evolving threat landscape. Every developer, security professional, and organization building web applications should understand and address these risks.

A01

A01:2021 - Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and data, such as other users' accounts, sensitive files, or modify access rights.

Common Vulnerabilities

  • Insecure Direct Object References (IDOR)
  • Privilege Escalation
  • Missing function-level access control
  • CORS misconfiguration
  • Server-Side Request Forgery (SSRF)

Prevention

  • Deny by default; enforce access controls at every level
  • Implement access control checks consistently across the application
  • Disable directory listing on web servers
  • Log and alert on access control failures
A02

A02:2021 - Cryptographic Failures

Failures related to cryptography which often leads to sensitive data exposure. This includes weak algorithms, improper key management, and missing encryption.

Common Issues

  • Cleartext data transmission (HTTP, FTP, SMTP)
  • Weak algorithms (MD5, SHA1)
  • Hardcoded cryptographic keys
  • Missing TLS enforcement

Prevention

  • Classify data and apply controls based on classification
  • Enforce TLS for all data in transit
  • Avoid storing sensitive data; encrypt it at rest if necessary
  • Use strong, current algorithms and proper key management
A03

A03:2021 - Injection

User-supplied data is not validated, filtered, or sanitized by the application. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

Common Types

  • SQL Injection
  • Command Injection
  • LDAP Injection
  • XPath Injection
  • NoSQL Injection

Prevention

  • Use parameterized queries and prepared statements
  • Implement strict input validation and whitelisting
  • Escape special characters in output
  • Use ORMs and LIMIT clauses to reduce impact
A04

A04:2021 - Insecure Design

A category representing different weaknesses in the design phase, where security controls are not properly designed or are missing entirely.

Common Issues

  • Missing threat modeling
  • Insecure design patterns
  • Missing security controls in architecture
  • Insufficient business logic validation

Prevention

  • Establish a secure development lifecycle (SDLC)
  • Use threat modeling during design
  • Write and reuse secure design patterns and reference architectures
  • Implement defense in depth at the design level
A05

A05:2021 - Security Misconfiguration

Insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.

Common Issues

  • Default credentials still enabled
  • Unnecessary features enabled (ports, services, pages)
  • Missing security headers (CSP, HSTS, X-Frame-Options)
  • Verbose error messages revealing stack traces
  • Open S3 buckets or cloud storage permissions

Prevention

  • Implement a hardened, automated build and deploy process
  • Use a minimal platform with only required features
  • Review and update cloud permissions regularly
  • Use segmented application architecture
A06

A06:2021 - Vulnerable and Outdated Components

Using components with known vulnerabilities, outdated software, no version tracking, not scanning for vulnerabilities, and not fixing the underlying platform in a timely manner.

Common Issues

  • Unpatched software and frameworks
  • End-of-life (EOL) software still in use
  • Unused dependencies introducing unnecessary risk
  • Lack of version inventory and vulnerability monitoring

Prevention

  • Remove unused dependencies, features, and documentation
  • Maintain an inventory of component versions
  • Monitor CVE and NVD for vulnerabilities in dependencies
  • Only obtain components from official sources over secure links
A07

A07:2021 - Identification and Authentication Failures

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

Common Issues

  • Credential stuffing attacks
  • Brute force attacks
  • Weak or default passwords allowed
  • Missing multi-factor authentication (MFA)
  • Session fixation and session hijacking

Prevention

  • Implement multi-factor authentication (MFA)
  • Avoid default credentials and weak passwords
  • Limit and delay failed login attempts
  • Follow NIST authentication guidelines
A08

A08:2021 - Software and Data Integrity Failures

Code and infrastructure that does not protect against integrity violations, insecure CI/CD pipelines, and auto-update mechanisms without sufficient integrity verification.

Common Issues

  • Insecure deserialization
  • Unsigned updates or packages
  • Compromised CI/CD pipelines
  • Insecure CDN or content delivery mechanisms

Prevention

  • Use digital signatures to verify software and data integrity
  • Ensure libraries and dependencies are consumed from trusted repositories
  • Ensure CI/CD pipelines have proper segregation and configuration
  • Avoid sending unsigned or unverified packages to production
A09

A09:2021 - Security Logging and Monitoring Failures

Insufficient logging, detection, monitoring, and active response allows attackers to further attack systems, maintain persistence, and tamper with data.

Common Issues

  • Missing audit logs for login and access control events
  • Logs only stored locally, easily tampered with
  • No alerting thresholds or anomaly detection
  • Penetration tests and DAST scans do not trigger alerts

Prevention

  • Log all login events, access control failures, and server-side input validation failures
  • Use a centralized log management solution
  • Establish effective monitoring and alerting for suspicious activity
  • Establish and follow an incident response and recovery plan
A10

A10:2021 - Server-Side Request Forgery (SSRF)

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL, allowing an attacker to coerce the application to send crafted requests to unexpected destinations.

Common Issues

  • Internal service scanning via crafted URLs
  • File access through file:// protocol
  • Cloud metadata endpoint access (e.g., 169.254.169.254)
  • Port scanning internal networks from the server

Prevention

  • Sanitize and validate all client-supplied input data
  • Enforce URL schema, port, and destination with an allow list
  • Segment remote resource access in separate networks
  • Disable HTTP redirections