# OWASP Top 10
## OWASP Top 10 (2021)

The ten most critical web application security risks, as ranked by OWASP in the 2021 edition of the list. Each entry is a category of weakness, not a single bug; the short descriptions below name the typical instances and the control that addresses them.
## The List

### A01: Broken Access Control

Users can act outside their intended permissions: reading or modifying another user's records by changing an identifier in the URL (Insecure Direct Object Reference, IDOR), reaching admin functions by guessing their path, or bypassing checks that exist only in the client. Authorization must be enforced server-side on every request, on the specific object being accessed, and deny by default.
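The IDOR pattern described above, as an added Python example that is not part of the OWASP page. The in-memory profile store, the user records and the `Forbidden` error type are constructed for the demo; `get_profile_vulnerable` trusts the id from the URL, `get_profile_fixed` checks that the record's owner is the authenticated principal.

```python
# Added example (not from the OWASP page): an IDOR-style access-control bug and its fix.
# The "database", users and roles below are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class User:
    id: int
    role: str  # "user" or "admin"

# Constructed data store: profile id -> record. owner_id is the attribute authorization keys on.
PROFILES: Dict[int, dict] = {
    123: {"owner_id": 123, "email": "alice@example.com"},
    456: {"owner_id": 456, "email": "bob@example.com"},
}

class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""

def get_profile_vulnerable(current_user: User, profile_id: int) -> dict:
    """Broken access control: the handler authenticates the caller but never checks
    that the object in the URL belongs to them, so user 456 can read /api/users/123/profile."""
    return PROFILES[profile_id]

def get_profile_fixed(current_user: User, profile_id: int) -> dict:
    """Object-level authorization on the server: the record's owner must match the
    authenticated principal, or the caller must hold the admin role."""
    profile = PROFILES.get(profile_id)
    # Same error for "does not exist" and "not yours", so the id space cannot be enumerated.
    if profile is None:
        raise Forbidden("no access to profile")
    if profile["owner_id"] != current_user.id and current_user.role != "admin":
        raise Forbidden("no access to profile")
    return profile

def can_read(handler: Callable[[User, int], dict], current_user: User, profile_id: int) -> bool:
    """True if the handler returns the record, False if it refuses (used by the demo)."""
    try:
        handler(current_user, profile_id)
        return True
    except (Forbidden, KeyError):
        return False

if __name__ == "__main__":
    bob = User(id=456, role="user")
    print("vulnerable handler lets bob read 123:", can_read(get_profile_vulnerable, bob, 123))
    print("fixed handler lets bob read 123:", can_read(get_profile_fixed, bob, 123))
```

The check lives next to the data access, not in a router or a front-end, so every code path that can reach the record goes through it.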
```http
# Example: IDOR
GET /api/users/123/profile   ← authenticated as user 456, and the server returns 123's data
```

### A02: Cryptographic Failures

Weak or misused cryptography, or none at all: sensitive data sent or stored in cleartext, obsolete algorithms (MD5, SHA-1, DES, RC4) still in use, hard-coded or reused keys, passwords stored with fast unsalted hashes, TLS configurations that permit downgrade. Classify the data first, encrypt it in transit and at rest with current algorithms, and store passwords with a salted, deliberately slow hash such as Argon2id, scrypt, bcrypt or PBKDF2.
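The password-storage case from this item, as an added Python example that is not part of the OWASP page: an unsalted MD5 hash beside a salted PBKDF2-HMAC-SHA256 hash with a stored work factor and constant-time verification. Only the standard library is used; the storage string format and the function names are this example's own choices. Where a library is available, Argon2id or scrypt is the better choice; PBKDF2 is shown because it ships with Python.

```python
# Added example (not from the OWASP page): unsalted fast hashing vs a salted, slow KDF.
# Passwords used in the demo are constructed.
import base64
import hashlib
import hmac
import os
from typing import Optional

def hash_password_weak(password: str) -> str:
    """Cryptographic failure: unsalted MD5. Equal passwords give equal hashes, and MD5 is
    fast enough that GPU brute force and precomputed tables recover them cheaply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is the OWASP Password Storage Cheat Sheet
# minimum; raise it as hardware gets faster. Stored with each hash so it can change later.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.
    Format (this example's own): pbkdf2_sha256$<iterations>$<base64 salt>$<base64 key>"""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              int(iterations), dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(key, expected)

if __name__ == "__main__":
    print("weak, same input twice:", hash_password_weak("hunter2") == hash_password_weak("hunter2"))
    stored = hash_password("hunter2")
    print("stored:", stored)
    print("verify correct:", verify_password("hunter2", stored))
    print("verify wrong:", verify_password("hunter3", stored))
```

Because the salt and iteration count travel with the hash, old records keep verifying after the work factor is raised, and can be re-hashed transparently on the user's next successful login.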
### A03: Injection

User-supplied data is handed to an interpreter as part of a command or query: SQL, NoSQL, OS commands, LDAP, expression languages, and (merged into this category in 2021) Cross-Site Scripting. The fix is to keep data and code separate: parameterized queries and safe APIs on the server, context-aware output encoding in the browser, and input validation as a secondary layer only.
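The SQL injection case, as an added Python example that is not part of the OWASP page: the same `' OR '1'='1` payload sent to a handler that builds its query from a string and to one that binds the value as a parameter. The in-memory SQLite table and its three rows are constructed for the demo.

```python
# Added example (not from the OWASP page): string-built query vs parameterized query.
# The users table and its rows are constructed.
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """Injection: the request parameter is pasted into the SQL text, so a value such as
    2' OR '1'='1  closes the quoted literal and appends a condition that is always true."""
    query = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()

def find_user_fixed(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """Parameterized query: the driver sends the value separately from the statement,
    so it is only ever compared as data and never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "2' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row comes back
    print("fixed:     ", find_user_fixed(conn, payload))       # no row matches that literal
```

The legitimate input `2` returns bob from both handlers; only the attacker's input behaves differently, which is why this bug survives ordinary functional testing.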
```sql
-- SQL Injection example: the injected  ' OR '1'='1  makes the WHERE clause true for every row
SELECT * FROM users WHERE id = '1' OR '1'='1'
```

### A04: Insecure Design

Weaknesses in the architecture or business logic rather than mistakes made while coding: no rate limit on a password-recovery flow, security questions as the only factor, trusting state kept on the client, no threat model at all. A flawless implementation of an insecure design is still insecure, so the control is threat modeling and secure design patterns before code is written, not more testing afterwards.
### A05: Security Misconfiguration

Insecure defaults and configuration drift across servers, frameworks and cloud services: default accounts and passwords, unnecessary features, ports or sample applications left enabled, verbose error pages leaking stack traces, missing security headers, world-readable storage buckets, over-permissive IAM policies or CORS. Define a hardened baseline, apply it repeatably, and verify it automatically.
### A06: Vulnerable and Outdated Components

Using libraries, frameworks or runtimes with known vulnerabilities, or not knowing which versions you run at all. Keep an inventory of components (client and server side, including transitive dependencies), watch the advisories for them, and patch, upgrade or remove anything unsupported.
### A07: Identification and Authentication Failures

Weak or missing verification of who the user is: default or weak passwords permitted, credential stuffing and brute force not slowed by rate limiting or MFA, session identifiers exposed in URLs, not rotated after login (session fixation), or never expired. Controls are MFA, checks against known-breached passwords, throttling and logging of failed attempts, and a server-side session manager that issues a fresh random session id on login.
### A08: Software & Data Integrity Failures

Code and infrastructure that do not protect against integrity violations: updates, plugins or packages installed without signature verification, CI/CD pipelines that pull unverified dependencies or let untrusted parties change build steps, and deserialization of untrusted data. Verify signatures on software you install, pin and verify dependencies, restrict who can change the pipeline, and do not deserialize data from untrusted sources.
### A09: Security Logging and Monitoring Failures

Logins, failed logins and high-value transactions are not logged, logs stay on the host that produced them, or nobody alerts on them, so breaches go undetected for months. Log security events with enough context to act on (timestamp, actor, source address, action, outcome), ship them to a central system the attacker cannot edit, and build detections and a response plan around them.
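A detection that only works when the fields above are logged, as an added Python example that is not part of the OWASP page. The log lines, addresses and usernames are constructed; the line format, the spraying threshold and the function names are this example's own assumptions.

```python
# Added example (not from the OWASP page): spotting password spraying in authentication logs.
# Sample lines and addresses are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List

# Constructed sample: one source tries five different accounts within seconds and then
# succeeds on the fifth; a second source has two slow failures against one account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth login outcome=fail user=alice src=203.0.113.7
2024-05-01T10:00:02Z auth login outcome=fail user=bob src=203.0.113.7
2024-05-01T10:00:03Z auth login outcome=fail user=carol src=203.0.113.7
2024-05-01T10:00:04Z auth login outcome=fail user=dave src=203.0.113.7
2024-05-01T10:00:05Z auth login outcome=fail user=erin src=203.0.113.7
2024-05-01T10:00:06Z auth login outcome=success user=erin src=203.0.113.7
2024-05-01T10:00:07Z auth login outcome=fail user=alice src=198.51.100.9
2024-05-01T10:30:00Z auth login outcome=fail user=alice src=198.51.100.9
"""

# Assumed line format: every event carries timestamp, action, outcome, actor and source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login outcome=(?P<outcome>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(log_text: str) -> Iterator[dict]:
    """Yield structured events; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def detect_password_spraying(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Flag sources that fail logins for >= threshold distinct users inside `window`.
    Returns {src_ip: sorted usernames targeted}."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for ev in parse_events(log_text):
        if ev["outcome"] == "fail":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    alerts: Dict[str, List[str]] = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the time-ordered failures
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= threshold:
                alerts[src] = sorted(users)
                break
    return alerts

def successes_from_flagged(log_text: str, alerts: Dict[str, List[str]]) -> List[str]:
    """Accounts that a flagged source also logged into successfully: reset these first."""
    return sorted({f"{ev['user']}@{ev['src']}" for ev in parse_events(log_text)
                   if ev["outcome"] == "success" and ev["src"] in alerts})

if __name__ == "__main__":
    found = detect_password_spraying(SAMPLE_LOG)
    print("spraying sources:", found)
    print("compromised accounts to reset:", successes_from_flagged(SAMPLE_LOG, found))
```

Without the `src` and `user` fields, or without the failed attempts being logged at all, neither the pattern nor the follow-on success would be visible; that is the failure this item describes.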
### A10: Server-Side Request Forgery (SSRF)

The application fetches a resource from a user-supplied URL without validating the destination, so an attacker makes the server issue requests on their behalf: to internal services behind the firewall, to localhost, or to cloud instance metadata endpoints (169.254.169.254) that hand out credentials. Allow-list the destinations you expect, resolve the hostname and reject private, loopback and link-local address ranges, restrict schemes to http/https, disable redirects, and segment the fetching service's network.
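The destination check from this item, as an added Python example that is not part of the OWASP page. It parses the URL, resolves the host, and rejects anything that does not resolve to a public address. So that it runs offline, a constructed hostname table stands in for DNS; the names and addresses in it, and the function names, are this example's own.

```python
# Added example (not from the OWASP page): validating a user-supplied URL before the
# server fetches it. The resolver table replaces DNS; all entries are constructed.
import ipaddress
from typing import Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed resolver table (hostname -> IP) instead of a real DNS lookup.
FAKE_DNS = {
    "images.example.com": "93.184.216.34",  # public address
    "internal-wiki.corp": "10.0.0.5",       # RFC 1918, reachable only from inside
    "localtest.me": "127.0.0.1",            # public name that resolves to loopback
}

class BlockedUrl(ValueError):
    """Raised for any URL the fetcher must refuse."""

def resolve(host: str) -> IPAddress:
    """Accept a literal IP address or look the name up in the constructed table.
    Anything else, including bypass spellings such as 0x7f000001 or 2130706433 that
    ipaddress rejects, is treated as unresolvable and therefore blocked (fail closed)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host in FAKE_DNS:
        return ipaddress.ip_address(FAKE_DNS[host])
    raise BlockedUrl(f"cannot resolve {host!r}")

def validate_outbound_url(url: str) -> str:
    """Return the IP address the fetcher may connect to, or raise BlockedUrl.
    Connect to the returned address (sending the Host header from the URL) instead of
    re-resolving the name, so DNS rebinding between check and use cannot redirect the request."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedUrl("only http/https are allowed")  # no file://, gopher://, ftp://
    if not parts.hostname:
        raise BlockedUrl("missing host")
    if parts.username or parts.password:
        raise BlockedUrl("credentials in URL are not allowed")
    addr = resolve(parts.hostname)
    # is_global is False for loopback, RFC 1918, link-local (which includes the cloud
    # metadata address 169.254.169.254), shared address space, reserved and unspecified ranges.
    if not addr.is_global:
        raise BlockedUrl(f"{addr} is not a public address")
    return str(addr)

def is_safe_url(url: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_outbound_url(url)
        return True
    except BlockedUrl:
        return False

if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://localtest.me/admin",
              "http://[::1]:8080/"):
        print(u, "->", "allowed" if is_safe_url(u) else "blocked")
```

An address check alone is not enough in production: the HTTP client must also refuse to follow redirects (or re-run this check on every hop), and the fetching service should sit in a network segment with no route to internal services, so a bypass of the validator still reaches nothing.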