The OWASP Top 10

The OWASP Top 10 is the most widely recognised document for web application security awareness. Published by the Open Web Application Security Project (OWASP), it represents a broad consensus about the most critical security risks to web applications.

---

What is OWASP?

OWASP is a nonprofit foundation dedicated to improving the security of software. It provides:

• Free, open resources — documentation, tools, and training
• Community-driven projects — maintained by volunteers worldwide
• Vendor-neutral guidance — not tied to any specific product or technology

The OWASP Top 10 is updated periodically based on data collected from hundreds of organisations and analysis of real-world vulnerabilities.

---

The OWASP Top 10 (2021 Edition)

Rank	Category	Description
A01	Broken Access Control	Users act outside their intended permissions
A02	Cryptographic Failures	Failures related to cryptography that expose sensitive data
A03	Injection	Hostile data sent to an interpreter as part of a command or query
A04	Insecure Design	Missing or ineffective security controls in the design phase
A05	Security Misconfiguration	Insecure default configurations, incomplete setups, open cloud storage
A06	Vulnerable and Outdated Components	Using components with known vulnerabilities
A07	Identification and Authentication Failures	Weaknesses in authentication and session management
A08	Software and Data Integrity Failures	Code and infrastructure that does not protect against integrity violations
A09	Security Logging and Monitoring Failures	Insufficient logging, detection, and response
A10	Server-Side Request Forgery (SSRF)	Web application fetches a remote resource without validating the URL

---

A01: Broken Access Control

Broken Access Control moved from fifth place to the number one spot in 2021. It occurs when users can act outside their intended permissions:

• Accessing other users' accounts by modifying a URL parameter
• Elevating privileges from a regular user to an administrator
• Viewing or modifying records that belong to another user (IDOR — Insecure Direct Object Reference)

Example — Insecure Direct Object Reference:

# Attacker changes the account ID in the URL
GET /api/accounts/12345/transactions
# to
GET /api/accounts/67890/transactions

If the server does not verify that the authenticated user owns account 67890, the attacker can view someone else's transactions.

Prevention:

• Deny access by default — require explicit grants
• Implement server-side access control checks on every request
• Use indirect object references (map user-facing IDs to internal IDs)
• Log and alert on access control failures

---

A02: Cryptographic Failures

Previously called "Sensitive Data Exposure," this category focuses on failures related to cryptography:

• Transmitting data in cleartext (HTTP instead of HTTPS)
• Using weak or deprecated algorithms (MD5, SHA-1, DES)
• Hard-coding encryption keys in source code
• Not encrypting sensitive data at rest

Prevention:

• Use TLS 1.2+ for all data in transit
• Encrypt sensitive data at rest using AES-256 or equivalent
• Use strong, current algorithms and key management practices
• Do not store sensitive data unnecessarily

---

A03: Injection

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection remains the most common, but NoSQL, OS command, and LDAP injection are also prevalent.

Example — SQL Injection:

-- User input: ' OR '1'='1' --
SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = 'anything'
-- This returns all users because '1'='1' is always true

Prevention:

• Use parameterised queries (prepared statements) for all database interactions
• Use an ORM that automatically parameterises queries
• Validate and sanitise all user inputs
• Apply least privilege to database accounts

---

A04: Insecure Design

This is a new category in 2021 that focuses on risks related to design and architectural flaws. Unlike implementation bugs, insecure design cannot be fixed by a perfect implementation — the design itself is flawed.

Examples:

• A password recovery flow that relies on knowledge-based questions easily found on social media
• An e-commerce system that does not apply rate limiting to coupon redemption
• A cinema booking system with no limit on the number of seats a single user can reserve

Prevention: