OWASP Top 10 (2021)
The most critical web application security risks, published by the Open Web Application Security Project.
The List
A01 — Broken Access Control
Users can act outside their intended permissions.
Examples:
- Accessing another user's account by modifying the URL
- Viewing/editing someone else's data (IDOR)
- Missing function-level access control
- CORS misconfiguration allowing unauthorized API access
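The IDOR and function-level cases above come down to one missing check: the server looks up the object by the id in the request without confirming the caller may act on it. The following is an added example, not from the OWASP page, showing an object-level ownership check and a role check in a small in-memory store; the document ids, usernames and `admin` role are constructed values.

```python
# Added example: object-level and function-level access control (A01).
# The data store, users and roles below are constructed for illustration.

class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# Constructed sample data: documents keyed by id, each with an owner.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's private notes"},
    102: {"owner": "bob", "body": "bob's private notes"},
}

# Constructed role table; a real app would load this from its identity provider.
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


def get_document_vulnerable(doc_id):
    # IDOR: any authenticated caller can read any id they guess or enumerate.
    return DOCUMENTS[doc_id]["body"]


def get_document(current_user, doc_id):
    # Object-level check: the record must exist AND belong to the caller.
    # Missing and foreign documents get the same error, so the endpoint
    # does not become an oracle for which ids exist.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise Forbidden(f"{current_user} may not read document {doc_id}")
    return doc["body"]


def require_role(role):
    """Function-level check: decorated function runs only for callers holding `role`."""
    def decorator(func):
        def wrapper(current_user, *args, **kwargs):
            if role not in ROLES.get(current_user, set()):
                raise Forbidden(f"{current_user} lacks role {role!r}")
            return func(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_document(current_user, doc_id):
    # Server-side enforcement; hiding the delete button in the UI is not a control.
    return DOCUMENTS.pop(doc_id, None) is not None


def can_read(current_user, doc_id):
    """Convenience predicate for tests and templates: True only if get_document would succeed."""
    try:
        get_document(current_user, doc_id)
        return True
    except Forbidden:
        return False
```

The decisive difference is that `get_document` derives the authorization decision from the server-side record's owner and the authenticated principal, never from anything the client sent besides the id itself.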
A02 — Cryptographic Failures
Sensitive data exposed due to weak or missing encryption.
Examples:
- Passwords stored in plaintext or with weak hashing (MD5/SHA1)
- Data transmitted over HTTP instead of HTTPS
- Weak cipher suites in use
- Hardcoded secrets in source code
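To make the first bullet concrete, here is an added example (not from the OWASP page) contrasting unsalted MD5 with a salted, deliberately slow password hash. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and storage format are assumptions chosen for the example, not values the page specifies.

```python
# Added example: weak versus acceptable password storage (A02).
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the page): a high iteration
# count makes offline guessing expensive; 16 random salt bytes defeat
# precomputed tables and make identical passwords hash differently.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    # What A02 warns against: fast, unsalted, and identical for identical passwords.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        # compare_digest avoids leaking how many leading bytes matched.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        # Malformed record: fail closed rather than raise into the login path.
        return False
```

Because the record carries its own iteration count, the cost can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table.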
A03 — Injection
Untrusted data sent to an interpreter as a command or query.
Types: SQL, NoSQL, OS command, LDAP, XPath injection
Example: ' OR '1'='1 (SQL injection)
Prevention: Parameterized queries, input validation, WAF
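The following added example (not from the OWASP page) runs the `' OR '1'='1` payload above against an in-memory SQLite table twice: once through string concatenation, once through a parameterized query, alongside a simple allowlist validator for the username field. The table, rows and username rules are constructed for the example.

```python
# Added example: SQL injection via concatenation versus parameterized queries (A03).
import re
import sqlite3

# Constructed input rule: usernames are short, lowercase alphanumerics/underscores.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    # The untrusted value is spliced into the statement text, so the SQL
    # parser sees it as part of the query: "' OR '1'='1" turns the WHERE
    # clause into a tautology and the statement returns every row.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized: the driver passes the value separately from the
    # statement; it is compared as data and never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    # Defence in depth: reject input that cannot be a legitimate username
    # before it reaches any interpreter. This supplements, never replaces,
    # parameterization.
    return USERNAME_RE.match(username) is not None
```

Run `vulnerable_lookup(make_db(), "' OR '1'='1")` and both users come back; `safe_lookup` with the same input returns no rows because no username literally equals that string.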
A04 — Insecure Design
Missing or ineffective security controls at the design level.
Focus: Threat modeling, secure design patterns
- Cannot be fixed by implementation alone
- Requires security requirements from the start
A05 — Security Misconfiguration
Insecure default configs, incomplete setups, open cloud storage.
Examples:
- Default credentials not changed
- Verbose error messages exposing stack traces
- Unnecessary features/ports/services enabled
- Missing security headers
A06 — Vulnerable and Outdated Components
Using components with known vulnerabilities.
Risk: Libraries, frameworks, and dependencies with CVEs
Tools: OWASP Dependency-Check, Snyk, npm audit
Prevention: Keep inventory, patch regularly, monitor CVEs
A07 — Identification and Authentication Failures
Weaknesses in authentication and session management.
Examples:
- No brute-force protection
- Weak/default passwords allowed
- Session IDs exposed in URL
- Missing MFA on sensitive accounts
A08 — Software and Data Integrity Failures
Code and infrastructure that doesn’t protect against integrity violations.
Examples:
- Auto-updates without integrity checks
- Insecure deserialization
- Using untrusted CDN/plugins without SRI hashes
- CI/CD pipeline with insufficient access controls
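The third bullet refers to Subresource Integrity, where the page embeds a hash of the script it expects and the browser refuses a CDN response that does not match. The following is an added example (not from the OWASP page) that computes an SRI value, renders the tag, and verifies a fetched body against an `integrity` attribute using the browser's rule that only the strongest listed algorithm counts. The script body and CDN URL are constructed.

```python
# Added example: computing and verifying Subresource Integrity hashes (A08).
import base64
import hashlib
import hmac

SRI_ALGOS = {"sha256", "sha384", "sha512"}
# Strength ranking from the SRI spec: when several hashes are listed, only
# those of the strongest algorithm are consulted.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def compute_sri(body: bytes, algo: str = "sha384") -> str:
    """Return '<algo>-<base64 digest>' for the exact bytes that will be served."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Render a script tag pinned to `body`; crossorigin is required for cross-origin SRI."""
    return f'<script src="{src}" integrity="{compute_sri(body)}" crossorigin="anonymous"></script>'


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check `body` against a (possibly multi-valued) integrity attribute.

    Unlike a browser, which treats an attribute with no recognisable hashes as
    'no integrity check', this verifier fails closed.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if sep and algo in SRI_ALGOS:
            # Anything after '?' is an option string and is ignored.
            parsed.append((algo, rest.split("?", 1)[0]))
    if not parsed:
        return False
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    for algo, expected_b64 in parsed:
        if STRENGTH[algo] != strongest:
            continue
        actual_b64 = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        # Compare as bytes so a non-ASCII attacker value cannot raise from compare_digest.
        if hmac.compare_digest(actual_b64.encode("ascii"), expected_b64.encode("utf-8", "replace")):
            return True
    return False
```

The same pattern, hash the artifact at build time and verify before use, is what the other bullets ask for: an auto-updater should check a signature or pinned digest over the downloaded package before unpacking it, and a pipeline should verify what it pulls, not just what it publishes.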
A09 — Security Logging and Monitoring Failures
Insufficient logging to detect and respond to breaches.
Missing:
- Login failures and access control failures
- High-value transaction logs
- Alerting for suspicious activity
- Log integrity protection
A10 — Server-Side Request Forgery (SSRF)
The server fetches a remote resource from a URL supplied by the attacker, using its own network position and credentials.
Risk: Access internal services, cloud metadata endpoints
Example: http://169.254.169.254/latest/meta-data/ (AWS)
Prevention: Allowlist URLs, block internal IP ranges, disable HTTP redirects
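The three prevention items above can be expressed as one gate that every outbound fetch passes through. Here is an added example (not from the OWASP page): it enforces an HTTPS-only scheme, a hostname allowlist, and a check that the name resolves only to globally routable addresses, so the metadata endpoint and private ranges are rejected even when reached indirectly. The allowlisted host is an assumption for the example; the resolver is injectable so the logic can be exercised offline.

```python
# Added example: validating an outbound URL before the server fetches it (A10).
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy for this example: the feature may only talk to one partner API.
ALLOWED_HOSTS = {"api.partner.example"}
ALLOWED_SCHEMES = {"https"}


def resolve_all(hostname: str) -> set:
    """Real resolver: every A/AAAA address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_blocked_ip(ip_str: str) -> bool:
    """True for loopback, link-local (169.254/16, where cloud metadata lives),
    RFC 1918, multicast, reserved and otherwise non-global addresses."""
    ip = ipaddress.ip_address(ip_str)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be judged as the IPv4 it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_outbound_url(url: str, resolve=resolve_all) -> tuple:
    """Return (ok, reason). Every rejection names the rule that fired."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username or parsed.password:
        # user@host tricks some parsers into a different host than the fetcher uses.
        return False, "userinfo in URL not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if is_blocked_ip(addr):
            # Catches an allowlisted name that is (re)pointed at an internal address.
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"
```

Two operational notes: the fetch itself must be made with redirects disabled (the page's third prevention item), otherwise an allowlisted host can bounce the server to an internal address after this check has passed; and because DNS can change between this check and the connect, the strongest deployments also pin the connection to the validated address or run outbound traffic through an egress proxy that applies the same policy.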
Quick Reference
| ID | Risk | Key Fix |
|---|---|---|
| A01 | Broken Access Control | Enforce least privilege |
| A02 | Cryptographic Failures | Encrypt all sensitive data |
| A03 | Injection | Parameterized queries |
| A04 | Insecure Design | Threat modeling |
| A05 | Security Misconfiguration | Harden defaults |
| A06 | Outdated Components | Patch management |
| A07 | Auth Failures | MFA + strong session mgmt |
| A08 | Integrity Failures | Verify signatures/checksums |
| A09 | Logging Failures | Log and alert everything |
| A10 | SSRF | Allowlist outbound requests |
- Full details: https://owasp.org/Top10/