OWASP Top 10

The OWASP Top 10 is a widely recognized awareness document that ranks the most critical security risks currently facing web applications. Published by the Open Web Application Security Project (OWASP), it serves as a common starting point for developers, security professionals, and organizations to understand and prioritize their security efforts.

Each entry in the Top 10 names a category of weakness, describes how attackers exploit it, and outlines the potential impact on users and organizations. The 2021 edition reorganized the 2017 list: three categories are new (Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery), several were renamed or broadened (Sensitive Data Exposure became Cryptographic Failures, Cross-Site Scripting was folded into Injection, and XML External Entities was folded into Security Misconfiguration), and Broken Access Control moved from fifth place to first.

An overview of each of the ten risk categories follows:

  • A01:2021 – Broken Access Control: Flaws in authorization let attackers act as other users or admins, access or modify data, or invoke restricted functions through parameter tampering, IDOR, or forced browsing.

  • A02:2021 – Cryptographic Failures: Weak, missing, or misused cryptography exposes sensitive data in transit or at rest; attackers can intercept, read, or alter data because of missing or misconfigured TLS, deprecated algorithms and short keys, or poor key management.

  • A03:2021 – Injection: Untrusted input is treated as code or queries (SQL/NoSQL/OS command/LDAP, and, since 2021, cross-site scripting), enabling data exfiltration, corruption, or remote code execution.

  • A04:2021 – Insecure Design: Architectural and design flaws (e.g., missing threat modeling, lack of rate limits, insecure workflows) allow business logic abuse and other systemic attacks.

  • A05:2021 – Security Misconfiguration: Default settings, verbose errors, open cloud storage, overly permissive CORS, or unnecessary services give attackers easy paths to enumerate, pivot, or escalate.

  • A06:2021 – Vulnerable and Outdated Components: Using libraries, frameworks, or platforms with known CVEs or end-of-life versions lets attackers exploit published vulnerabilities.

  • A07:2021 – Identification and Authentication Failures: Weak auth and session handling (e.g., poor password policies, missing MFA, session fixation) enable credential stuffing and account takeover.

  • A08:2021 – Software and Data Integrity Failures: Unsigned or unverified code/updates and insecure CI/CD allow supply chain compromise; unsafe deserialization leads to tampering or code execution.

  • A09:2021 – Security Logging and Monitoring Failures: Insufficient logs, alerts, or incident response hinder detection and containment, letting attackers persist and cover tracks.

  • A10:2021 – Server-Side Request Forgery (SSRF): Applications that fetch URLs from user input can be tricked into making internal or privileged requests, exposing internal services or cloud metadata.
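As an added example, not part of the original page or of OWASP's own material, the Python script below places a vulnerable implementation next to a hardened one for three of the categories above: A01 (an IDOR on invoice ids), A03 (SQL injection through string-built queries) and A10 (a server-side fetch of a user-supplied URL). The users, invoices, passwords and allowed host names are constructed sample data, and `login_*`, `get_invoice_*` and `is_allowed_fetch_url` are hypothetical application functions, not an API of any real project.

```python
"""Added example (not from the original page): vulnerable and hardened
versions of three OWASP Top 10:2021 patterns (A01, A03, A10) on
constructed sample data."""
import sqlite3
from urllib.parse import urlparse

# --- constructed sample data -------------------------------------------------
# Plaintext passwords are used only to keep the A03 demo short; real code
# stores a salted hash (that is an A02 concern, not shown here).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
# Invoice id -> record; an A01 check must compare the owner to the caller.
SAMPLE_INVOICES = {101: {"owner": "alice", "total": 40},
                   102: {"owner": "bob", "total": 99}}
# A10: hosts the application is allowed to fetch from (hypothetical names).
ALLOWED_FETCH_HOSTS = {"images.example.com", "cdn.example.org"}


def make_db():
    """In-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     SAMPLE_USERS)
    conn.commit()
    return conn


# --- A03 Injection -----------------------------------------------------------
def login_vulnerable(conn, username, password):
    """Untrusted input is spliced into the SQL text, so it can rewrite the query."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterized query: the driver passes values separately from the SQL text."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- A01 Broken Access Control (IDOR) ----------------------------------------
def get_invoice_vulnerable(caller, invoice_id):
    """Looks up the record by the client-supplied id and never checks ownership."""
    return SAMPLE_INVOICES.get(invoice_id)


def get_invoice_fixed(caller, invoice_id):
    """Deny by default: return the record only if it belongs to the caller."""
    inv = SAMPLE_INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != caller:
        return None
    return inv


# --- A10 Server-Side Request Forgery -----------------------------------------
def is_allowed_fetch_url(url):
    """Allowlist check for a user-supplied URL before the server fetches it.

    Only http(s) to a listed host passes; loopback, link-local (cloud metadata
    at 169.254.169.254), other schemes and userinfo tricks are all rejected
    because the parsed host is not on the allowlist.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # https://allowed.host@evil.host/ style confusion
    return parts.hostname in ALLOWED_FETCH_HOSTS


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"          # '--' comments out the password check in SQLite
    print("A03 vulnerable:", login_vulnerable(db, payload, "wrong"))  # 1 (alice)
    print("A03 fixed:     ", login_fixed(db, payload, "wrong"))       # None
    print("A01 vulnerable:", get_invoice_vulnerable("alice", 102))    # bob's invoice
    print("A01 fixed:     ", get_invoice_fixed("alice", 102))         # None
    for u in ("https://images.example.com/a.png",
              "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd",
              "https://images.example.com@127.0.0.1/"):
        print("A10", u, "->", is_allowed_fetch_url(u))
```

The A10 check validates the URL string only. A hardened fetcher also has to disable or re-validate HTTP redirects and resolve DNS once, pinning the connection to the checked address, since a permitted host can otherwise redirect or re-resolve to an internal address after the check has passed.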

For the full description of each category, its CWE mappings, and the change log from the 2017 list, refer to the official OWASP Top 10 page (https://owasp.org/Top10/).
