OWASP Top 10
The OWASP Top 10 is a regularly updated list of the ten most critical security risks for web applications, published by the Open Web Application Security Project Foundation.
The OWASP Top 10 is the most widely recognized reference document for web application security. The Open Web Application Security Project (OWASP) publishes an updated list of the most critical vulnerability categories every 3–4 years—based on real-world data from thousands of web application penetration tests.
Every reputable compliance requirement addressing web security—PCI DSS, BSI IT-Grundschutz APP.3.1, ISO 27001 A.8.28—references the OWASP Top 10.
OWASP Top 10 (2021, still current)
| # | Category | Typical Attack Vector |
|---|---|---|
| A01 | Broken Access Control | User accesses other users' resources (IDOR) |
| A02 | Cryptographic Failures | Weak password hashes (SHA1 without salt), no TLS |
| A03 | Injection | SQL injection, NoSQL injection, LDAP injection, OS command injection |
| A04 | Insecure Design | Security requirements missing already at the design stage, so no implementation can compensate |
| A05 | Security Misconfiguration | Default passwords, open cloud storage, unpatched systems |
| A06 | Vulnerable Components | Log4Shell (log4j), known CVEs in libraries and frameworks |
| A07 | Authentication Failures | Brute-force attacks, weak passwords, lack of MFA |
| A08 | Software/Data Integrity | Insecure CI/CD pipelines, auto-updates without signature verification |
| A09 | Security Logging Failures | Lack of logging for security events |
| A10 | SSRF | Server-Side Request Forgery: the server is tricked into sending requests to internal targets on the attacker's behalf |
The Most Common Vulnerabilities in Detail
A01: Broken Access Control
The most common vulnerability in modern web applications. Users can access resources or functions for which they have no authorization (Insecure Direct Object Reference - IDOR).
Example: Calling /api/documents/12345 instead of /api/documents/12346 returns another user’s document because no ownership check is performed.
Protection: Every API request must verify whether the logged-in user is authorized to access the requested resource—not just whether they are logged in.
A03: Injection
User input is embedded into interpreter commands without sufficient validation.
Classic SQL Injection:
URL: /user?id=1' OR '1'='1
→ Returns all users—no password required
Protection: Prepared statements (parameterized queries), no string concatenation for SQL queries.
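The A01 and A03 examples above, side by side with their fixes, as an added example that is not part of the original page: the database, table names and the two users are constructed here for illustration; the document IDs and the injection payload are the ones the text uses. It runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data (not from the page): two users, each owning one document.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(12345, 1, "alice's report"), (12346, 2, "bob's report")])
    return db

# A03, vulnerable: the id parameter is concatenated into the SQL text, so the
# page's payload  1' OR '1'='1  turns the WHERE clause into a tautology and
# every user row comes back.
def user_by_id_concat(db, raw_id):
    sql = "SELECT name FROM users WHERE id = '" + raw_id + "'"
    return [row[0] for row in db.execute(sql)]

# A03, fixed: a prepared (parameterized) statement. The payload is bound as a
# single literal value and compared against the id column, so it matches nothing.
def user_by_id_param(db, raw_id):
    return [row[0] for row in db.execute("SELECT name FROM users WHERE id = ?", (raw_id,))]

# A01, vulnerable: the document is looked up by id only; being logged in is
# enough to read any document (IDOR). requesting_user is ignored.
def document_no_owner_check(db, requesting_user, doc_id):
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None

# A01, fixed: the ownership check is part of the lookup itself, so a document
# that belongs to someone else is indistinguishable from one that does not exist.
def document_with_owner_check(db, requesting_user, doc_id):
    row = db.execute("SELECT body FROM documents WHERE id = ? AND owner_id = ?",
                     (doc_id, requesting_user)).fetchone()
    return row[0] if row else None
```

Putting the ownership condition into the query, rather than fetching first and checking afterwards, also avoids leaking through timing or error messages that the other user's document exists.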
A07: Authentication Failures
Missing or weak authentication—brute force, weak passwords, missing rate limits, no MFA.
Protection: MFA for all accounts, account lockout after failed attempts, strong password policies.
Practical Implications
- Penetration Testing: Every professional web application penetration test covers all OWASP Top 10 categories
- SDLC: Development teams should integrate the OWASP Top 10 as a minimum requirement into the Secure Development Lifecycle
- WAF: Web Application Firewalls (WAF) provide basic protection against known OWASP Top 10 attacks—but they do not replace secure development
- Training: OWASP offers free learning resources (WebGoat, Juice Shop) for developer training
Supplementary OWASP Lists:
- OWASP API Security Top 10 (for REST/GraphQL APIs)
- OWASP Mobile Top 10 (for mobile applications)
Detailed guide: OWASP Top 10 2025 with code examples