OWASP Top 10: critical web vulnerabilities

OWASP Top 10: critical web application vulnerabilities

The OWASP Top 10 is a standard awareness document published by the Open Web Application Security Project (OWASP) that identifies the ten most critical security risks for web applications. Updated every three to four years based on real-world incident data and community input, the current edition is OWASP Top 10 2021. It is widely referenced by PCI-DSS, ISO 27001, and sector-specific security frameworks as the minimum baseline for secure application development.

What is the OWASP Top 10?

OWASP is a nonprofit foundation dedicated to improving software security through free, open resources. The Top 10 project is its most widely used output, providing development teams, security engineers, and auditors with a common language for the most critical application security risks. Implementing controls that address the OWASP Top 10 is a prerequisite for any mature application security program. The 2021 list reorganized previous categories and introduced three new ones: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery (SSRF).

The 10 critical vulnerabilities (OWASP 2021)

Each category below represents a class of security weaknesses observed across thousands of real applications. For each one, the description covers what it is, how it manifests, and the primary technical controls to mitigate it.

A01 — Broken Access Control

Broken Access Control moved to the top position in 2021, reflecting how frequently authorization flaws lead to breaches. It occurs when users can access resources or perform actions beyond their intended permissions — reading another user's data, modifying records they don't own, or executing privileged operations. Mitigation requires enforcing the principle of least privilege, validating access rights server-side on every request, and never relying on client-side controls for authorization decisions.
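Added example, not code from the original article: an object-level authorization check decided server-side from the authenticated identity, next to the broken version that trusts the record id alone. The users, roles and invoice records are constructed.

```python
# Added example (not from the original article): object-level authorization
# decided server-side from the authenticated identity, next to the broken
# version that trusts the record id alone. Users and invoices are constructed.
from dataclasses import dataclass


class Forbidden(Exception):
    """Maps to HTTP 403 (or 404 when hiding existence) in a real handler."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed data store: invoice id -> {"owner": user_id, "amount": ...}
INVOICES = {
    101: {"owner": 1, "amount": 250.0},
    102: {"owner": 2, "amount": 980.0},
}


def get_invoice_vulnerable(invoice_id: int) -> dict:
    """Broken access control (IDOR): any authenticated caller who changes the
    id in the URL gets another user's invoice; nobody checks who is asking."""
    return INVOICES[invoice_id]


def can_access_invoice(current_user: User, invoice_id: int) -> bool:
    """Deny by default; allow only the owner or an admin. The identity comes
    from the server-side session, never from a parameter the client controls."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    return current_user.role == "admin" or record["owner"] == current_user.user_id


def get_invoice(current_user: User, invoice_id: int) -> dict:
    """Hardened handler: the check runs on every request, before data leaves."""
    if not can_access_invoice(current_user, invoice_id):
        # Same response for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("invoice not available")
    return INVOICES[invoice_id]
```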

A02 — Cryptographic Failures

Cryptographic failures cover the misuse or absence of encryption to protect sensitive data in transit and at rest. Common examples include transmitting data over HTTP instead of HTTPS, storing passwords in plain text, and using outdated algorithms such as MD5 or SHA-1. Mitigation requires enforcing TLS 1.2 or higher, adopting modern encryption standards (AES-256, RSA-2048), and using secure password hashing functions like bcrypt or Argon2.

A03 — Injection

Injection flaws — SQL, NoSQL, LDAP, OS command, and others — occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection remains the most critical variant, allowing attackers to read, modify, or delete database content. Mitigation requires using parameterized queries (prepared statements) for all database interactions, validating and sanitizing all user input, and applying least privilege to database accounts.
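Added example, not code from the original article: the same user lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite database seeded with constructed rows, so the difference in behaviour on the textbook tautology input is visible.

```python
# Added example (not from the original article): one lookup written two ways,
# run against an in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the SQL text, so it becomes part of the
    command the interpreter runs: a quote in `name` changes the WHERE clause."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound separately and can never change
    the structure of the statement, whatever characters it contains."""
    sql = "SELECT id, name FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()
```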

A04 — Insecure Design

Insecure Design, new in the 2021 list, captures security weaknesses rooted in architectural and design decisions rather than implementation bugs. A system can have technically correct code and still be fundamentally insecure if the design lacks the right threat model. Mitigation involves performing threat modeling during the design phase, adopting established secure design patterns, and conducting architecture reviews with security teams before the build phase begins.

A05 — Security Misconfiguration

Security misconfiguration is one of the most prevalent issues across cloud environments, servers, and applications. Examples include unnecessary open ports, excessive permissions, default credentials left active, and error messages that disclose internal stack traces. Mitigation requires automating configuration validation against security benchmarks (such as CIS Benchmarks), applying hardening standards consistently across environments, and disabling all unused features and services.

A06 — Vulnerable and Outdated Components

Modern applications depend on dozens of third-party libraries, frameworks, and open-source packages that may contain known vulnerabilities. Using an outdated version of a popular library exposes the application to public exploits. Mitigation requires maintaining a complete software bill of materials (SBOM), integrating software composition analysis (SCA) into the CI/CD pipeline, and applying patches promptly after their release. A continuous vulnerability detection process ensures outdated components are identified before attackers can exploit them.

A07 — Identification and Authentication Failures

Authentication failures allow attackers to compromise passwords, session tokens, or API credentials. Common weaknesses include brute-force susceptibility, sessions that never expire, and insecure credential storage. Mitigation includes enforcing multi-factor authentication (MFA), rate-limiting login attempts, using short-lived session tokens with secure attributes, and storing passwords exclusively with secure hashing algorithms.
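Added example, not code from the original article, serving both the password-hashing point in A02 and the credential-storage and session-token points in A07: salted, memory-hard password hashing with scrypt from the Python standard library (standing in for the bcrypt or Argon2 the text recommends) and short-lived session tokens stored only as hashes. The work factors, TTL and sample credentials are constructed.

```python
# Added example (not from the original article) for A02 and A07: password
# storage with a salted, memory-hard hash and short-lived session tokens.
# scrypt stands in for the bcrypt/Argon2 the text recommends; the parameters
# and sample credentials are constructed.
import hashlib
import hmac
import os
import secrets
import time

# scrypt work factors: n is the CPU/memory cost, tune upward as hardware allows.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
SESSION_TTL_S = 15 * 60  # short-lived sessions; refresh rather than extend


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt-hex>$<hash-hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # unknown or legacy format: never fall back to plaintext
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[1]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(parts[2]))


# Session store keeps only a hash of each token, so a leaked store does not
# yield usable tokens. Maps sha256(token) -> (user_id, expires_at).
SESSIONS = {}


def issue_session(user_id: int, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + SESSION_TTL_S)
    return token


def session_user(token: str, now=None):
    """Return the user id for a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or now >= entry[1]:
        return None
    return entry[0]
```

When the token is sent as a cookie, pair this with the Secure, HttpOnly and SameSite attributes the text refers to; the server-side expiry here is what bounds a stolen token's useful life.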

A08 — Software and Data Integrity Failures

This category, new in 2021, covers insecure deserialization and software supply chain attacks. If an attacker compromises a build pipeline or a public package registry, malicious code can be automatically distributed to all users of the affected library. Mitigation includes verifying the integrity of all dependencies using cryptographic hashes, signing build artifacts, using private package registries where possible, and implementing CI/CD pipeline security controls.
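Added example, not code from the original article: checking fetched dependency bytes against hashes pinned in a lock file before anything is installed, rejecting weak or unpinned entries instead of silently accepting them. The pin format (`algo:hexdigest`, the style `pip --hash` uses), the lock entries and the package bytes are constructed.

```python
# Added example (not from the original article): verify fetched artifacts
# against pinned hashes before install. Lock entries and bytes are constructed.
import hashlib
import hmac

ALLOWED_ALGOS = {"sha256", "sha512"}  # an md5/sha1 pin is a failure, not a pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, pin: str) -> bool:
    """pin has the form '<algo>:<hexdigest>'. Unknown or weak algorithms fail."""
    algo, sep, expected = pin.partition(":")
    if sep != ":" or algo not in ALLOWED_ALGOS:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


def check_lockfile(lock: dict, fetched: dict) -> list:
    """lock: name -> pin; fetched: name -> bytes actually downloaded.
    Returns the names that must NOT be installed: hash mismatch, a pinned
    artifact that was not fetched, or a fetched artifact with no pin at all."""
    problems = [
        name for name, pin in lock.items()
        if fetched.get(name) is None or not verify_artifact(fetched[name], pin)
    ]
    problems.extend(set(fetched) - set(lock))  # unpinned extras are rejected too
    return sorted(problems)


# Constructed sample: the pin is what a lock file would have recorded from the
# trusted copy at the time the dependency was reviewed.
SAMPLE_PACKAGE = b"constructed package contents v1.2.3"
SAMPLE_LOCK = {"examplepkg": "sha256:" + sha256_hex(SAMPLE_PACKAGE)}
```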

A09 — Security Logging and Monitoring Failures

Without adequate logging and real-time alerting, attackers can operate undetected for weeks or months. This category covers the absence of security event logs, logs that are not monitored, and missing alerts for anomalous patterns. Mitigation requires implementing centralized log management, retaining logs for a sufficient period to support forensic analysis, and configuring automated alerts for suspicious events such as repeated failed logins or access to sensitive endpoints.
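Added example, not code from the original article: a small detector that reads authentication events and raises one alert when a single source accumulates repeated failed logins inside a time window, which is the "repeated failed logins" alert the text calls for. The log line format and the sample lines are constructed.

```python
# Added example (not from the original article): alert on repeated failed
# logins from one source within a sliding window. Format and lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 fails six times in about half a minute.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth failure user=alice src=203.0.113.7
2024-05-01T10:00:05 auth success user=bob src=198.51.100.2
2024-05-01T10:00:09 auth failure user=alice src=203.0.113.7
2024-05-01T10:00:14 auth failure user=admin src=203.0.113.7
2024-05-01T10:00:20 auth failure user=root src=203.0.113.7
2024-05-01T10:00:27 auth failure user=alice src=203.0.113.7
2024-05-01T10:00:33 auth failure user=bob src=203.0.113.7
2024-05-01T10:30:00 auth failure user=carol src=198.51.100.2
"""


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Return (timestamp, src, count) once per source whose failures within
    `window_s` seconds reach `threshold`. Unparseable lines are skipped so a
    malformed line cannot stop the detector."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "failure":
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) == threshold:  # alert exactly when the threshold is crossed
            alerts.append((m["ts"], m["src"], len(q)))
    return alerts
```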

A10 — Server-Side Request Forgery (SSRF)

SSRF allows an attacker to induce the server to make HTTP requests to arbitrary targets, including internal services that should not be reachable from the outside. In cloud environments this is especially critical because instance metadata endpoints are often accessible via internal HTTP. Mitigation includes validating and allowlisting the URLs the application is permitted to request, blocking access to internal IP ranges from HTTP request functions, and disabling URL redirect following in HTTP client libraries.
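Added example, not code from the original article: validating a user-supplied URL before the server fetches it, combining the host allowlist and the internal-range block the text describes, with a literal-IP case handled directly. The allowlist, the blocked ranges, the fake resolver and the sample hostnames are constructed; a real deployment would resolve with `socket.getaddrinfo`.

```python
# Added example (not from the original article): validate an outbound URL
# before fetching it. Allowlist, resolver and sample hosts are constructed.
import ipaddress
from urllib.parse import urlsplit

# Ranges a server-side fetch should never reach: RFC 1918, loopback,
# link-local (where cloud metadata endpoints live), CGNAT, IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

ALLOWED_HOSTS = {"api.partner.example"}  # constructed allowlist

# Constructed resolver (hostname -> addresses). In production use
# socket.getaddrinfo and check every address it returns, not just the first.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "internal-alias.example": ["10.0.0.5"],  # public name pointing inside
}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def outbound_url_problem(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=FAKE_DNS.get):
    """Return None if the server may fetch url, else a short reason string.
    allowed_hosts=None skips the allowlist and relies on the IP check alone."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return "missing host or credentials in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return "host not on allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: check directly
    except ValueError:
        addrs = resolver(host) or []
    if not addrs:
        return "unresolvable host"
    if any(is_internal(a) for a in addrs):
        return "resolves to an internal address"
    return None
```

The same check has to apply to the address actually connected to (or the resolved IP must be pinned for the request) to hold up against DNS rebinding, and redirects should be disabled in the client (for example `allow_redirects=False` with `requests`) so an allowlisted host cannot bounce the request inward.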

How to protect your application against the OWASP Top 10

Effective protection against the OWASP Top 10 requires layering technical controls with mature development processes. On the technical side, the essential controls are: server-side input validation for every request, least-privilege enforcement across access and database permissions, continuous dependency updates with automated SCA scanning, and encryption in transit and at rest for all sensitive data.

On the process side, organizations should embed security into the design phase through threat modeling, run periodic assessments combining automated scanning with expert manual review, and maintain incident response procedures for when issues are discovered in production.

To verify that your applications are free from OWASP Top 10 vulnerabilities, a professional penetration test provides the technical evidence your development team, management, and auditors need. Pair that with a systematic vulnerability remediation process to ensure findings are tracked and resolved within defined SLAs.

Published on

Mario Robles

CEO & Founder

Ethical hacker with more than 20 years of experience, creator of cybersecurity tools, former leader of OWASP Costa Rica and active member of the Cybersec Cluster and the cybersecurity chapter of CAMTIC.
