OWASP Top Ten

Understanding and mitigating the most critical web application security risks

What is the OWASP Top Ten?

The OWASP Top Ten is a standard awareness document representing the most critical security risks to web applications. It's published by the Open Worldwide Application Security Project (OWASP), a non-profit foundation dedicated to improving software security.

Key Benefits:
  • Common Language: Shared terminology for security risks
  • Risk Prioritization: Focus on the most impactful vulnerabilities
  • Industry Standard: Widely adopted across organizations
  • Data-Driven: Based on real-world vulnerability data
Used By:
  • Security teams for threat modeling
  • Developers for secure coding practices
  • Auditors for compliance assessments
  • Management for risk decisions

The 2021 OWASP Top Ten Risks

Rank | Risk | Description
A01 | Broken Access Control | Failures in enforcing restrictions on what authenticated users can do
A02 | Cryptographic Failures | Failures related to cryptography which lead to sensitive data exposure
A03 | Injection | User-supplied data is not validated, filtered, or sanitized by the application
A04 | Insecure Design | Missing or ineffective control design
A05 | Security Misconfiguration | Missing appropriate security hardening across the application stack
A06 | Vulnerable Components | Using components with known vulnerabilities
A07 | Authentication Failures | Failures in authentication and session management
A08 | Software & Data Integrity | Failures in software updates, critical data, and CI/CD pipelines without integrity verification
A09 | Logging & Monitoring Failures | Insufficient logging, detection, monitoring and active response
A10 | Server-Side Request Forgery | Web application fetches remote resources without validating user-supplied URLs

A01: Broken Access Control

Common Vulnerabilities:
  • Violation of the principle of least privilege
  • Bypassing access control checks by modifying URLs
  • Insecure direct object references (IDOR)
  • Missing access control for POST, PUT and DELETE
  • Elevation of privilege
Prevention:
  • Deny by default except for public resources
  • Implement access control mechanisms once and reuse
  • Access control models should enforce record ownership rather than letting any authenticated user read or modify any record
  • Disable web server directory listing
  • Log access control failures
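The deny-by-default and record-ownership rules above, written out as an added example (not code from the original page): a check that allows an action only when a positive rule matches and logs every failure. All names here (canAccessRecord, accessLog, the sample users and record) are assumptions.

```javascript
// Added example, not part of the original page: a deny-by-default check that
// enforces record ownership (A01 prevention) and logs every failure.
// All names here (canAccessRecord, accessLog, the sample users and record)
// are assumptions for this example.

// Failures are collected here so they can be inspected; a real service
// would forward them to its logging pipeline.
const accessLog = [];

// The only actions a record's owner may perform; anything else is denied.
const OWNER_ACTIONS = new Set(['read', 'update', 'delete']);

function canAccessRecord(user, record, action) {
  let allowed = false;
  let reason = 'denied by default';

  if (!user) {
    reason = 'unauthenticated';
  } else if (!record) {
    reason = 'no such record';
  } else if (user.role === 'admin') {
    allowed = true;
    reason = 'admin role';
  } else if (record.ownerId === user.id && OWNER_ACTIONS.has(action)) {
    allowed = true;
    reason = 'record owner';
  }

  if (!allowed) {
    // Every access-control failure is recorded (A01: log failures).
    accessLog.push({
      userId: user ? user.id : null,
      recordId: record ? record.id : null,
      action,
      reason,
    });
  }
  return { allowed, reason };
}

// Constructed sample data for a stand-alone run.
const alice = { id: 1, role: 'user' };
const bob = { id: 2, role: 'user' };
const invoice = { id: 500, ownerId: 1 };

console.log(canAccessRecord(alice, invoice, 'read'));  // owner: allowed
console.log(canAccessRecord(bob, invoice, 'delete'));  // another user's record: denied and logged
console.log(accessLog);
```

An action the code does not know about (for example 'approve') falls through every branch and is denied, which is the deny-by-default behaviour the list asks for.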

A02: Cryptographic Failures

Common Issues:
  • Data transmitted in clear text
  • Old or weak cryptographic algorithms
  • Default crypto keys in use
  • Crypto keys generated or reused improperly
  • Lack of proper key rotation
Prevention:
  • Classify data and apply controls per classification
  • Don't store sensitive data unnecessarily
  • Encrypt all sensitive data at rest
  • Use up-to-date and strong algorithms
  • Enforce encryption using directives like HSTS

A03: Injection

Vulnerability Types:
  • SQL Injection: Malicious SQL queries
  • NoSQL Injection: NoSQL database attacks
  • OS Command: Operating system commands
  • LDAP Injection: Directory service attacks
  • XPath/XQuery: XML query manipulation
Prevention Methods:
  • Use safe APIs with parameterized interfaces
  • Positive server-side input validation
  • Escape special characters
  • Use SQL controls like LIMIT to prevent mass disclosure
  • Perform code reviews and automated testing
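Three of the prevention methods above (positive validation, parameterized queries, and LIMIT) applied to a single user-search query, as an added example that is not code from the original page. Names such as buildUserSearch, isValidPrefix and MAX_ROWS are assumptions.

```javascript
// Added example, not part of the original page: the A03 prevention steps
// applied to one user-search query: positive (allowlist) validation,
// a parameterized query, and a LIMIT to cap disclosure.
// Names (buildUserSearch, isValidPrefix, MAX_ROWS, sample inputs) are assumptions.

const MAX_ROWS = 50;

// Positive validation: accept only what a username prefix can legitimately be.
// Rejecting everything else is simpler and safer than stripping "bad"
// characters; it also keeps the LIKE wildcards % and _ out of the pattern.
function isValidPrefix(raw) {
  return typeof raw === 'string' && /^[A-Za-z0-9]{1,32}$/.test(raw);
}

// Returns SQL text and bound parameters separately, in the same
// db.query(sql, params) shape the page's secure example uses. The driver sends
// them to the database independently, so user input can never change the
// structure of the statement.
function buildUserSearch(rawPrefix) {
  if (!isValidPrefix(rawPrefix)) {
    throw new Error('invalid username prefix');
  }
  return {
    sql: 'SELECT id, username FROM users WHERE username LIKE ? LIMIT ' + MAX_ROWS,
    params: [rawPrefix + '%'],
  };
}

// Constructed inputs: a legitimate prefix and a string containing SQL syntax.
console.log(buildUserSearch('ali'));          // params: [ 'ali%' ]
try {
  buildUserSearch("a' OR '1'='1");            // rejected before any SQL is built
} catch (e) {
  console.log('rejected:', e.message);
}
```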

A04: Insecure Design

Design Flaws:
  • Missing threat modeling
  • Lack of security reference architecture
  • Insufficient security in user stories
  • Missing rate limiting for resource consumption
  • Inadequate tenant isolation
Secure Design Principles:
  • Establish secure development lifecycle
  • Use threat modeling for critical flows
  • Integrate security language into user stories
  • Implement tiered security controls
  • Perform design reviews with security experts

Implementing OWASP in Your SDLC

Requirements
  • Define security requirements
  • Identify sensitive data
  • Establish compliance needs
  • Create abuse cases
Design
  • Threat modeling
  • Security architecture review
  • Select security controls
  • Design security tests
Implementation
  • Secure coding standards
  • Code reviews
  • Static analysis (SAST)
  • Dependency scanning
Testing & Deployment
  • Dynamic testing (DAST)
  • Penetration testing
  • Security monitoring
  • Incident response plan

Security Testing Tools & Techniques

Automated Tools:

Tool Type | Purpose | Examples
SAST | Static code analysis | SonarQube, Checkmarx
DAST | Dynamic testing | OWASP ZAP, Burp Suite
SCA | Dependency scanning | Snyk, npm audit
IAST | Interactive testing | Contrast Security

Manual Techniques:

  • Code Review: Manual inspection for logic flaws
  • Threat Modeling: STRIDE, PASTA methodologies
  • Penetration Testing: Simulated attacks
  • Security Architecture Review: Design evaluation
Best Practice: Combine automated and manual techniques for comprehensive coverage. No single tool can find all vulnerabilities.

Security Implementation Checklist

Authentication & Access
Data Protection
Monitoring & Response

Secure Coding Examples

SQL Injection Prevention (Node.js)

❌ Vulnerable Code:
// Never do this! userId is concatenated straight into the SQL text,
// so any SQL syntax it contains becomes part of the statement
const query = "SELECT * FROM users WHERE id = " + userId;
db.query(query, (err, result) => {
  // Process result
});
✅ Secure Code:
// Use parameterized queries: the driver binds userId to the ? placeholder,
// so it is always treated as a value and never as SQL
const query = "SELECT * FROM users WHERE id = ?";
db.query(query, [userId], (err, result) => {
  // Process result
});

Access Control Implementation

// Middleware for role-based access control.
// req.user is expected to be set by an authentication middleware that runs
// earlier in the chain; an empty roles list only requires authentication.
function authorize(roles = []) {
  return (req, res, next) => {
    if (!req.user) {
      // Not authenticated
      return res.status(401).json({ message: 'Unauthorized' });
    }

    if (roles.length && !roles.includes(req.user.role)) {
      // Authenticated, but the role is not in the allowed list
      return res.status(403).json({ message: 'Forbidden' });
    }

    next();
  };
}

// Usage: only users with the admin role reach the handler
app.get('/api/admin', authorize(['admin']), (req, res) => {
  res.json({ message: 'Admin access granted' });
});

Key Takeaways

Remember:
  • ✅ OWASP Top Ten represents the most critical risks
  • ✅ Security must be built into the SDLC
  • ✅ Use defense in depth - multiple security layers
  • ✅ Keep dependencies and frameworks updated
  • ✅ Regular testing and monitoring are essential
Actions to Take:
  • 📋 Conduct threat modeling for new features
  • 🔍 Implement automated security scanning
  • 📚 Train developers on secure coding
  • 🛡️ Establish security champions program
  • 📊 Track and measure security metrics