The OWASP Top 10 Vulnerabilities – Source: securityboulevard.com

What is the OWASP Top 10?

The OWASP Top 10 is a security research project that outlines the ten most critical security risks to web applications. Published by the Open Worldwide Application Security Project (OWASP), it serves as a widely recognized benchmark for web application security. The list is compiled from data gathered by security experts and organizations worldwide, based on the prevalence, detectability, and impact of various vulnerabilities.

Each entry in the OWASP Top 10 includes a description of the vulnerability, examples of attack scenarios, and advice on how to mitigate the risks. 

Here are the OWASP Top 10 vulnerabilities (latest update from 2021):

• A01:2021 – Broken Access Control: Improper enforcement of user permissions allows unauthorized access to resources or actions.
• A02:2021 – Cryptographic Failures: Weak or misapplied cryptographic protections expose sensitive data to compromise.
• A03:2021 – Injection: Unsanitized input is interpreted as code or commands, enabling unauthorized actions.
• A04:2021 – Insecure Design: Flawed application architecture or logic leads to exploitable security weaknesses.
• A05:2021 – Security Misconfiguration: Improperly configured systems or applications create exploitable vulnerabilities.
• A06:2021 – Vulnerable and Outdated Components: Use of unsupported or unpatched software components introduces known security flaws.
• A07:2021 – Identification and Authentication Failures: Weak authentication mechanisms allow attackers to compromise user identities.
• A08:2021 – Software and Data Integrity Failures: Unverified software updates or data integrity checks enable unauthorized code execution.
• A09:2021 – Security Logging and Monitoring Failures: Insufficient logging and monitoring hinder detection and response to security breaches.
• A10:2021 – Server-Side Request Forgery (SSRF): Applications fetch remote resources without validating user-supplied URLs, leading to potential internal system access.

When will the OWASP Top 10 be updated and what updates are expected?

The OWASP Top 10 list is scheduled for its next update soon. Data collection occurred in the second half of 2024. Analysis, drafting, and final release is expected in the first half of 2025.

Categories likely to remain relevant

Categories such as Broken Access Control, Injection, and Cryptographic Failures are expected to remain prominent due to their continued prevalence in web application vulnerabilities.​

Emerging threat categories

The following emerging threats might be included in the new OWASP Top 10 list, either as new categories or as part of existing ones:

• Race conditions and timing attacks: These are gaining attention as applications become more concurrent and distributed .
• Web cache poisoning: With increased reliance on caching mechanisms, this vulnerability is becoming more significant .
• AI and machine learning threats: The integration of AI introduces new attack vectors, including model manipulation and data poisoning .
• Quantum computing implications: The potential for quantum computers to break current encryption methods is prompting considerations for quantum-resistant algorithms 

Note: OWASP has a separate list of Top 10 LLM Vulnerabilities, which covers emerging threats related to large language model (LLM) applications.

The 2021 top 10 web application security risks

Let’s review the top web application security risks in more detail. The examples are adapted from the OWASP Top 10 documentation.

A01:2021-Broken access control

Vulnerability Description

Broken access control arises when restrictions on what authenticated users are allowed to do are not properly enforced. In secure applications, users are only able to perform actions and access resources explicitly granted to them. When access control mechanisms fail, users may gain unauthorized access to data or functions, such as viewing other users’ records, modifying privileged data, or invoking admin-only functionality.

Common attack methods include modifying URLs, API requests, or HTML content to escalate privileges or bypass access checks. These include insecure direct object references (IDOR), missing access validation for HTTP methods like PUT or DELETE, CORS misconfigurations, and tampering with access tokens such as cookies or JWTs. The result is unauthorized disclosure, modification, or destruction of sensitive data or system resources.

Mitigations

Access control should be enforced strictly on the server side using trusted code paths. Avoid relying on client-side checks, as they can be easily bypassed by attackers. Implement a deny-by-default policy for all resources that aren’t explicitly public.

Centralize access control logic and apply it consistently across the application. Use role-based or attribute-based access controls to define what each user or group is allowed to do. Ensure APIs enforce proper access control checks for all HTTP methods and operations.

Log access control failures and monitor for signs of abuse, such as repeated unauthorized requests. For stateful sessions, invalidate identifiers upon logout. For stateless access tokens like JWTs, use short lifetimes and implement proper token revocation strategies.

Example

An application has an endpoint /api/user/{id} intended to return the profile of the authenticated user. However, it lacks proper authorization checks. An attacker can access another user’s data by modifying the id parameter in the URL, such as /api/user/1234, leading to an Insecure Direct Object Reference (IDOR).

A02:2021-Cryptographic failures

Vulnerability Description

Cryptographic failures occur when sensitive data is not properly protected during storage or transmission. This includes using weak or outdated encryption algorithms, improper key management, or transmitting data in plaintext. Common flaws involve using deprecated protocols, failing to encrypt internal traffic, using hardcoded or reused keys, and insecure initialization vectors or random number generators.

Applications that store or transmit passwords, credit card numbers, health records, or personally identifiable information (PII) are especially at risk. These failures often lead to data exposure, regulatory violations, and user trust issues.

Mitigations

Identify and classify all sensitive data and define clear encryption requirements. Avoid storing sensitive information unless absolutely necessary, and remove it as soon as it’s no longer needed.

Encrypt sensitive data in transit using modern protocols like TLS with forward secrecy, and at rest using strong algorithms and key management. Avoid outdated algorithms like MD5, SHA-1, or ECB mode.

Store passwords using adaptive, salted hashing algorithms like bcrypt, Argon2, or PBKDF2. Ensure all cryptographic randomness and keys are securely generated and never reused. Avoid legacy protocols like FTP or SMTP for sensitive transfers and disable caching for confidential responses.

Example

An application stores user passwords using the MD5 hashing algorithm without a salt. An attacker who gains access to the password database can use precomputed hash tables (rainbow tables) to reverse the hashes and retrieve the original passwords.

A03:2021-Injection

Vulnerability Description

Injection flaws occur when untrusted input is interpreted as code or commands by an interpreter. This can allow attackers to manipulate queries, access unauthorized data, or execute arbitrary commands. Common types include SQL, NoSQL, OS command, and LDAP injections.

Vulnerabilities arise when applications concatenate user input into dynamic queries or fail to sanitize input. Injections are especially dangerous due to their ability to impact data integrity, confidentiality, and availability.

Mitigations

Use parameterized queries or prepared statements for all database access. Avoid dynamically constructing queries or commands using user input. Prefer safe APIs and ORM frameworks that handle data binding securely.

Apply positive input validation on the server side. For any unavoidable dynamic input, escape characters based on the context (e.g., SQL, shell). Limit the scope of data returned by queries using LIMIT or similar clauses to reduce impact in case of a breach.

Include automated testing in the CI/CD pipeline using tools like SAST, DAST, and IAST to detect injection flaws early.

Example

A web application constructs SQL queries by concatenating user input:

SELECT * FROM users WHERE username = ‘” + user_input + “‘;

If an attacker inputs ‘ OR ‘1’=’1, the resulting query becomes:

SELECT * FROM users WHERE username = ” OR ‘1’=’1′;

This condition always evaluates to true, potentially returning all user records.

A04:2021-Insecure design

Vulnerability Description

Insecure design reflects a failure to anticipate security risks during the planning and architecture stages of software development. It represents missing or ineffective security controls that cannot be addressed by simply fixing code-level bugs.

Causes include lack of threat modeling, failure to define security requirements, and insufficient segregation of duties or tenant boundaries. Secure implementation cannot compensate for flawed design decisions.

Mitigations

Adopt a secure development lifecycle that includes threat modeling, security architecture reviews, and integration of AppSec experts from the beginning. Define and document functional and non-functional security requirements.

Use proven design patterns and maintain a library of secure components. Integrate security considerations into user stories, and write tests for misuse cases as well as valid flows. Implement defense-in-depth through layered security and resource consumption limits across all tiers of the application.

Example

A password reset feature allows users to reset passwords by answering security questions like “What is your pet’s name?” These answers can often be guessed or found on social media.

A05:2021-Security misconfiguration

Vulnerability Description

Security misconfiguration involves using insecure default settings, incomplete configurations, or improperly set permissions. This risk is common in cloud services, application frameworks, containers, and software components.

Typical issues include verbose error messages, unnecessary services, outdated components, default credentials, and missing security headers. These weaknesses often arise due to inconsistent deployment or lack of hardening practices.

Mitigations

Implement a repeatable hardening process for all environments—development, testing, and production—with automation where possible. Use a minimal installation profile to reduce the attack surface and disable unused features.

Continuously review and update configurations based on vendor security bulletins. Secure cloud storage permissions and segment application architecture to isolate components. Deploy automated tools to verify configurations and apply security directives like HTTP headers.

Example

An application has directory listing enabled on the web server, allowing attackers to view and download sensitive files from the server.

A06:2021-Vulnerable and outdated components

Vulnerability Description

This category covers known-vulnerable libraries, frameworks, and components that have not been patched or maintained. It includes both direct and transitive dependencies across client-side and server-side code.

The risks stem from not tracking versions, failing to apply updates, or ignoring known vulnerabilities in software supply chains. Without visibility and timely patching, systems remain exposed to exploits.

Mitigations

Maintain a full inventory of all components and their dependencies. Use automated tools for software composition analysis to identify known vulnerabilities (e.g., OWASP Dependency Check, retire.js).

Regularly monitor vulnerability databases and subscribe to alerts for components in use. Use only official repositories, preferably with signed packages. Remove unused dependencies and adopt virtual patching when immediate upgrades are not feasible.

Establish a patch management policy and test updated components to ensure compatibility before deployment.

Example

An application uses a JavaScript library with known vulnerabilities. Attackers exploit these vulnerabilities to execute malicious scripts in users’ browsers.

A07:2021-Identification and authentication failures

Vulnerability Description

Authentication weaknesses can allow attackers to impersonate users or gain unauthorized access. These issues include weak password policies, credential stuffing vulnerabilities, and session management flaws such as exposed session IDs or missing logout functionality.

Without proper identity confirmation and secure session handling, attackers may exploit brute-force techniques, session fixation, or exploit credential recovery features.

Mitigations

Enforce multi-factor authentication and strong password policies aligned with NIST 800-63b guidelines. Disable default or well-known credentials in all deployments.

Protect login and registration endpoints from brute force and enumeration attacks. Implement secure session management using server-side mechanisms that invalidate tokens upon logout and avoid exposing session IDs in URLs.

Limit failed login attempts and alert administrators about suspicious activity. Ensure consistent, secure handling of password resets and credential recovery flows.

Example

An application allows unlimited login attempts without any rate limiting. Attackers use automated tools to guess user credentials through brute-force attacks.

A08:2021-Software and data integrity failures

Vulnerability Description

These vulnerabilities arise when applications make assumptions about the integrity of software updates, CI/CD pipelines, and data sources. If data or code is modified without detection, attackers can introduce malicious updates or alter serialized objects.

Examples include downloading code without verifying signatures, using untrusted plugins or CDNs, or allowing deserialization of untrusted data without integrity checks.

Mitigations

Use digital signatures to verify the source and integrity of software and updates. Obtain components only from trusted repositories, or host an internal repository that is vetted and controlled.

Implement software supply chain security tools like CycloneDX or Dependency Track. Secure CI/CD pipelines by restricting access, monitoring changes, and validating builds. Avoid using serialized data in client-facing communications, or apply cryptographic integrity protections like signing.

Example

An application downloads and executes updates over an unsecured connection without verifying the source. Attackers intercept the connection and provide malicious updates.

A09:2021-Security logging and monitoring failures

Vulnerability Description

Without proper logging and monitoring, attacks can go undetected, delaying response and increasing impact. Failures include missing logs for key events, unmonitored logs, or ineffective alerting and incident escalation.

Applications are at risk if they fail to capture and retain logs for events such as failed logins, high-value transactions, or suspicious activities. Poorly formatted logs or local-only storage reduce visibility and forensic capabilities.

Mitigations

Log authentication and access control failures with enough context to identify potential attackers. Store logs securely in a format suitable for analysis and centralized log management systems.

Set up real-time alerts for critical events and ensure alerts trigger an appropriate incident response. Apply tamper-evident controls to high-value logs, and establish a formal incident response plan using frameworks like NIST 800-61.

Example

An application doesn’t log failed login attempts. An attacker repeatedly tries different passwords without detection, eventually gaining unauthorized access.

A10:2021-Server-side request forgery (SSRF) 

Vulnerability Description

SSRF occurs when an application fetches remote resources based on user-supplied URLs without validation. Attackers can abuse this to send requests to internal services, bypass firewalls, or exploit cloud metadata endpoints.

This vulnerability is increasingly impactful due to cloud service adoption and the trend of microservice-based architectures.

Mitigations

Apply defense in depth at both the network and application layers. Isolate remote resource access logic in a separate network with strict ACLs and logging. Enforce a “deny by default” policy on firewall rules.

At the application level, validate all URLs against a strict allow list. Block raw response forwarding and disable redirects. Watch out for DNS rebinding or TOCTOU issues in URL checks. Avoid relying on deny lists or regular expressions to filter URLs.

Use encrypted internal communication and avoid exposing sensitive internal services to user-controlled inputs.

Example

An application fetches URLs provided by users. An attacker inputs a URL pointing to the internal metadata service of a cloud provider, accessing sensitive information.

Other OWASP top 10 projects

In addition to the OWASP Top 10 for web application security, OWASP maintains several other Top 10 lists that address different domains of cybersecurity. These projects aim to highlight the most critical risks in their respective areas and provide guidance for mitigating them:

• OWASP Top 10 for Large Language Model Applications: Focuses to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing LLMs and Generative AI applications. Highlighting their potential impact, ease of exploitation, and prevalence in real-world applications.
• OWASP API Security Top 10: Focuses specifically on security threats related to application programming interfaces (APIs). It addresses risks such as broken object-level authorization, excessive data exposure, and lack of resources and rate limiting, which are particularly relevant as APIs become central to modern application architectures.
• OWASP Mobile Top 10: Targets vulnerabilities specific to mobile applications on platforms like Android and iOS. This list covers issues such as insecure data storage, improper platform usage, and insufficient cryptography.
• OWASP Cloud-Native Application Security Top 10: Focuses on security risks in cloud-native environments, including container orchestration, serverless functions, and microservices architectures. It highlights concerns like insecure container images, exposed sensitive configurations, and inadequate identity and access management.

Enabling security best practices

The OWASP Top 10 is not an exhaustive list of every possible security attack. Instead, it is a guide that identifies the most common mistakes that are more likely to result in an application breach. A determined attacker can find many ways to infiltrate their target. Smart developers and security professionals use the OWASP Top 10 to get the biggest bang for their buck, so to speak, by focusing their efforts on the issues with the broadest and biggest potential impact.

*** This is a Security Bloggers Network syndicated blog from Mend authored by Mend.io Communications. Read the original post at: https://www.mend.io/blog/owasp-top-10-vulnerabilities/