OWASP Top 10 — The Ten Classes of Critical Web Vulnerabilities
The 10 most critical web application security risks (2021 edition) — know them, test for them, mitigate them.
When to use
- Code reviews, design reviews, pentests
- Onboarding engineers to security mindset
Tradeoffs
- List updates every few years; context-specific risks may rank higher for your domain
- Checkbox compliance without threat modeling is security theater
| Rank | Name | One-line mitigation |
|---|---|---|
| A01 | Broken Access Control | Enforce authz server-side on every request; deny by default |
| A02 | Cryptographic Failures | TLS everywhere; use AES-256-GCM; no MD5/SHA1 for secrets |
| A03 | Injection (SQL, LDAP, etc.) | Parameterized queries always; never interpolate user input |
| A04 | Insecure Design | Threat model during design; security requirements upfront |
| A05 | Security Misconfiguration | Disable defaults; audit IAM policies; no debug in prod |
| A06 | Vulnerable Components | Automated dependency scanning (Dependabot, Snyk) |
| A07 | Auth/Session Failures | Short-lived tokens; MFA; brute-force protection |
| A08 | Software/Data Integrity | Verify signatures; pin dependencies; SBOM |
| A09 | Logging/Monitoring Failures | Log security events; alert on anomalies; retain logs |
| A10 | SSRF | Validate/allowlist URLs; block internal IP ranges at network level |
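As an added example (not from the original page) of the A10 row's "validate/allowlist URLs" mitigation, the following Python check accepts an outbound URL only if its scheme and host are on an explicit allowlist and the address it resolves to is globally routable. The host names, the resolver results and the `fake_resolve` function are constructed so it runs offline; the resolver is passed in as a parameter because the check must be made on the resolved address, not just the hostname string.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real service lists its own upstreams.
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_ip(ip_text):
    """True only for globally routable addresses (rejects loopback,
    link-local, RFC 1918, CGNAT, documentation and reserved ranges)."""
    return ipaddress.ip_address(ip_text).is_global


def validate_outbound_url(url, resolve):
    """Return (ok, reason). `resolve` maps a hostname to a list of IP strings;
    it is injected so the check is testable offline and so the resolved
    address is validated rather than trusting the hostname alone."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if host is None:
        return False, "no host"
    if parts.username or parts.password:
        # user@host forms are a classic way to smuggle a different host past a
        # naive string check; refuse them outright.
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP not allowed"
    except ValueError:
        pass  # not an IP literal, continue with hostname checks
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addrs = resolve(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to non-public address"
    return True, "ok"


# Constructed resolver results standing in for DNS.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    # An allowlisted name that (mis)resolves to a link-local address, e.g. via
    # DNS rebinding or a compromised record: the allowlist alone would pass it.
    "images.example.com": ["169.254.169.254"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/items",
              "http://api.example.com/",
              "https://127.0.0.1/",
              "https://images.example.com/logo.png",
              "https://api.example.com@evil.example.net/"]:
        print(u, validate_outbound_url(u, fake_resolve))
```

The table's "block internal IP ranges at network level" still applies: application-layer validation like this is one layer, and an egress firewall or proxy that denies private ranges catches the cases where the resolved address changes between the check and the connection.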
A03 — Injection: vulnerable vs safe
```sql
-- Vulnerable (string interpolation): the query as executed once the
-- user-supplied id 1' OR '1'='1 has been concatenated into the SQL text.
-- The OR makes the WHERE clause always true, so every row is returned.
SELECT * FROM users WHERE id = '1' OR '1'='1'
-- Safe (parameterized query): the value is bound to $1 by the driver and is
-- never parsed as SQL, so the same input simply matches no row.
SELECT * FROM users WHERE id = $1
-- bind parameter: userId (never concatenated)
```
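Below, as an added example that is not part of the original page, the two query forms above are run side by side in Python against a constructed in-memory SQLite table, so the difference in behaviour can be observed rather than described. The table contents, the `lookup_*` function names and the payload string are constructed for the example; SQLite's driver uses `?` as the placeholder where PostgreSQL uses `$1`.

```python
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob"), ("3", "carol")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """String interpolation: the input becomes part of the SQL text."""
    sql = f"SELECT name FROM users WHERE id = '{user_id}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Parameterized query: the input is bound as a value, never parsed."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# The input from the page's vulnerable example, as one string.
INJECTED_ID = "1' OR '1'='1"


def demo():
    """Run both forms with a benign id and with the injected id."""
    conn = make_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "1"),
        "benign_safe": lookup_safe(conn, "1"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED_ID),
        "injected_safe": lookup_safe(conn, INJECTED_ID),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

Both forms return `['alice']` for the benign id; for the injected id the interpolated query returns every row while the parameterized one returns nothing, because the whole string is compared against the `id` column as data. In code review, the thing to look for is any path that builds SQL from strings, including ORM escape hatches such as raw-query helpers, since the ORM's normal query builder already parameterizes.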
Gotcha: A01 Broken Access Control has been #1 since 2021. Most breaches are authorization failures — an attacker accessing data they shouldn't — not exotic cryptographic attacks.
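As an added example (not from the original page) of the A01 row's "enforce authz server-side on every request; deny by default", the Python below contrasts a handler that fetches a record by a client-supplied id with no authorization check against one that re-evaluates an explicit allow list on every request and denies anything not listed. The principals, documents, roles and the `handle_request*` names are constructed for the example; denied decisions are appended to an audit list to tie in the A09 row.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


# Constructed sample records.
STORE = {
    "d1": Document("d1", "alice"),
    "d2": Document("d2", "bob"),
}

# Explicit allow rules as (role, action) pairs. Anything absent is denied.
ROLE_PERMISSIONS = {
    ("admin", "read"), ("admin", "delete"),
    ("auditor", "read"),
}
KNOWN_ACTIONS = {"read", "delete"}

AUDIT_LOG = []  # denied decisions are recorded here (A09: log security events)


def is_authorized(principal, action, doc):
    """Deny by default: True only when an explicit rule matches."""
    if action not in KNOWN_ACTIONS:
        return False  # an unknown action never falls through to "allow"
    if doc.owner_id == principal.user_id:
        return True  # owners may act on their own documents
    return any((role, action) in ROLE_PERMISSIONS for role in principal.roles)


def handle_request_broken(principal, action, doc_id):
    """Vulnerable: looks the record up by the id the client sent and returns it
    without any authorization check, relying on the UI to only show links the
    user is allowed to follow."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404
    return 200


def handle_request(principal, action, doc_id):
    """Hardened: the authorization decision is made server-side on every call."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404
    if not is_authorized(principal, action, doc):
        AUDIT_LOG.append(("denied", principal.user_id, action, doc_id))
        return 403
    return 200


if __name__ == "__main__":
    bob = Principal("bob", frozenset())
    print("broken handler, bob reads alice's d1:", handle_request_broken(bob, "read", "d1"))  # 200
    print("fixed handler,  bob reads alice's d1:", handle_request(bob, "read", "d1"))         # 403
```

The hardened handler returns 403 for a denied request to keep the example readable; many teams return 404 for both missing and forbidden objects so that a response does not confirm which ids exist. Either way the decision is made on the server from the authenticated principal, never from a flag or id the client controls.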