Web Application Security

OWASP Top 10 Overview

55 min

OWASP — Open Web Application Security Project

OWASP is a non-profit foundation that works to improve software security. The OWASP Top 10 is the definitive list of the most critical web application security risks, updated regularly based on real-world data from thousands of organizations.

OWASP TOP 10 (2021)
══════════════════════════════════════════════════════
A01 Broken Access Control        ← #1 risk; 94% of apps tested
A02 Cryptographic Failures       ← Formerly "Sensitive Data Exposure"
A03 Injection                    ← SQL, NoSQL, OS, LDAP, XSS
A04 Insecure Design              ← NEW: Missing threat modeling
A05 Security Misconfiguration    ← Misconfig in cloud/frameworks
A06 Vulnerable Components        ← Log4Shell, Struts, outdated libs
A07 Identification & Auth        ← Session mgmt, weak passwords
A08 Data Integrity Failures      ← NEW: Deserialization, CI/CD
A09 Security Logging Failures    ← Insufficient monitoring/logging
A10 SSRF                         ← NEW: Server-Side Request Forgery
══════════════════════════════════════════════════════

A01: Broken Access Control

Users can act outside their intended permissions. Examples include:

  • Accessing other users' data by modifying the URL: /api/user/1234 → /api/user/1235 (IDOR)
  • Accessing admin functions as a regular user
  • JWT token manipulation to elevate privileges
  • CORS misconfiguration allowing cross-origin data access
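The IDOR case from the first bullet, as an added example that is not part of the original page: a minimal, framework-free request handler in its vulnerable form (it trusts the id in the URL) beside the hardened form (it authorizes against the server-side session before touching the record). The user table, the Request type and the role field are constructed stand-ins, not a real application's API.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data: user records keyed by id (assumed schema).
USERS = {
    1234: {"id": 1234, "email": "alice@example.com", "role": "user"},
    1235: {"id": 1235, "email": "bob@example.com", "role": "user"},
    1: {"id": 1, "email": "admin@example.com", "role": "admin"},
}


@dataclass
class Request:
    """Stand-in for a web request: the authenticated user from the session plus the URL path."""
    session_user_id: int
    path: str  # e.g. "/api/user/1235"


def parse_user_id(path: str) -> int:
    """Extract the numeric id from /api/user/<id>; reject anything else."""
    prefix = "/api/user/"
    if not path.startswith(prefix) or not path[len(prefix):].isdigit():
        raise ValueError("unsupported path")
    return int(path[len(prefix):])


def get_user_vulnerable(req: Request) -> Tuple[int, Optional[dict]]:
    """IDOR: the id in the URL is used directly; nobody checks who is asking."""
    uid = parse_user_id(req.path)
    record = USERS.get(uid)
    return (200, record) if record else (404, None)


def get_user_hardened(req: Request) -> Tuple[int, Optional[dict]]:
    """Object-level authorization: a caller may read only their own record unless
    their server-side role is admin. The decision uses the session, never the URL."""
    uid = parse_user_id(req.path)
    caller = USERS.get(req.session_user_id)
    if caller is None:
        return (401, None)
    if caller["role"] != "admin" and caller["id"] != uid:
        # Deny before the lookup so the status code does not reveal whether the id exists.
        return (403, None)
    record = USERS.get(uid)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    # Session belongs to user 1234, but the URL names user 1235 (the bullet above).
    crafted = Request(session_user_id=1234, path="/api/user/1235")
    print(get_user_vulnerable(crafted))  # (200, {...bob...}): another user's data returned
    print(get_user_hardened(crafted))    # (403, None): denied
```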

A02: Cryptographic Failures

  • Transmitting sensitive data over HTTP (unencrypted)
  • Using weak/outdated algorithms: MD5, SHA-1, DES, RC4
  • Hardcoded encryption keys in source code
  • Improper certificate validation

A04: Insecure Design

Security cannot be bolted on after the fact. Secure design requires threat modeling during the design phase using frameworks like STRIDE:

STRIDE THREAT MODEL
──────────────────────────────────────────────
S - Spoofing Identity      → Authentication controls
T - Tampering with Data    → Integrity controls
R - Repudiation            → Audit logging, digital signatures
I - Information Disclosure → Confidentiality controls
D - Denial of Service      → Availability controls
E - Elevation of Privilege → Authorization controls