Trusted answers to developer questions

What are OWASP's top 10 vulnerabilities?

Anjana Shankar

Free System Design Interview Course

Get Educative's definitive System Design Interview Handbook for free.


Open Web Application Security Project (OWASP) is a nonprofit organization that is focused on software security. OWASP Top 10 is a broad consensus about the ten most critical security risks faced by web applications. It gives a common language for security professionals and is the first step for developers on their journey to securing their web applications. Globally, OWASP Top 10 is recognized by developers as the first step toward more secure coding.

The OWASP Top 10 web application security risks are as follows:

1. Broken access control

Access control implies policy enforcement so that users can only access what they are intended to. Broken access control leads to information disclosure, modification, or destruction of data that a user was not authorized to act on.

2. Cryptographic failures

The non-ability to encrypt data in transit or data at rest can lead to several attacks. You may have noticed the lock icon on your browsers when you go to a website. The lock icon indicates that the site is utilizing HTTPS.

3. Injection

Injection flaws, such as SQL and LDAP injection, occur when a command or query is executed with an unintended parameter. For example, see the code below.

SELECT * FROM employee WHERE name=abc OR 1==1;

1==1 is the most common way for a SQL injection. This tricks the SQL query to return all rows by using the WHERE clause.

4. Insecure design

Insecure design focuses on design flaws. A secure design should follow secure design and architecture guidelines. Performing security threat modeling is one of them.

5. Security misconfiguration

Running software with default configurations, usernames, and passwords, unnecessary ports exposes applications to the attacker.

6. Vulnerable and outdated components

Software development frequently reuses components. It is imperative to ensure that the vulnerabilities in these dependencies are actively patched.

7. Identification and authentication failures

Incorrect implementation of the authentication and authorization application allows attackers to get access to passwords, sessions, and privilege escalations.

8. Software and data integrity failures

Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations.

9. Security logging and monitoring failures

Insufficient logging and monitoring to identify an attack gives attackers more time to penetrate the system.

10. Server-side request forgery

Server-Side Request Forgery or SSRF occurs whenever an application fetches a remote resource without validation.


Trusted Answers to Developer Questions

Related Tags

Keep Exploring
Related Courses