OWASP Top 10 Explained: The Most Critical Web Security Risks

A01 — Broken Access Control

The #1 risk. Access control enforces that users can only do what they're permitted to. Failures allow attackers to access other users' accounts, view sensitive data, or perform administrative actions.

Example: Changing the URL from /user/123/profile to /user/124/profile and seeing another user's data.

Fix: Enforce access control server-side on every request. Deny by default. Use UUIDs instead of sequential IDs.

A02 — Cryptographic Failures

Formerly "Sensitive Data Exposure". Weak cryptography or transmitting sensitive data without encryption allows attackers to steal credentials, payment data, or health records.

Example: Storing passwords with MD5 hashing, or serving a login page over HTTP.

Fix: Use TLS everywhere. Hash passwords with bcrypt. Encrypt sensitive data at rest with AES-256.

A03 — Injection

SQL, NoSQL, OS, and LDAP injection occur when user-supplied data is sent to an interpreter as part of a command. A successful injection can dump your entire database or execute commands on your server.

Example: A search box that is passed directly to a SQL query: SELECT * FROM users WHERE name = '${input}'

Fix: Use parameterised queries. Validate and sanitise all input. Use an ORM with query binding.

A04 — Insecure Design

Security flaws baked into the architecture itself. No amount of correct implementation fixes a fundamentally insecure design. Common in applications that didn't threat-model during development.

Fix: Build security into your design phase. Conduct threat modelling. Use established secure design patterns.

A05 — Security Misconfiguration

The most commonly encountered finding in automated scans. Includes missing security headers, verbose error messages, default credentials, and overly permissive cloud storage.

Example: An S3 bucket set to public. A server returning Server: Apache/2.4.18 (Ubuntu).

Fix: Automate configuration hardening. Suppress server banners. Set all security headers. Disable directory listing.

A06 — Vulnerable and Outdated Components

Using libraries, frameworks, or other software with known vulnerabilities. "Log4Shell" (CVE-2021-44228) affected millions of servers running the Log4j library.

Fix: Keep dependencies updated. Use a software composition analysis (SCA) tool. Subscribe to CVE feeds for your stack.

A07 — Identification and Authentication Failures

Broken authentication allows attackers to compromise passwords, keys, or session tokens to assume other users' identities.

Example: Predictable session IDs. Allowing weak passwords. Not invalidating sessions on logout.

Fix: Implement MFA. Use strong session management. Rate-limit and monitor login attempts.

A08 — Software and Data Integrity Failures

Code and infrastructure that doesn't protect against integrity violations. Insecure CI/CD pipelines, auto-updates without integrity verification, and insecure deserialisation.

Fix: Use Subresource Integrity (SRI) for CDN scripts. Sign and verify build artifacts. Protect CI/CD pipeline credentials.

A09 — Security Logging and Monitoring Failures

Insufficient logging means breaches go undetected. The average time to detect a breach is 207 days — often because there's no logging to alert on suspicious activity.

Fix: Log all authentication events, access control failures, and input validation failures. Set up alerting. Use a SIEM.

A10 — Server-Side Request Forgery (SSRF)

SSRF flaws allow attackers to induce the server to make HTTP requests to unintended locations — including internal services, cloud metadata endpoints, or other systems behind the firewall.

Example: An image upload that fetches from a URL — manipulated to http://169.254.169.254/latest/meta-data/ to steal AWS credentials.

Fix: Validate and sanitise all URLs. Use an allowlist of permitted destinations. Disable HTTP redirections.