OWASP Top 10
OWASP Top 10 Risks and How to
Prevent Them
What is the OWASP Top 10?
The Open Web Application Security Project (OWASP) is
a non-profit organization that strives to improve web
application security by offering research and free
resources. The organization provides easily accessible
materials on its website to make it possible for anyone
to improve the security of their web applications.
The organization offers a wealth of information
through documentation, videos, forums, and tools. The
OWASP Top 10 is a popular project that provides
information about web application security risks. It
serves development teams worldwide as a standard for
securing web applications.
The organization published the first version of the list in
2003 and updated it in 2004, 2007, 2010, 2013, and
2017. The latest update was published in 2021.
In this article:
How Should You Use the OWASP Top 10 List?
OWASP Top 10 2021
o A01: Broken Access Control
o A02: Cryptographic Failures
o A03: Injection
o A04: Insecure Design
o A05: Security Misconfiguration
o A06: Vulnerable and Outdated Components
o A07: Identification and Authentication Failures
o A08: Software and Data Integrity Failures
o A09: Security Logging and Monitoring Failures
o A10: Server-Side Request Forgery
Other OWASP Top 10 Lists
Are These the Only Vulnerabilities You Need to
Watch Out For?
Find Out if Your App is Exposed to OWASP Top 10
with Bright Security
How Should You Use the OWASP Top 10
List?
The OWASP Top 10 list was introduced in 2003 and is
updated every few years in line with the evolution of
application security threats and practices. The
importance of this list lies in the highly practical
information it provides, in the sharp focus it offers
developers and organizations of all sizes (by prioritizing
the most important threats), and as a standard for
anyone developing and delivering web applications.
Many security auditors treat the OWASP Top 10 as a
basic threshold of application security. Failure to secure
applications against one or more of the Top 10
indicates that the organization does not have basic
security measures and may not meet other compliance
requirements.
On the other hand, by incorporating the Top 10 risks
into the software development lifecycle (SDLC), an
organization demonstrates its commitment to security
best practices. Securing applications against the
OWASP Top 10 is not enough to comprehensively
secure applications, because there are many other
threats, but it is a big step towards sound application
security.
Here are a few important points that can help you
make use of the OWASP list and research:
Address the most serious threats—the OWASP
Top 10 focuses on the most severe threats, not
specific vulnerabilities. Threats are always a more
reliable measure of risk because they help you
consider possible attack vectors, which can strike
in many different places in your application.
Keep up with changes—OWASP updates the Top
10 list every three years, making recommendations
that reflect important, long-term changes in the
application security field and do not reflect short-
term volatility.
Get detailed technical information—behind each
of the OWASP Top 10 items is a wealth of technical
information that can help you better understand
the risk, learn about development antipatterns
that can lead to vulnerabilities, and remediate
them. OWASP also provides open source tools you
can use to test software packages and identify
security issues.
OWASP Top 10 2021
A01: Broken Access Control
Ideally, web applications should make each piece of
information available only to certain users according to
their privileges. Broken access control can lead to
critical security risks, allowing users to access the
information they are not truly authorized to access.
How to prevent broken access control:
Set up and implement a secure development
lifecycle that includes designing and evaluating
security and privacy controls.
Set up and implement a library of secure design
patterns.
Employ threat modeling for critical access control,
authentication, key flows, and business logic.
Integrate security controls into user stories.
Add plausibility checks to each application tier,
from front-end to back-end.
Depending on the required exposure and
protection, segregate tier layers on the system and
network layers.
A02: Cryptographic Failures
Cryptographic failures occur when cryptographic
methods do not protect data appropriately. Common
cryptographic control issues include poorly
implemented cryptographic protocols and obsolete
cryptographic ciphers.
In the past, this category of web security risks was
called ‘sensitive data exposure’. OWASP changed the
category’s name to emphasize the seriousness of
cryptographic failures and the dangerous role they play
in exposing sensitive information.
How to prevent cryptographic failures:
Turn off autocomplete on any form that collects
data and disable caching on these forms.
Minimize the data surface area.
Encrypt your data in transit as well as at rest.
Implement only the most updated encryption
techniques.
Set up and enforce strong adaptive and salted
hashing functions for passwords.
A03: Injection
Injection vulnerabilities allow threat actors to insert
malicious data into an application. The injection may
include malicious commands that redirect stored data
to a malicious website or force changes to the
application.
The list mentions SQLi injection as a common attack
vector. You can remediate this risk by explicitly
authenticating all untrusted data, particularly data
submitted by your end-users. In 2021, the OWASP
updated this category to include cross-site scripting
(XSS).
How to prevent injection attacks:
Segregate commands from data—this technique
can help prevent attacks that replace data with
unauthorized command execution.
Code SQL queries with parameters—instead of
structuring a command only from user input
content, use parameterized queries (also called
prepared statements).
Eliminate the interpreter—you can use a safe API
to eliminate the interpreter.
Implement positive server-side validation—use
this technique with an intrusion detection system
to identify suspicious client-side behaviors.
A04: Insecure Design
Design flaws can introduce critical threats to your web
application. They are caused by an insecure design that
does not include threat modeling, reference
architectures, or secure design principles and patterns.
Failure to assess the business risks inherent in the
system being developed can also cause design flaws.
How to avoid design flaws:
A secure development lifecycle—set up and
enforce a lifecycle that includes security in the
design of the software and all development
phases.
A library of secure design patterns—set up a
library and use it consistently to standardize
security.
Threat modeling—implement threat modeling for
critical access control, authentication, key flows,
and business logic.
User stories—use security controls for all user
stories.
Plausibility checks—include these checks for each
application tier, from front-end to back-end.
Segregate tier layers—implement segregation for
the system and network layers according to your
project’s exposure and protection needs.
A05: Security Misconfiguration
Security misconfigurations occur when issues in the
application’s configurations allow unauthorized access,
usage, modification, and data exfiltration. For example,
applications that incorrectly filter incoming packets
may allow unauthorized use of a default user ID or
password. In 2021, OWASP added EML external entities
(XXE) vulnerabilities to this category.
How to avoid security misconfigurations:
Implement a repeatable hardening process—this
process can help you quickly deploy an
appropriately locked down environment. Ideally,
you should configure all environments identically—
including development, testing, and production—
but with different credentials.
Recommended by LinkedIn
Use a minimal design—do not add unnecessary
components, features, samples, or documentation.
If you find any redundancies, remove these unused
features and frameworks.
Set up a patch management process—this process
should include configuration reviews followed by
updates and fixes.
Configure a segmented application architecture—
use this to isolate components or tenants to
ensure threats are contained to the location of
initial intrusion. You can use various techniques,
including containerization, segmentation, and
cloud security groups.
Automated your processes—automation helps
drive efficiencies and reduce the scope of human
error. You can use automation to verify the
effectiveness of your configurations and settings
across all environments.
A06: Vulnerable and Outdated
Components
This category refers to unsupported, out-of-date, and
vulnerable software components, including direct and
indirect dependencies. Using these components
without regular scanning and testing mechanisms can
introduce critical risks. In the past, this category was
called ‘Using Components with Known Vulnerabilities’.
It was updated to include outdated components.
How to avoid using vulnerable and
outdated components:
Remove redundancies—including unused
dependencies and any unnecessary features, files,
documentation, and components.
Check your versions—you must continuously
inventory all used versions of server-side and
client-side components as well as their
dependencies. You can use tools like OWASP
Dependency Check and retire.js.
Scan for vulnerabilities—you should continuously
monitor various sources, such as the National
Vulnerability Database (NVD), for known
vulnerabilities in your software. You can employ
software composition analysis (SCA) tools to
automate this process.
Use official sources—obtain components only
from official sources and use secure links. Ideally,
you should use signed packages to avoid including
a modified, malicious component.
Monitor for activity—do not use libraries and
components that are no longer maintained or do
not provide security patches for older versions. If it
is impossible to patch, deploy a virtual patch to
monitor, detect, and protect against these issues.
A07: Identification and Authentication
Failures
This category includes vulnerabilities caused by
identification and authentication failures. These
failures allow attackers to launch brute force attacks
and credential stuffing. Common vulnerabilities include
a lack of multi-factor authentication (MFA) and no user-
session validation for inactive or expired sessions.
This category was introduced in 2017 under the name
‘broken authentication’. In 2021, OWASP updated the
category and renamed it to include broken session
management and broken authentication.
How to prevent broken authentication
and identification:
Implement MFA and enforce strong passwords.
Never deploy using default credentials and
constantly monitor all failed login attempts.
Employ a secure session manager to generate
time-limited, random session IDs. Do not include
session IDs in URLs.
A08: Software and Data Integrity Failures
This category includes assumptions made regarding
software updates, CI/CD pipelines, and critical data
without verifying integrity. Additionally, the category
mentions insecure deserialization, which occurs when
applications do not deserialize vulnerable objects.
Threat actors can manipulate data received by back-
end code to launch attacks.
How to avoid software and data integrity
failures:
Digital signatures—mechanisms like digital
signatures can verify the data or software
originates from an expected, trusted source and
was not altered.
Trusted repositories—your libraries and
dependencies should consume trusted repositories
like Maven or npm. You can also host an internal,
vetted repository.
A review process—use a review process for all
code and configuration changes to reduce the
probability of malicious code or configuration
added to the pipeline.
Integrity—CI/CD pipelines require proper
segregation, access control, and configuration to
ensure the integrity of any code moving through
build and deploy stages.
A09: Security Logging and Monitoring
Failures
This category was previously referred to as ‘insufficient
logging and monitoring’. It covers vulnerabilities
related to security monitoring and logging failures,
which can lead to errors in your ability to identify,
escalate, and respond to active breaches. Logging and
monitoring are crucial mechanisms to detect breaches.
These failures impact visibility, forensics, and incident
alerting.
How to prevent security logging and
monitoring failures:
Context—you should log all failures related to
login, server-side input validation, and access
control with sufficient user context. This context is
key to helping you identify suspicious accounts and
perform accurate forensic analysis.
Format—ideally, your set up logging so that the
system generates logs in a format your log
management solutions can consume easily.
Encoding—you can prevent injections and attacks
on your logging and monitoring systems by
ensuring log data is properly encoded.
Audit trails—you should set up an audit trail with
integrity controls, such as append-only database
tables, for high-value transactions. It can help you
prevent deletion and tampering.
A10: Server-Side Request Forgery
Server-side request forgery (SSRF) vulnerabilities allow
threat actors to force a server-side application to send
HTTP requests to domains chosen by the actor. It
occurs when a web application fetches remote
resources without validating user-supplied URLs. It can
occur even if you use a firewall or VPN because threat
actors can still force the application to send a forged
request to an unauthorized location.
How to prevent SSRF:
Enforce network access control rules or firewall
policies that deny by default—to allow only
essential intranet traffic.
Always validate and sanitize client-supplied input
data.
Use a positive allow list to enforce the URL
schema, port, and destination.
Disable HTTP redirections and never send raw
responses to clients.
Reduce the impact of SSRF attacks by segmenting
remote resource access functionality in separate
networks.
Other OWASP Top 10 Lists
In addition to the OWASP Top 10 Application Security
Vulnerabilities list, covered in this article, OWASP has
released two other important lists that can help you
secure mobile applications and APIs. Learn about them
in our detailed guides:
OWASP Mobile Top 10 (coming soon)
OWASP API Top 10 (coming soon)
Are These the Only Vulnerabilities You
Need to Watch Out For?
The OWASP Top 10 is a great resource for web
developers and security professionals. It provides a
solid foundation and highlights key issues observed in
production web applications. However, it is not a good
idea to build an entire application security program on
these 10 issues, for several reasons.
Threats not covered in the OWASP Top 10
There are many other types of vulnerabilities and
techniques that can be used to break into applications
and steal data.
For example, Cross-Site Request Forgery (CSRF) was
removed from the 2017 OWASP Top 10 list, because it
is a less significant threat in the current technology
environment. This doesn’t mean you don’t need CSRF
protection—it only means that most organizations and
frameworks already protect themselves, so OWASP
considers it a less severe risk.
Rapid evolution of appsec technology and threats
Another concern is the rapid evolution of web
application technology, and rising new threats. Because
OWASP Top 10 is updated only once every three years,
it does not reflect the latest technologies, newly
discovered vulnerabilities, and the latest tactics,
techniques, and procedures (TTP) used by attackers.
The need for comprehensive security testing
Automated security tools can help you scan software
projects for vulnerabilities and security weaknesses,
including but not limited to the OWASP Top 10 risks.
This is critical to ensuring that you did not miss an
important vulnerability that was not included in the
Top 10, but can still pose a risk to your application and
business.