OWASP Top 10
Industry Standard for Web Application Security
The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. This globally recognized standard helps developers and security professionals understand and prioritize the most important security concerns.
Broken Access Control
Overview
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Technical Details
Common access control vulnerabilities include bypassing access control checks by modifying the URL, internal application state, HTML pages, or API requests. Elevation of privilege attacks allow users to act as administrators or users with privileged access. Metadata manipulation such as replaying or tampering with JWT tokens, cookies, or hidden fields. CORS misconfiguration allows unauthorized API access.
Real-World Impact
Attackers can access unauthorized functionality and data, including other users' accounts, sensitive files, or administrative functions. In e-commerce applications, this might mean accessing other customers' orders or payment information. In corporate systems, this could expose confidential business data or allow unauthorized system modifications.
Common Examples
URL manipulation to access unauthorized pages, JWT token tampering, privilege escalation through parameter modification
Prevention Strategies
- Implement proper authorization checks on all protected resources
- Use secure session management and authentication frameworks
- Apply the principle of least privilege throughout your application
- Conduct regular access control testing and code reviews
- Log access control failures and alert administrators appropriately
Cryptographic Failures
Overview
Cryptographic failures often lead to sensitive data exposure or system compromise. This category focuses on failures related to cryptography (or lack thereof) which often leads to sensitive data exposure.
Technical Details
Common failures include transmitting data in clear text (HTTP, SMTP, FTP), using old or weak cryptographic algorithms, improper key management, missing encryption for sensitive data at rest, and certificate validation issues. Browser security directive issues like missing or improper HTTP security headers also fall under this category.
Real-World Impact
Sensitive data including personal information, payment details, healthcare records, or business secrets can be compromised. This can lead to identity theft, financial fraud, regulatory violations, and significant business impact. In healthcare or financial sectors, such breaches can result in massive fines and loss of trust.
Common Examples
Unencrypted database storage, weak password hashing, missing HTTPS, poor certificate validation
Prevention Strategies
- Encrypt all sensitive data at rest and in transit using strong algorithms
- Implement proper key management and rotation procedures
- Use secure protocols (HTTPS, TLS 1.3+) for all communications
- Validate and properly configure SSL/TLS certificates
- Apply security headers and follow current cryptographic best practices
Injection
Overview
An application is vulnerable to injection when user-supplied data is not validated, filtered, or sanitized. Injection flaws occur when hostile data is sent to an interpreter as part of a command or query.
Technical Details
Common injection types include SQL injection, NoSQL injection, OS command injection, LDAP injection, and Expression Language (EL) injection. Cross-Site Scripting (XSS) is now considered part of injection. These vulnerabilities occur when applications fail to properly validate, filter, or escape user input before including it in interpreter commands.
Real-World Impact
Successful injection attacks can result in data loss, corruption, disclosure to unauthorized parties, loss of accountability, denial of access, or complete host takeover. Business impact depends on the needs of the application and data, but can include complete system compromise and data breaches.
Common Examples
SQL injection in login forms, command injection in file uploads, XSS in comment sections, LDAP injection in authentication
Prevention Strategies
- Use parameterized queries and prepared statements for database access
- Implement proper input validation and output encoding
- Use whitelist input validation wherever possible
- Escape special characters for the specific interpreter in use
- Apply the principle of least privilege for database and system accounts
Insecure Design
Overview
Insecure design is a broad category representing different weaknesses expressed as missing or ineffective control design. If we genuinely want to "shift left" as an industry, it calls for more threat modeling, secure design patterns and principles.
Technical Details
Insecure design represents missing or ineffective security controls in the application architecture. This is different from insecure implementation - you can implement a secure design insecurely, but you cannot implement an insecure design securely. Key aspects include threat modeling, secure design patterns, reference architectures, and security requirements gathering.
Real-World Impact
Applications with insecure design are fundamentally flawed from a security perspective. These flaws cannot be fixed with patches or configuration changes - they require architectural redesign. This can lead to complete application rewrites and significant business disruption when vulnerabilities are discovered.
Common Examples
Missing rate limiting on password recovery, insufficient workflow validation, lack of segregation in multi-tenant systems
Prevention Strategies
- Establish a secure development lifecycle with security professionals
- Create and use a library of secure design patterns and reference architectures
- Conduct threat modeling for critical authentication, access control, and key flows
- Write unit and integration tests to validate critical flows resist threat models
- Segregate tiers and limit resource consumption per user or service
Security Misconfiguration
Overview
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
Technical Details
This includes missing appropriate security hardening across any part of the application stack, improperly configured permissions on cloud services, unnecessary features enabled or installed, default accounts and passwords still enabled, error handling revealing stack traces or overly informative error messages, and latest security features disabled or not configured securely.
Real-World Impact
Security misconfigurations can give attackers unauthorized access to system data or functionality. This might include access to administrative interfaces, cloud storage buckets, or detailed system information through error messages. The impact ranges from information disclosure to complete system compromise.
Common Examples
Default admin credentials, unnecessary services running, missing security headers, cloud storage misconfiguration
Prevention Strategies
- Implement a repeatable hardening process for all environments
- Deploy a minimal platform without unnecessary features or components
- Review and update configurations as part of patch management
- Implement a segmented application architecture with proper separation
- Send security directives to clients (security headers)
Vulnerable and Outdated Components
Overview
Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.
Technical Details
This vulnerability occurs when you use components with known vulnerabilities, don't know the versions of components you use, use software that is out of date or vulnerable, don't scan for vulnerabilities regularly, or don't fix or upgrade the underlying platform and frameworks in a timely fashion.
Real-World Impact
Depending on the vulnerable component, impacts can range from minimal to complete host takeover and data compromise. Some high-profile breaches have been caused by vulnerable components, including the Equifax breach which was caused by a known vulnerability in Apache Struts.
Common Examples
Outdated JavaScript libraries, vulnerable WordPress plugins, unpatched operating systems, insecure Docker images
Prevention Strategies
- Remove unused dependencies, features, components, files, and documentation
- Continuously inventory versions of components and their dependencies
- Monitor sources like CVE and NVD for vulnerabilities in your components
- Use software composition analysis tools to automate the process
- Obtain components only from official sources over secure links
Identification and Authentication Failures
Overview
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. Authentication failures can occur when functions related to authentication and session management are often implemented incorrectly.
Technical Details
Common issues include permitting automated attacks like credential stuffing, permitting brute force attacks, permitting default or weak passwords, using weak credential recovery processes, storing passwords using weak hashing methods, having missing or ineffective multi-factor authentication, exposing session identifiers in URLs, and not properly invalidating session IDs.
Real-World Impact
Authentication failures can allow attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities temporarily or permanently. This can lead to complete account takeover, data theft, or unauthorized access to business functions.
Common Examples
Weak password policies, missing MFA, session fixation, credential stuffing attacks, insecure password recovery
Prevention Strategies
- Implement multi-factor authentication to prevent automated attacks
- Do not deploy with default credentials, particularly for admin users
- Implement weak password checks and enforce strong password policies
- Align password length, complexity, and rotation policies with modern guidelines
- Use secure session management with proper timeout and invalidation
Software and Data Integrity Failures
Overview
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This includes applications that rely on plugins, libraries, or modules from untrusted sources without integrity checks.
Technical Details
Common scenarios include applications relying on plugins, libraries, or modules from untrusted sources, insecure CI/CD pipelines that can introduce unauthorized access, auto-update functionality that downloads updates without integrity verification, and serialized data that is signed or encrypted by an application that is then sent to an untrusted client.
Real-World Impact
Integrity failures can lead to unauthorized code execution, which may result in complete application compromise. This is particularly dangerous in CI/CD environments where a compromise can affect multiple applications and environments. Supply chain attacks have become increasingly common and devastating.
Common Examples
Compromised npm packages, insecure auto-updates, tampered CI/CD pipelines, unsigned software distribution
Prevention Strategies
- Use digital signatures to verify software and data integrity
- Ensure libraries and dependencies are from trusted repositories
- Use software supply chain security tools like OWASP Dependency Check
- Implement a review process for code and configuration changes
- Ensure CI/CD pipeline has proper segregation and access controls
Security Logging and Monitoring Failures
Overview
Logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
Technical Details
Common failures include auditable events not being logged, warnings and errors generating no or inadequate log messages, logs of applications and APIs not being monitored for suspicious activity, logs being stored locally only, insufficient alerting thresholds and response escalation processes, and penetration testing and DAST tool scans not triggering alerts.
Real-World Impact
Without proper logging and monitoring, breaches cannot be detected in a timely manner. Studies show that breaches often go undetected for months, allowing attackers to cause maximum damage. Insufficient logging also hampers incident response and forensic analysis.
Common Examples
Missing authentication logs, insufficient error logging, lack of security monitoring, poor incident response
Prevention Strategies
- Log all login, access control, and input validation failures
- Ensure log data is encoded correctly to prevent injection attacks
- Ensure high-value transactions have audit trails with integrity controls
- Establish effective monitoring and alerting for suspicious activities
- Adopt an incident response and recovery plan
Server-Side Request Forgery
Overview
SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination.
Technical Details
SSRF occurs when applications fetch remote resources without validating user-supplied URLs. Attackers can coerce applications to send requests to unexpected destinations, even when protected by firewalls, VPNs, or access control lists. Modern applications often need to fetch remote resources, making SSRF increasingly common.
Real-World Impact
SSRF can lead to unauthorized actions or access to data within the organization, such as internal services, databases, or file systems. In cloud environments, SSRF can be particularly dangerous as it can access cloud metadata services and potentially lead to complete cloud account takeover.
Common Examples
Cloud metadata access, internal service scanning, file system access, database access through internal APIs
Prevention Strategies
- Sanitize and validate all client-supplied input data
- Enforce URL schema, port, and destination with an allow list
- Do not send raw responses to clients
- Disable HTTP redirections and implement proper network segmentation
- Monitor and log all network requests from server-side components
Learn by Doing
Understanding vulnerabilities is just the beginning. Experience them firsthand with HoneyBot's interactive security challenges.
Adapted from the OWASP Foundation, licensed under CC BY-SA 4.0