Skip to content

OWASP Top 10

OWASP Top 10

Open Web Application Security Project — the top 10 web application security risks

1. Overview: The Global Standard Defining the Top 10 Web Application Security Vulnerabilities, OWASP Top 10

    flowchart LR
    A["Countless, hard-to-classify<br/>web app security vulnerabilities<br/>Low developer security awareness"] --"OWASP Top 10<br/>standardizes vulnerabilities"--> B["Top 10 vulnerability<br/>classification, risk-based priority"] --"Secure coding<br/>security by design"--> C["Overall improvement in<br/>web app security level"]

    style A fill:#FFEBEE,stroke:#D32F2F,color:#000
    style B fill:#E3F2FD,stroke:#1976D2,color:#000
    style C fill:#E8F5E9,stroke:#388E3C,color:#000
  

Definition: A list of the top 10 web application security risks, published every 3-4 years by OWASP (the Open Web Application Security Project) based on analysis of vulnerability data worldwide. It is a global standard used by developers, security teams, and auditors as a common language for web security.

Characteristics: (Risk-based prioritization) Priority is determined based on frequency of occurrence, exploitability, and business impact combined. (Emphasis on secure design) The 2021 edition added Insecure Design (A04) as a new category, emphasizing the importance of security at the design stage. (Linked to security standards) Widely used as a basis for security-check criteria in PCI-DSS, ISO 27001, and Korea’s ISMS-P.


2. Core Structure of the OWASP Top 10

A. The 10 Web Application Vulnerabilities (2021)

    flowchart TD
    subgraph R1[" "]
        direction LR
        A01["A01. Broken Access Control<br/>Broken Access Control<br/>Unauthorized resource access"]
        A02["A02. Cryptographic Failures<br/>Cryptographic Failures<br/>Sensitive data exposure, weak encryption"]
        A03["A03. Injection<br/>Injection<br/>SQL/NoSQL/OS/LDAP injection"]
    end
    subgraph R2[" "]
        direction LR
        A04["A04. Insecure Design<br/>Insecure Design<br/>Security flaws at the design stage"]
        A05["A05. Security Misconfiguration<br/>Security Misconfiguration<br/>Default or incorrect configuration"]
        A06["A06. Vulnerable Components<br/>Vulnerable Components<br/>Outdated or vulnerable libraries"]
    end
    subgraph R3[" "]
        direction LR
        A07["A07. Identification Failures<br/>Identification Failures<br/>Weak session/credential management"]
        A08["A08. Data Integrity Failures<br/>Data Integrity Failures<br/>Insecure deserialization"]
        A09["A09. Logging Failures<br/>Logging Failures<br/>Lack of breach detection capability"]
    end
    subgraph R4[" "]
        direction LR
        A10["A10. SSRF<br/>Server-Side Request Forgery<br/>Unauthorized access to internal services"]
    end

    style A01 fill:#FFEBEE,stroke:#D32F2F,color:#000
    style A02 fill:#FFF3E0,stroke:#F57C00,color:#000
    style A03 fill:#F3E5F5,stroke:#7B1FA2,color:#000
    style A04 fill:#E3F2FD,stroke:#1976D2,color:#000
    style A05 fill:#E8EAF6,stroke:#3949AB,color:#000
    style A06 fill:#E0F2F1,stroke:#00796B,color:#000
    style A07 fill:#FCE4EC,stroke:#C2185B,color:#000
    style A08 fill:#FFF9C4,stroke:#F9A825,color:#000
    style A09 fill:#E8F5E9,stroke:#388E3C,color:#000
    style A10 fill:#E3F2FD,stroke:#1976D2,color:#000
    style R1 fill:none,stroke:none
    style R2 fill:none,stroke:none
    style R3 fill:none,stroke:none
    style R4 fill:none,stroke:none
  

B. Detection and Mitigation per Vulnerability

RankVulnerabilityAttack ScenarioDetection MethodMitigation
A01Broken Access ControlDirect URL access, parameter tampering, IDORAnomaly detection in access logsServer-side authorization checks, least-privilege principle
A02Cryptographic FailuresPlaintext transmission, weak hashing (MD5), hardcoded keysPacket analysis, code reviewTLS 1.2+, AES-256, PBKDF2 hashing
A03InjectionSQL injection, OS command injection, XSSDAST, WAF rule detectionPrepared statements, input validation, parameterized queries
A04Insecure DesignBusiness logic flaws, missing rate limitingThreat modeling (STRIDE)Define security requirements at design time, threat modeling
A05Security MisconfigurationDefault accounts, unnecessary features, exposed directoriesConfiguration scanning toolsEnable only necessary features, apply CIS Benchmarks
A06Vulnerable ComponentsLog4Shell, Spring4Shell, outdated librariesSBOM, SCA toolsRegular dependency updates, Snyk, Dependabot
A07Identification FailuresCredential stuffing, session hijacking, weak passwordsLogin-failure monitoringMFA, session timeouts, stronger password policy
A08Data Integrity FailuresDeserialization attacks, CI/CD pipeline tamperingSignature verification, integrity checksNever deserialize untrusted data, verify signatures
A09Logging FailuresProlonged undetected breaches, lack of forensic evidenceLog-gap detectionCentralized log collection (SIEM), alert threshold configuration
A10SSRFAccess to internal metadata servers, cloud credential theftOutbound request monitoringURL allow-lists, block internal-network access, prevent DNS rebinding

3. Expected Benefits and Practical Application of the OWASP Top 10

CategoryKey Expected BenefitApplication & Practical Use
Secure codingReduces security cost by eliminating vulnerabilities early in developmentReflect Top 10 criteria in code review checklists and SAST tools
Security testingProvides a standard baseline for penetration testing and vulnerability checksUse a DAST tool (OWASP ZAP) to check against all 10 items
ComplianceMeets PCI-DSS and ISMS-P web-vulnerability check requirementsApply a Top-10-based checklist during periodic security reviews
Developer trainingImproves the development team’s security awareness with a common security languageBasis for new-developer onboarding and secure-coding training curricula