OWASP Top 10
OWASP Top 10
Open Web Application Security Project — the top 10 web application security risks
1. Overview: The Global Standard Defining the Top 10 Web Application Security Vulnerabilities, OWASP Top 10
flowchart LR
A["Countless, hard-to-classify<br/>web app security vulnerabilities<br/>Low developer security awareness"] --"OWASP Top 10<br/>standardizes vulnerabilities"--> B["Top 10 vulnerability<br/>classification, risk-based priority"] --"Secure coding<br/>security by design"--> C["Overall improvement in<br/>web app security level"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: A list of the top 10 web application security risks, published every 3-4 years by OWASP (the Open Web Application Security Project) based on analysis of vulnerability data worldwide. It is a global standard used by developers, security teams, and auditors as a common language for web security.
Characteristics: (Risk-based prioritization) Priority is determined based on frequency of occurrence, exploitability, and business impact combined. (Emphasis on secure design) The 2021 edition added Insecure Design (A04) as a new category, emphasizing the importance of security at the design stage. (Linked to security standards) Widely used as a basis for security-check criteria in PCI-DSS, ISO 27001, and Korea’s ISMS-P.
2. Core Structure of the OWASP Top 10
A. The 10 Web Application Vulnerabilities (2021)
flowchart TD
subgraph R1[" "]
direction LR
A01["A01. Broken Access Control<br/>Broken Access Control<br/>Unauthorized resource access"]
A02["A02. Cryptographic Failures<br/>Cryptographic Failures<br/>Sensitive data exposure, weak encryption"]
A03["A03. Injection<br/>Injection<br/>SQL/NoSQL/OS/LDAP injection"]
end
subgraph R2[" "]
direction LR
A04["A04. Insecure Design<br/>Insecure Design<br/>Security flaws at the design stage"]
A05["A05. Security Misconfiguration<br/>Security Misconfiguration<br/>Default or incorrect configuration"]
A06["A06. Vulnerable Components<br/>Vulnerable Components<br/>Outdated or vulnerable libraries"]
end
subgraph R3[" "]
direction LR
A07["A07. Identification Failures<br/>Identification Failures<br/>Weak session/credential management"]
A08["A08. Data Integrity Failures<br/>Data Integrity Failures<br/>Insecure deserialization"]
A09["A09. Logging Failures<br/>Logging Failures<br/>Lack of breach detection capability"]
end
subgraph R4[" "]
direction LR
A10["A10. SSRF<br/>Server-Side Request Forgery<br/>Unauthorized access to internal services"]
end
style A01 fill:#FFEBEE,stroke:#D32F2F,color:#000
style A02 fill:#FFF3E0,stroke:#F57C00,color:#000
style A03 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style A04 fill:#E3F2FD,stroke:#1976D2,color:#000
style A05 fill:#E8EAF6,stroke:#3949AB,color:#000
style A06 fill:#E0F2F1,stroke:#00796B,color:#000
style A07 fill:#FCE4EC,stroke:#C2185B,color:#000
style A08 fill:#FFF9C4,stroke:#F9A825,color:#000
style A09 fill:#E8F5E9,stroke:#388E3C,color:#000
style A10 fill:#E3F2FD,stroke:#1976D2,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
style R3 fill:none,stroke:none
style R4 fill:none,stroke:none
B. Detection and Mitigation per Vulnerability
| Rank | Vulnerability | Attack Scenario | Detection Method | Mitigation |
|---|---|---|---|---|
| A01 | Broken Access Control | Direct URL access, parameter tampering, IDOR | Anomaly detection in access logs | Server-side authorization checks, least-privilege principle |
| A02 | Cryptographic Failures | Plaintext transmission, weak hashing (MD5), hardcoded keys | Packet analysis, code review | TLS 1.2+, AES-256, PBKDF2 hashing |
| A03 | Injection | SQL injection, OS command injection, XSS | DAST, WAF rule detection | Prepared statements, input validation, parameterized queries |
| A04 | Insecure Design | Business logic flaws, missing rate limiting | Threat modeling (STRIDE) | Define security requirements at design time, threat modeling |
| A05 | Security Misconfiguration | Default accounts, unnecessary features, exposed directories | Configuration scanning tools | Enable only necessary features, apply CIS Benchmarks |
| A06 | Vulnerable Components | Log4Shell, Spring4Shell, outdated libraries | SBOM, SCA tools | Regular dependency updates, Snyk, Dependabot |
| A07 | Identification Failures | Credential stuffing, session hijacking, weak passwords | Login-failure monitoring | MFA, session timeouts, stronger password policy |
| A08 | Data Integrity Failures | Deserialization attacks, CI/CD pipeline tampering | Signature verification, integrity checks | Never deserialize untrusted data, verify signatures |
| A09 | Logging Failures | Prolonged undetected breaches, lack of forensic evidence | Log-gap detection | Centralized log collection (SIEM), alert threshold configuration |
| A10 | SSRF | Access to internal metadata servers, cloud credential theft | Outbound request monitoring | URL allow-lists, block internal-network access, prevent DNS rebinding |
3. Expected Benefits and Practical Application of the OWASP Top 10
| Category | Key Expected Benefit | Application & Practical Use |
|---|---|---|
| Secure coding | Reduces security cost by eliminating vulnerabilities early in development | Reflect Top 10 criteria in code review checklists and SAST tools |
| Security testing | Provides a standard baseline for penetration testing and vulnerability checks | Use a DAST tool (OWASP ZAP) to check against all 10 items |
| Compliance | Meets PCI-DSS and ISMS-P web-vulnerability check requirements | Apply a Top-10-based checklist during periodic security reviews |
| Developer training | Improves the development team’s security awareness with a common security language | Basis for new-developer onboarding and secure-coding training curricula |