OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The 2021 OWASP Top 10
- A01:2021-Broken Access Control: Failures in this area can lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
  - Mitigation: Implement access control mechanisms once and re-use them throughout the application. Deny by default.
- A02:2021-Cryptographic Failures: This category includes failures related to cryptography (or lack thereof), which can lead to the exposure of sensitive data.
  - Mitigation: Encrypt all sensitive data at rest and in transit. Use strong, up-to-date cryptographic algorithms.
- A03:2021-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
  - Mitigation: Use parameterized queries or prepared statements. Sanitize and validate all user input.
- A04:2021-Insecure Design: A new category for 2021, this focuses on risks related to design flaws.
  - Mitigation: Use threat modeling and secure design patterns from the start of the development lifecycle.
- A05:2021-Security Misconfiguration: This includes insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
  - Mitigation: Harden your application and server configurations. Automate the process of verifying configurations.
- A06:2021-Vulnerable and Outdated Components: This category is for using components with known vulnerabilities.
  - Mitigation: Regularly scan for and update all components and their dependencies.
- A07:2021-Identification and Authentication Failures: This category includes failures in user identity management, authentication, and session management.
  - Mitigation: Implement multi-factor authentication. Use strong password policies. Protect session IDs.
- A08:2021-Software and Data Integrity Failures: A new category for 2021, this focuses on failures related to software updates, critical data, and CI/CD pipelines without verifying integrity.
  - Mitigation: Use digital signatures or similar mechanisms to verify the integrity of software updates and critical data.
- A09:2021-Security Logging and Monitoring Failures: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
  - Mitigation: Implement logging and monitoring to detect and respond to security incidents.
- A10:2021-Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.
  - Mitigation: Sanitize and validate all user-supplied input URLs. Enforce a "deny by default" firewall policy.
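The A03 mitigation (parameterized queries plus input validation) shown side by side with the flaw it removes, as an added example that is not part of the OWASP document; the in-memory SQLite table, the user rows and the test input are constructed for the demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db():
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # A03 flaw: untrusted data is spliced into the SQL text, so the
    # interpreter cannot distinguish the data from the command.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_parameterized(conn, username):
    # Mitigation 1: a bound placeholder keeps the input as a value only,
    # whatever characters it contains.
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def is_valid_username(username):
    # Mitigation 2: allow-list validation rejects input that does not
    # match the expected shape before it reaches any query.
    return bool(USERNAME_RE.match(username))


def demo():
    conn = build_db()
    crafted = "' OR '1'='1"  # constructed test input that closes the quote
    return {
        "vulnerable": find_user_vulnerable(conn, crafted),
        "parameterized": find_user_parameterized(conn, crafted),
        "normal": find_user_parameterized(conn, "bob"),
        "crafted_valid": is_valid_username(crafted),
        "normal_valid": is_valid_username("bob"),
    }
```

Running `demo()` shows the concatenated query returning every row for the crafted input while the parameterized query returns none, and the allow-list check rejecting that input before it is ever used.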