10/3/23, 12:26 PM OWASP Top 10

HACKSPLAINING
OWASP TOP 10
TOP 10 WEB APPLICATION SECURITY RISKS
Each year OWASP (the Open Web Application Security Project) publishes the top ten
security vulnerabilities. It represents a broad consensus about the most critical
security risks to web applications. Click through on the lessons below to learn more about
how to protect against each security risk.

1. Broken Access Control

Access control enforces policy such that users cannot act outside of their intended
permissions. Failures typically lead to unauthorized information disclosure,
modification, or destruction of all data or performing a business function outside the
user's limits.

broken access control directory traversal cross-site request forgery

2. Cryptographic Failures
Many web applications and APIs do not properly protect sensitive data with strong
encryption. Attackers may steal or modify such weakly protected data to conduct
credit card fraud, identity theft, or other crimes. Sensitive data must be encryption at
rest and in transit, using a modern (and correctly configured) encryption algorithm.

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 1/6
10/3/23, 12:26 PM OWASP Top 10

unencrypted communication

3. Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted
data is sent to an interpreter as part of a command or query. The attacker’s hostile
data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.

sql injection command execution

4. Insecure Design
Pre-coding activities are critical for the design of secure software. The design phase
of you development lifecycle should gather security requirements and model
threats, and development time should be budgeted to allow for these requirements
to be met. As software changes, your team should test assumptions and conditions
for expected and failure flows, ensuring they are still accurate and desirable. Failure
to do so will let slip critical information to attackers, and fail to anticipate novel
attack vectors.

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 2/6
10/3/23, 12:26 PM OWASP Top 10

insecure design information leakage file upload vulnerabilities

5. Security Misconfiguration
Your software is only as secure as you configure it to be. Using ad hoc configuration
standards can lead to default accounts being left in place, open cloud storage,
misconfigured HTTP headers, and verbose error messages containing sensitive
information. Not only must all operating systems, frameworks, libraries, and
applications be securely configured, but they must be patched/upgraded in a timely
fashion.

lax security settings

6. Vulnerable and Outdated Components

Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application. If a vulnerable component is exploited, such
an attack can facilitate serious data loss or server takeover. Applications and APIs
using components with known vulnerabilities may undermine application defenses
and enable various attacks and impacts.

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 3/6
10/3/23, 12:26 PM OWASP Top 10

toxic dependencies

7. Identification and Authentication Failures

Application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other users’
identities temporarily or permanently.

password mismanagement privilege escalation user enumeration

session fixation weak session ids

8. Software and Data Integrity Failures

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 4/6
10/3/23, 12:26 PM OWASP Top 10

Software and data integrity failures relate to code and infrastructure that does not
protect against integrity violations. An example of this is where an application relies
upon plugins, libraries, or modules from untrusted sources, repositories, and
content delivery networks (CDNs). An insecure deployment pipeline can introduce
the potential for unauthorized access, malicious code, or system compromise. Lastly,
many applications now include auto-update functionality, where updates are
downloaded without sufficient integrity verification and applied to the previously
trusted application. Attackers could potentially upload their own updates to be
distributed and run on all installations.

9. Security Logging and Monitoring Failures

Insufficient logging and monitoring, coupled with missing or ineffective integration
with incident response, allows attackers to further attack systems, maintain
persistence, pivot to more systems, and tamper, extract, or destroy data. Most
breach studies show time to detect a breach is over 200 days, typically detected by
external parties rather than internal processes or monitoring.

logging and monitoring

10. Server-Side Request Forgery

Server-Side Request Forgery (SSRF) flaws occur whenever a web application fetches a
remote resource without validating the user-supplied URL. It allows an attacker to
coerce the application to send a crafted request to an unexpected destination, even
when protected by a firewall, VPN, or another type of network access control list
(ACL).

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 5/6
10/3/23, 12:26 PM OWASP Top 10

server-side request forgery

We use cookies to enhance your experience. By continuing to visit this site you agree to our ✖
use of cookies. More info

https://www.hacksplaining.com/owasp 6/6