Standards explained
OWASP Top 10 (2021) Explained
The OWASP Top 10 is the most widely used awareness standard for web application security risks. Below is each 2021 category explained in plain language, with links into the knowledge graph where relevant.
A01: Broken Access Control
Users acting outside their intended permissions - IDOR/BOLA, privilege escalation, forced browsing. The top category, and the root cause of many serious breaches.
A02: Cryptographic Failures
Weak or missing protection of sensitive data in transit or at rest - weak algorithms, missing encryption, exposed secrets.
A03: Injection
Untrusted input interpreted as code or commands - SQL injection, command injection, SSTI, and cross-site scripting.
A04: Insecure Design
Flaws originating in design rather than implementation, addressable through threat modeling and secure design patterns.
A05: Security Misconfiguration
Insecure defaults, verbose errors, missing hardening, and (as of 2021) XXE from insecure parser configuration.
A06: Vulnerable and Outdated Components
Using components with known vulnerabilities - a software supply-chain risk addressed by software composition analysis.
A07: Identification and Authentication Failures
Weak authentication and session management, including credential stuffing, weak MFA, and flawed token handling.
A08: Software and Data Integrity Failures
Trusting code or data without integrity verification - insecure deserialization and unverified update pipelines.
A09: Security Logging and Monitoring Failures
Insufficient logging, detection, and response, letting attacks proceed unnoticed.
A10: Server-Side Request Forgery (SSRF)
Coercing the server into making requests to unintended destinations, often reaching internal or cloud metadata services.
Key takeaways
- Broken Access Control (A01) is the most common serious risk category.
- The Top 10 is an awareness baseline, not a complete test plan.
- Real risk comes from chaining categories, not isolated findings.
FAQ
Is the OWASP Top 10 a checklist?
It is an awareness document of the most critical risk categories, not an exhaustive testing checklist. Use it to prioritize, but comprehensive testing covers far more than ten items.
Related
Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.
Join the waitlist