Skip to content
Home
Web Application Security: OWASP Top 10 Explained

Web Application Security: OWASP Top 10 Explained

Cybersecurity Cybersecurity 9 min read 1796 words Intermediate ExcellentWiki Editorial Team

Web applications are the primary interface between organizations and their users. They process sensitive data, handle authentication, and execute business logic. This makes them a prime target for attackers. The OWASP Top 10 is the authoritative guide to the most critical web application security risks. Understanding these vulnerabilities is essential for developers, security professionals, and anyone involved in building or maintaining web applications.

A01: Broken Access Control

Access control enforces what users can and cannot do. Broken access control occurs when these restrictions fail, allowing users to act outside their intended permissions.

Common examples include privilege escalation (a regular user accessing admin functions), IDOR (insecure direct object reference — accessing another user’s data by changing an ID parameter), and missing access controls on API endpoints.

Prevention requires consistent access control checks on every request, deny-by-default policies, and using server-side enforcement rather than relying on client-side controls. Never trust user-supplied identifiers — always verify authorization.

A02: Cryptographic Failures

Previously called “Sensitive Data Exposure,” this category focuses on failures related to cryptography. Sensitive data — passwords, credit card numbers, health records, personal information — must be protected both in transit and at rest.

Common failures include transmitting data without TLS, using weak or deprecated cryptographic algorithms, hardcoding encryption keys, and improper certificate validation. Storing passwords without strong hashing (bcrypt, Argon2) is a particularly common failure.

Prevention involves classifying data by sensitivity, encrypting data at rest and in transit, using modern cryptographic libraries rather than implementing your own, and managing secrets through proper key management systems.

A03: Injection

Injection attacks occur when untrusted data is sent to an interpreter as part of a command or query. SQL injection is the most well-known, but injection affects many contexts — OS commands, LDAP, XML parsers, NoSQL databases.

SQL injection example:

-- Vulnerable query
SELECT * FROM users WHERE username = '" + userInput + "';

-- Attacker input: ' OR '1'='1
-- Result: SELECT * FROM users WHERE username = '' OR '1'='1'
-- Returns all users

Prevention relies on parameterized queries (prepared statements), input validation, and escaping special characters. ORM frameworks often handle parameterization automatically, but raw queries bypass these protections.

A04: Insecure Design

Insecure design refers to flaws in application architecture and design rather than implementation errors. These are the most difficult to fix because they are baked into the application’s foundation.

Examples include missing rate limiting on authentication endpoints, trusting client-side validation, and lack of proper access control patterns. Prevention requires threat modeling during design, secure design patterns, and reference architectures that incorporate security by default.

A05: Security Misconfiguration

Security misconfiguration is the most common vulnerability. It results from insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing stack traces.

Prevention involves hardening configurations, removing default accounts and sample applications, disabling unnecessary features, and automating configuration management with infrastructure-as-code tools.

A06: Vulnerable and Outdated Components

Modern applications rely on dozens or hundreds of third-party libraries and frameworks. When these components have known vulnerabilities, the application inherits those risks.

Prevention requires maintaining an inventory of all components, monitoring for vulnerabilities (CVE databases, Snyk, Dependabot), applying patches promptly, and removing unused dependencies.

A07: Identification and Authentication Failures

Authentication failures allow attackers to compromise user accounts. Common issues include weak password policies, credential stuffing (automated login attempts with breached credentials), session fixation, and missing multi-factor authentication.

Prevention includes enforcing strong password policies, implementing rate limiting on login attempts, requiring MFA for sensitive operations, and using secure session management with proper expiration and rotation.

A08: Software and Data Integrity Failures

Integrity failures occur when software or data is modified without authorization. Supply chain attacks — like the SolarWinds breach — are a prime example where attackers inject malicious code into trusted software updates.

Prevention involves verifying software provenance, using signed commits and packages, validating software integrity with checksums, and maintaining a software bill of materials for all dependencies.

A09: Security Logging and Monitoring Failures

Without adequate logging and monitoring, attacks go undetected. Organizations discover breaches months or years after the initial compromise.

Effective logging captures authentication events, access control failures, input validation errors, and administrative actions. Logs must be protected from tampering and monitored by security teams or automated systems.

A10: Server-Side Request Forgery

SSRF occurs when a web application fetches remote resources based on user input without proper validation. Attackers manipulate the server to make requests to internal systems that are not directly accessible from the internet.

Prevention involves validating and sanitizing all URLs, blocking requests to internal IP ranges, and implementing network segmentation to limit the impact of SSRF vulnerabilities.

Building Secure Web Applications

Security is not a feature you add at the end. It must be integrated throughout the development lifecycle. Conduct threat modeling during design. Implement security testing — SAST, DAST, and manual penetration testing — as part of the CI/CD pipeline. Keep dependencies updated. Monitor production applications for attacks.

The OWASP Top 10 provides a starting point, not a complete security program. Each application has unique risks based on its architecture, data, and threat model. Use the Top 10 as a baseline, then build deeper protections tailored to your specific context.

OWASP Top 10 Deep Dive

The OWASP Top 10 represents the most critical web application security risks. Understanding each category is essential for building and testing secure web applications.

A01 — Broken Access Control

Access control failures allow attackers to access unauthorized functionality or data. Common examples include privilege escalation (user accessing admin endpoints), IDOR (Insecure Direct Object Reference — changing IDs in URLs to access other users’ data), and missing access controls on API endpoints.

Mitigation: Deny by default, apply access controls on every request, use centralized access control libraries, and test with automated scanners.

A02 — Cryptographic Failures

Formerly “Sensitive Data Exposure.” Use strong encryption (TLS 1.3 for transit, AES-256/GCM for data at rest), proper key management, and avoid custom cryptography. Hash passwords with bcrypt, argon2, or PBKDF2 — never use MD5 or SHA-1 for passwords.

A03 — Injection

SQL injection remains one of the most dangerous web vulnerabilities. Parameterized queries prevent injection by separating SQL code from data:

# Vulnerable
cursor.execute(f"SELECT * FROM users WHERE id = {user_input}")

# Safe
cursor.execute("SELECT * FROM users WHERE id = %s", (user_input,))

Command injection, LDAP injection, and NoSQL injection follow the same principle — never concatenate user input with query language syntax.

A04 — Insecure Design

Shift security left by incorporating threat modeling and secure design patterns during the architecture phase. For example, if an application tracks credit in a game, do not trust the client’s report of credits — validate all state changes on the server.

A05 — Security Misconfiguration

Default credentials, unnecessary services enabled, overly permissive CORS headers, debug endpoints exposed in production. Use configuration management tools (Ansible, Terraform) to enforce hardened baseline configurations.

Web Application Firewall (WAF)

A WAF filters HTTP traffic between the web application and the internet, blocking common attack patterns (SQL injection, XSS) based on rulesets. ModSecurity with the OWASP Core Rule Set provides free, effective WAF protection. WAFs are a compensating control — they reduce risk but do not replace secure coding practices.

Secure Development Lifecycle

Integrate security into every phase of development: threat modeling in design, static analysis (SAST) during development, dynamic analysis (DAST) in staging, and penetration testing before production release. Automated security scanning in CI/CD pipelines catches vulnerabilities before they reach production.

FAQ

What is the CIA triad? Confidentiality (data accessible only to authorized parties), Integrity (data not tampered with), Availability (systems accessible when needed). These three principles form the foundation of all cybersecurity practices.

How do I start a career in cybersecurity? Learn networking, operating systems, and basic security concepts. Set up a home lab. Earn entry-level certifications like CompTIA Security+. Build hands-on skills through CTF challenges and bug bounty programs.

What is the difference between a vulnerability and an exploit? A vulnerability is a weakness in a system that could be exploited. An exploit is code or technique that takes advantage of a vulnerability to cause unintended behavior.

How often should I change my passwords? Current guidance recommends strong, unique passwords for each account and a password manager. Change passwords immediately if you suspect compromise rather than on a fixed schedule.

What is multi-factor authentication? MFA requires two or more verification factors — typically something you know (password), something you have (phone), and something you are (fingerprint). It dramatically reduces account takeover risk.

OWASP Top 10 Deep Dive

The OWASP Top 10 represents the most critical web application security risks. Understanding each category is essential for building and testing secure web applications.

A01 — Broken Access Control

Access control failures allow attackers to access unauthorized functionality or data. Common examples include privilege escalation (user accessing admin endpoints), IDOR (Insecure Direct Object Reference — changing IDs in URLs to access other users’ data), and missing access controls on API endpoints.

Mitigation: Deny by default, apply access controls on every request, use centralized access control libraries, and test with automated scanners.

A02 — Cryptographic Failures

Formerly “Sensitive Data Exposure.” Use strong encryption (TLS 1.3 for transit, AES-256/GCM for data at rest), proper key management, and avoid custom cryptography. Hash passwords with bcrypt, argon2, or PBKDF2 — never use MD5 or SHA-1 for passwords.

A03 — Injection

SQL injection remains one of the most dangerous web vulnerabilities. Parameterized queries prevent injection by separating SQL code from data:

# Vulnerable
cursor.execute(f"SELECT * FROM users WHERE id = {user_input}")

# Safe
cursor.execute("SELECT * FROM users WHERE id = %s", (user_input,))

Command injection, LDAP injection, and NoSQL injection follow the same principle — never concatenate user input with query language syntax.

A04 — Insecure Design

Shift security left by incorporating threat modeling and secure design patterns during the architecture phase. For example, if an application tracks credit in a game, do not trust the client’s report of credits — validate all state changes on the server.

A05 — Security Misconfiguration

Default credentials, unnecessary services enabled, overly permissive CORS headers, debug endpoints exposed in production. Use configuration management tools (Ansible, Terraform) to enforce hardened baseline configurations.

Web Application Firewall (WAF)

A WAF filters HTTP traffic between the web application and the internet, blocking common attack patterns (SQL injection, XSS) based on rulesets. ModSecurity with the OWASP Core Rule Set provides free, effective WAF protection. WAFs are a compensating control — they reduce risk but do not replace secure coding practices.

Secure Development Lifecycle

Integrate security into every phase of development: threat modeling in design, static analysis (SAST) during development, dynamic analysis (DAST) in staging, and penetration testing before production release. Automated security scanning in CI/CD pipelines catches vulnerabilities before they reach production.

For a comprehensive overview, read our article on Cloud Security Architecture.

For a comprehensive overview, read our article on Cloud Security Guide.

Section: Cybersecurity 1796 words 9 min read Intermediate 756 articles in section Report inaccuracy Back to top