OWASP Top 10

OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. Published by the Open Web Application Security Project, it's updated periodically based on data from security organizations worldwide.

OWASP Top 10 (2021)

  1. A01 Broken Access Control - Restrictions not properly enforced
  2. A02 Cryptographic Failures - Weak crypto or data exposure
  3. A03 Injection - SQL, NoSQL, OS, LDAP injection
  4. A04 Insecure Design - Missing security controls by design
  5. A05 Security Misconfiguration - Improper configuration
  6. A06 Vulnerable Components - Using components with known vulnerabilities
  7. A07 Auth Failures - Broken authentication/session management
  8. A08 Integrity Failures - Software/data integrity not verified
  9. A09 Logging Failures - Insufficient logging and monitoring
  10. A10 SSRF - Server-Side Request Forgery

Purpose

  • Raise awareness of web application security
  • Guide development and testing priorities
  • Provide a common vocabulary for security discussions
  • Serve as a baseline for regulatory compliance

Related OWASP Projects

  • OWASP Testing Guide
  • OWASP ASVS (Application Security Verification Standard)
  • OWASP Cheat Sheet Series
  • OWASP API Security Top 10
