
OWASP Top 10 Explained with Examples

The OWASP Top 10 is the definitive list of web application security risks. Here we break down each risk with real‑world scenarios and how to fix them.

By VULNERA Team · Mar 29, 2026 · 15 min read

A01:2021 – Broken Access Control

Users can view or edit data they shouldn’t have permission to. Example: Changing a URL parameter from /user?id=123 to /user?id=124 to see another user’s profile without authorization checks.

Mitigation: Enforce access controls on the server side; use a deny‑by‑default approach; implement proper session management.

A02:2021 – Cryptographic Failures

Previously known as “Sensitive Data Exposure.” This covers failures in cryptography that lead to exposure of sensitive data. Example: Storing passwords in plaintext or using outdated hashing algorithms like MD5.

// Bad: MD5 is fast and unsalted, so a leaked hash database is cracked in bulk
hash = md5(password);
// Good: bcrypt salts every hash and is deliberately slow; saltRounds (e.g. 12) sets the cost
hash = await bcrypt.hash(password, saltRounds); // async in the Node bcrypt library

Mitigation: Encrypt all sensitive data at rest and in transit; use strong, up‑to‑date algorithms; never roll your own crypto.

A03:2021 – Injection

Includes SQL, NoSQL, OS command, and LDAP injection. Attackers supply untrusted input that gets interpreted as part of a command. Example: SQL injection as shown in the previous article.

Mitigation: Use parameterized queries or safe APIs; validate and sanitize input; use the principle of least privilege for database accounts.

A04:2021 – Insecure Design

Security controls that are missing or ineffective because the flaw is baked into the application’s design rather than its implementation. Example: An application that allows unlimited password attempts without rate‑limiting, enabling brute‑force attacks.

Mitigation: Incorporate threat modeling, secure design principles, and risk assessments into the development lifecycle.

A05:2021 – Security Misconfiguration

This includes default accounts, verbose error messages, and unnecessary features. Example: Leaving debug mode enabled in production exposes sensitive information.

Mitigation: Automate configuration hardening; remove unused components; disable debug mode; implement a repeatable hardening process.

A06:2021 – Vulnerable and Outdated Components

Using libraries, frameworks, or software with known vulnerabilities. Example: Running a version of Log4j that is susceptible to CVE‑2021‑44228.

Mitigation: Maintain an inventory of components; patch regularly; use software composition analysis (SCA) tools.

A07:2021 – Identification and Authentication Failures

Weaknesses in authentication mechanisms that allow attackers to compromise passwords, session tokens, or identities. Example: Permitting weak passwords like “password123”.

Mitigation: Implement MFA; enforce strong password policies; protect session tokens; use secure password storage.

A08:2021 – Software and Data Integrity Failures

Includes insecure deserialization and lack of integrity checks. Example: An attacker modifies a serialized object stored in a cookie to gain admin privileges.

Mitigation: Use digital signatures or checksums to verify integrity; avoid deserializing untrusted data.

A09:2021 – Security Logging and Monitoring Failures

Insufficient logging and monitoring prevent detection of breaches. Example: A successful admin login is not logged, so an attacker’s access goes unnoticed.

Mitigation: Log all authentication events, access control failures, and server‑side errors; monitor logs for suspicious activity.

A10:2021 – Server-Side Request Forgery (SSRF)

An attacker can force the server to make requests to unintended locations. Example: A web application that fetches a URL from user input, allowing the attacker to scan internal network services.

// Vulnerable endpoint
GET /fetch?url=https://example.com
// Attacker uses:
GET /fetch?url=http://169.254.169.254/latest/meta-data/

Mitigation: Validate and sanitize user‑supplied URLs; implement an allow‑list of permitted destinations; run servers in isolated network segments.
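As an added example (not code from the original article), a deny-by-default validator for the /fetch endpoint’s url parameter that implements the allow-list mitigation above. ALLOWED_HOSTS and the function names are assumptions; the private-range check is illustrative, not exhaustive.

```javascript
// Added example: deny-by-default validation of a user-supplied fetch URL.
// ALLOWED_HOSTS is an assumed allow-list; replace with the integrations you actually need.
const ALLOWED_HOSTS = new Set(['example.com', 'api.example.com']);

// True for IP literals that a server-side fetch must never reach: loopback,
// link-local (including the 169.254.169.254 cloud metadata service), RFC 1918,
// multicast/reserved. Run the same check on resolved addresses before connecting.
function isBlockedAddress(host) {
  if (host.startsWith('[')) { // IPv6 literal: URL.hostname keeps the brackets
    const v6 = host.slice(1, -1).toLowerCase();
    return v6 === '::1' || v6 === '::' || /^fe[89ab]/.test(v6) ||
           /^f[cd]/.test(v6) || v6.startsWith('::ffff:'); // IPv4-mapped
  }
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false; // not an IP literal; hostnames are judged by the allow-list
  const [a, b] = m.slice(1).map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) || a >= 224;
}

// Returns { ok: true, url } for an acceptable destination, otherwise { ok: false, reason }.
// Everything not explicitly permitted is rejected: only https, no embedded credentials,
// no non-default port, no IP literals, and the host must be on the allow-list.
function validateFetchUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials' };
  if (url.port) return { ok: false, reason: 'port' };
  const host = url.hostname.toLowerCase(); // WHATWG parsing already normalizes case and numeric IPv4 forms
  if (isBlockedAddress(host)) return { ok: false, reason: 'internal-address' };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: 'not-allow-listed' };
  return { ok: true, url: url.toString() };
}
```

A hostname allow-list alone is not sufficient: resolve the name yourself, re-check the resulting address with isBlockedAddress, and connect to that address without following redirects, otherwise an allow-listed host that redirects or a DNS rebinding can still steer the request inward.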

Beyond the Top 10

The OWASP Top 10 is a starting point. To build truly secure applications, you must adopt a continuous security mindset—integrating testing, training, and updates throughout the software development lifecycle. Use tools like vulnerability scanners and penetration tests to validate your defenses.
