OWASP Top 10

The 10 most critical web application security risks (2021)

01A01
Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or performing a business function outside of the user's limits.
128 CVEs 34 CWEs
02A02
Cryptographic Failures
Failures related to cryptography which often lead to sensitive data exposure. Previously known as Sensitive Data Exposure, this category focuses on the root cause: missing or flawed cryptography.
7 CVEs 29 CWEs
03A03
Injection
Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are prevalent particularly in legacy code. They are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries.
362 CVEs 33 CWEs
04A04
Insecure Design
A new category for 2021, focusing on risks related to design flaws. Insecure design is a broad category representing different weaknesses. There is a difference between insecure design and insecure implementation.
51 CVEs 40 CWEs
05A05
Security Misconfiguration
The application might be vulnerable if it is missing appropriate security hardening, has improperly configured permissions, unnecessary features are enabled, or default accounts and passwords are still active.
222 CVEs 20 CWEs
06A06
Vulnerable and Outdated Components
Components such as libraries, frameworks, and software modules run with the same privileges as the application. If a vulnerable component is exploited, it can cause serious data loss or server takeover.
0 CVEs 3 CWEs
07A07
Identification and Authentication Failures
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.
111 CVEs 22 CWEs
08A08
Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. This includes insecure CI/CD pipelines and auto-update mechanisms without integrity verification.
58 CVEs 10 CWEs
09A09
Security Logging and Monitoring Failures
Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs any time.
1 CVEs 4 CWEs
10A10
Server-Side Request Forgery (SSRF)
SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination.
18 CVEs 1 CWEs