What You'll Learn
The OWASP Top 10 lists the most critical security risks to web applications. Learn how SQL Injection, Broken Authentication, and XSS happen, and how to prevent them in your code.
What is OWASP?
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. Their "Top 10" report is the globally recognized standard for developers to ensure secure coding practices.
A01: Broken Access Control
Users act outside of their intended permissions. For example, a user views someone else's account by changing the URL from `/users/123` to `/users/124` (known as Insecure Direct Object Reference, or IDOR).
A02: Cryptographic Failures
Failures related to cryptography, which often lead to sensitive data exposure (passwords, health records, credit cards). Examples include transmitting data over HTTP instead of HTTPS, or hashing passwords with MD5 instead of bcrypt/Argon2.
A03: Injection (SQL, NoSQL, OS Command)
Occurs when untrusted user data is sent to an interpreter as part of a command or query. A hacker inputs `' OR 1=1 --` into a login field, tricking the database into logging them in.

```js
// VULNERABLE: string concatenation puts user input directly into the SQL text
const query = "SELECT * FROM users WHERE email = '" + req.body.email + "'";
```
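To see what the concatenation above actually does, here is an added example (not code from the original page) that mirrors the Node snippet in Python against a constructed in-memory SQLite table, and places the parameterized version beside it. The table, the two accounts and the `find_user_*` function names are assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, email):
    """Mirrors the page's JavaScript: the input becomes part of the SQL text.

    With email = "' OR 1=1 --" the statement becomes
        SELECT id, email FROM users WHERE email = '' OR 1=1 --'
    so the WHERE clause is always true and the trailing quote is commented out.
    """
    query = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Parameterized query: the value is bound by the driver, never parsed as SQL.

    The same payload is now compared literally against the email column,
    so it matches nothing and the query's structure is unchanged.
    """
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows
    print("safe:      ", find_user_safe(db, payload))        # []
```

A lone `'` sent to the vulnerable function raises `sqlite3.OperationalError` (unterminated string), which is the classic sign that input is reaching the SQL parser; the parameterized version simply returns no rows.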
A04: Insecure Design
A broad category covering flaws in architectural design and missing threat modeling. Perfect code cannot fix fundamentally flawed authentication logic.
A05: Security Misconfiguration
Examples include leaving default passwords in place (admin/admin), keeping debug features enabled in production, or exposing internal cloud ports to the public internet.
The Rest of the Top 10
- A06: Vulnerable and Outdated Components — Using an old version of Log4j or an unpatched npm package. Use tools like `npm audit` or Dependabot.
- A07: Identification and Authentication Failures — Weak password policies, no rate limiting on login (enabling brute force), or session hijacking.
- A08: Software and Data Integrity Failures — Pulling code from unverified sources, deserialization attacks, or compromised CI/CD pipelines.
- A09: Security Logging and Monitoring Failures — Not logging failed logins or high-value transactions. Attackers can persist in systems for months without being noticed.
- A10: Server-Side Request Forgery (SSRF) — Tricking the server into fetching a malicious URL or querying an internal cloud metadata API (like AWS 169.254.169.254).