OWASP Top 10: The Most Critical Web Security Risks
The OWASP Top 10 is the foundation of web security. Every security exam references it.
A01: Broken Access Control
Users accessing resources or functions they shouldn't. The #1 web security risk.
# Examples:
# - Changing URL parameter to access another user's data
#   GET /api/users/123 → GET /api/users/456 (not your account)
# - Accessing admin endpoints without admin role
# - Missing authorisation checks after authentication
# Prevention:
# - Deny by default (allowlist, not blocklist)
# - Enforce object-level authorisation on every resource
# - Log access control failures
# - Rate limit API access
# - Don't expose IDs — use opaque tokens or UUIDs
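An added example (not from the page) of what "object-level authorisation on every resource" and "deny by default" look like in code. It contrasts a handler that only checks authentication with one that checks ownership or role on every read, logs each refusal, uses opaque record ids, and guards an admin-only function with a role check. All users, records and ids are constructed sample data; `Forbidden`, `require_role` and `can_access` are names chosen for this example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


class Forbidden(Exception):
    """Raised for every denied access; the web layer maps it to a 403/404."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "user" or "admin"


# Constructed sample data. Record ids are opaque strings rather than
# sequential integers (in production generate them with secrets.token_urlsafe),
# so nobody can reach other users' records by counting up from their own.
USERS = {
    "u-alice": User("u-alice", "user"),
    "u-bob": User("u-bob", "user"),
    "u-ops": User("u-ops", "admin"),
}
RECORDS = {  # record_id -> (owner user_id, payload)
    "rec-7f3kQ9": ("u-alice", {"balance": 120}),
    "rec-Zp0x2L": ("u-bob", {"balance": 30}),
}


def get_record_vulnerable(current_user: User, record_id: str) -> dict:
    """A01 pattern: the caller is authenticated, but nothing checks that the
    record belongs to them, so any valid id returns any user's data."""
    return RECORDS[record_id][1]


def get_record(current_user: User, record_id: str) -> dict:
    """Object-level authorisation, deny by default: only the owner or an
    admin may read, and every refusal is logged."""
    entry = RECORDS.get(record_id)
    if entry is None:
        # Same outcome for "does not exist" and "not yours", so the response
        # does not reveal which ids are valid.
        raise Forbidden(record_id)
    owner, payload = entry
    if current_user.role != "admin" and owner != current_user.user_id:
        log.warning("access denied user=%s record=%s", current_user.user_id, record_id)
        raise Forbidden(record_id)
    return payload


def require_role(role: str):
    """Decorator for function-level authorisation (admin-only endpoints)."""
    def decorator(fn):
        def wrapper(current_user: User, *args, **kwargs):
            if current_user.role != role:
                log.warning("role denied user=%s fn=%s", current_user.user_id, fn.__name__)
                raise Forbidden(fn.__name__)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_users(current_user: User) -> list:
    return sorted(USERS)


def can_access(fn, current_user: User, *args) -> bool:
    """Helper: True if fn allows the call, False if it raises Forbidden."""
    try:
        fn(current_user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = USERS["u-bob"]
    print("vulnerable:", get_record_vulnerable(bob, "rec-7f3kQ9"))  # bob reads alice's record
    print("hardened:", can_access(get_record, bob, "rec-7f3kQ9"))    # False
```

The ownership check lives inside the data access function rather than in the route handler, so a new endpoint that forgets to check still cannot return someone else's record.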
A02: Cryptographic Failures (formerly Sensitive Data Exposure)
Sensitive data exposed due to weak or absent encryption.
# Examples:
# - Transmitting data over HTTP (not HTTPS)
# - Storing passwords in MD5 or plaintext
# - Using weak encryption (DES, RC4)
# - Exposing sensitive data in logs or error messages
# - Secrets in URL parameters (appear in server logs)
# Prevention:
# - HTTPS everywhere, HSTS header
# - Encrypt sensitive data at rest (AES-256)
# - Use bcrypt/Argon2 for passwords
# - Don't log sensitive data
# - Use secure, up-to-date algorithms only
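An added example (not from the page) covering two of the points above: password storage and secrets leaking through URL parameters into logs. The page recommends bcrypt or Argon2; this example uses scrypt from the standard library's `hashlib` as a stand-in so it runs without third-party packages, and the same properties apply (per-user salt, tunable cost, constant-time comparison). The work factors, the `SENSITIVE_PARAMS` list and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def hash_password_md5(password: str) -> str:
    """What A02 warns against: fast, unsalted, and the same output for the
    same password, so leaked hashes can be cracked or matched in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


# scrypt work factors. Assumption: kept small so the example runs quickly;
# production deployments raise n to suit their hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow hash. The stored string carries its own parameters so
    they can be raised later without invalidating older records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # not in our format (e.g. a legacy MD5 hex string)
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # A plain == returns on the first differing byte and leaks timing.
    return hmac.compare_digest(digest, expected)


# Constructed list of query parameters that must never reach a log line.
SENSITIVE_PARAMS = {"token", "password", "api_key", "session"}


def redact_url(url: str) -> str:
    """Secrets in URL parameters end up in access logs; scrub them before logging."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
    print(redact_url("https://example.test/reset?token=abc123&user=bob"))
```

Two hashes of the same password differ because each gets a fresh salt, which is exactly what the MD5 variant lacks.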
A03: Injection (SQL, OS, LDAP)
Untrusted data sent to an interpreter as part of a command.
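An added example (not from the page) of the two injection classes this section names, each shown as the vulnerable pattern beside its hardened form: a SQL lookup built by string concatenation versus a parameterised query (run against a constructed in-memory SQLite table), and a `convert` command built from a request filename versus an allowlisted filename passed to `subprocess.run` as an argv list with no shell. The table contents, the filename pattern and the function names are assumptions made for this example.

```python
import re
import sqlite3
import subprocess


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
    ])
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    """String concatenation: SQLite cannot tell where data ends and SQL begins."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user(conn, name: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allowlist for the filename: must start with a letter or digit (so it can
# never be read as a command-line option) and may contain no separators,
# quotes, spaces or path components. Assumption: 64 characters is enough here.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def filename_is_safe(filename: str) -> bool:
    return SAFE_FILENAME.fullmatch(filename) is not None


def build_convert_command(filename: str) -> list:
    """Hardened form of os.system("convert " + filename + " output.pdf"):
    validate against the allowlist, then build argv as a list."""
    if not filename_is_safe(filename):
        raise ValueError("rejected filename: %r" % filename)
    return ["convert", filename, "output.pdf"]


def convert_file(filename: str) -> None:
    # shell=False: no shell parses the argument, so ';', '|' or '$(...)'
    # inside it are just bytes of argv[1] passed to the convert binary.
    subprocess.run(build_convert_command(filename), shell=False, check=True)


if __name__ == "__main__":
    conn = demo_db()
    probe = "x' OR '1'='1"
    print("concatenated:", find_user_vulnerable(conn, probe))  # every row
    print("parameterised:", find_user(conn, probe))            # no rows
    print(build_convert_command("report.png"))
    print(filename_is_safe("test; rm -rf /"))                  # False
```

Running the same input through both SQL functions is the quickest way to show a reviewer why the fix is binding parameters rather than escaping quotes by hand.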
# SQL Injection, OS Command Injection, LDAP Injection, XPath Injection
# OS Command Injection example (deliberately vulnerable):
import os
filename = request.params["file"]                 # untrusted value straight from the request
os.system("convert " + filename + " output.pdf")  # the shell parses the whole string
# Attacker: filename = "test; rm -rf /"
# Prevention:
# - Parameterised queries for SQL
# - Avoid shell commands with user input
# - Use allowlists for expected values
# - Escape all user-supplied data
# - Run with minimal OS privileges
A04-A10: The remaining risks
The rest of the OWASP Top 10 covers insecure design, misconfiguration, outdated components, authentication failures, and more.
# A04: Insecure Design
# - Missing threat modelling
# - No security controls in the design phase
# A05: Security Misconfiguration
# - Default credentials not changed
# - Unnecessary features/ports enabled
# - Verbose error messages exposing stack traces
# A06: Vulnerable and Outdated Components
# - Using libraries with known CVEs
# - Fix: keep dependencies updated, use Snyk/Dependabot
# A07: Identification and Authentication Failures
# - No account lockout (allows brute force)
# - Weak passwords allowed
# - Missing MFA on sensitive functions
# A08: Software and Data Integrity Failures
# - Including untrusted libraries without checking hash
# - Insecure deserialization
# A09: Security Logging and Monitoring Failures
# - No alerting on suspicious activity
# - Logs not protected from tampering
# A10: Server-Side Request Forgery (SSRF)
# - Server fetching URLs provided by users
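An added example (not from the page) for A10: a deny-by-default check a server runs before fetching a user-supplied URL. It enforces an HTTPS-only scheme, rejects credentials embedded in the URL and IP-address literals, and only permits hostnames on an allowlist; a separate `is_internal_address` helper classifies resolved addresses (loopback, RFC 1918, link-local and similar) for deployments that also check the result of DNS resolution, which this offline example does not perform. The allowlist and function names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"https"}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_internal_address(ip_text: str) -> bool:
    """True for loopback, private (RFC 1918 / ULA), link-local, multicast,
    reserved or unspecified addresses: ranges a user-supplied URL should
    never make the server contact. Apply to resolved addresses as well."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str) -> str:
    """Deny-by-default check run before the server fetches a user-supplied URL.
    Returns the URL unchanged if it passes, raises ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        # "https://trusted.example@other.example/" has hostname other.example;
        # refuse the form outright rather than reason about it.
        raise ValueError("credentials in URL not allowed")
    if is_ip_literal(host):
        # Names only: an address literal bypasses any name-based allowlist.
        raise ValueError("IP address literals not allowed")
    if host.rstrip(".") not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist: %r" % host)
    return url


def fetch_url_is_allowed(url: str) -> bool:
    """Boolean wrapper around validate_fetch_url for callers and tests."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["https://api.partner.example/v1/items",
                      "http://api.partner.example/v1/items",
                      "https://127.0.0.1/status",
                      "https://api.partner.example@other.example/"]:
        print(fetch_url_is_allowed(candidate), candidate)
```

The allowlist is the control that matters; the other checks exist so that a URL cannot be shaped to slip a different host past it. In a real fetcher you would also resolve the name and run `is_internal_address` over every returned address before connecting, and disable redirects or re-validate each hop.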
Exam tip
The OWASP Top 10 order changes with each release — don't memorise numbers, memorise the categories. Broken Access Control and Injection are always in the top 3. Every security exam will include at least one OWASP question.