OWASP Top 10

The ten most common web application security risks — what they are, how to defend against them.

A01 — Broken Access Control

Users can do things they shouldn't — viewing another user's data, escalating privileges, bypassing checks.

defend
Deny by default. Authorize on every request server-side. Don't trust client-side checks. Use IDs that aren't enumerable.
A02 — Cryptographic Failures

Sensitive data exposed via weak encryption, plaintext storage, or transmission over HTTP.

defend
Encrypt in transit (TLS 1.3) and at rest. Don't roll your own crypto. Use modern algorithms (AES-256-GCM, Argon2 for passwords).
A03 — Injection

Untrusted data interpreted as code — SQL, NoSQL, OS commands, LDAP, XPath.

defend
Use parameterized queries / prepared statements. Validate input. Escape output for the right context.
A04 — Insecure Design

Missing or ineffective security controls baked into the architecture itself.

defend
Threat model early. Use secure design patterns. Have a separate security review for new features.
A05 — Security Misconfiguration

Default credentials, unnecessary features enabled, verbose error messages, missing headers.

defend
Harden defaults. Disable unused services. Set security headers (CSP, HSTS, X-Frame-Options). Don't leak stack traces.
A06 — Vulnerable Components

Using libraries or frameworks with known vulnerabilities.

defend
Inventory dependencies. Patch promptly. Use SCA tools (npm audit, Dependabot, Snyk). Remove unused packages.
A07 — Identification & Authentication Failures

Weak passwords, broken session management, missing MFA, credential stuffing.

defend
Enforce strong passwords. Use MFA. Rotate session tokens after login. Rate-limit auth endpoints.
A08 — Software & Data Integrity Failures

Code from untrusted sources, unsigned updates, insecure CI/CD, deserialization of untrusted data.

defend
Verify package signatures. Lock dependencies. Sign artifacts. Never deserialize untrusted input.
A09 — Logging & Monitoring Failures

Without adequate logging and monitoring, breaches can go unnoticed for months.

defend
Log auth events, access control failures and validation errors. Monitor for unusual patterns. Alert on suspicious activity.
A10 — Server-Side Request Forgery

Server fetches a URL the user controls — leading to internal network access, cloud metadata theft.

defend
Validate and allow-list URLs. Disable unused protocols (file://, gopher://). Don't follow redirects to internal IPs.