
OWASP Top 10 explained in plain English

No security background needed. We break down each of the 10 most critical web application security risks — with real-world examples from apps you use every day.

Sarah Novak June 5, 2024 12 min read Education

The OWASP Top 10 is a list of the 10 most critical security risks facing web applications, maintained by the Open Web Application Security Project. It’s updated every three to four years based on real-world vulnerability data from hundreds of organizations.

If you’re building a web application, you need to understand these risks — not because you need to become a security expert, but because fixing most of them is straightforward once you know what they are. Most OWASP Top 10 vulnerabilities are preventable with well-understood, widely-available mitigations.

About this list

This covers the 2021 edition of the OWASP Top 10. The severity ratings below reflect how commonly and severely each category is exploited in real-world attacks, not just their theoretical impact.

A01:2021 Broken Access Control (Critical)

This moved to #1 in 2021 for a reason — 94% of tested applications had some form of broken access control. In plain English: users can access pages, records, or functions they shouldn't be able to.

Real-world example: A user changes the URL from /account/1234 to /account/1235 and sees someone else's account. Or a regular user accesses /admin by typing it directly.
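As an added example (not code from the original post), here is the server-side check that closes both holes: the account lookup verifies ownership or an admin role, and the /admin route checks the role rather than relying on the link being hidden. The account data, users and minimal router are constructed for the demo.

```python
# Added example (not from the original post); accounts, users and router are constructed.
ACCOUNTS = {1234: {"owner": "alice", "balance": 120},
            1235: {"owner": "bob", "balance": 75}}
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"},
         "carol": {"role": "admin"}}


class Forbidden(Exception):
    """The caller is authenticated but not allowed to use this resource."""


def role_of(current_user):
    return USERS.get(current_user, {}).get("role")


def view_account_insecure(current_user, account_id):
    # Vulnerable: trusts the id taken from the URL and never asks who is calling.
    return ACCOUNTS[account_id]


def view_account(current_user, account_id):
    # Fixed (object-level check): load the record, then require that the caller
    # owns it or holds the admin role. Anything else is denied.
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise Forbidden("no such account")  # same response as "not yours"
    if account["owner"] != current_user and role_of(current_user) != "admin":
        raise Forbidden("not your account")
    return account


def admin_dashboard(current_user):
    # Function-level check: reaching /admin by typing the URL is not enough.
    if role_of(current_user) != "admin":
        raise Forbidden("admin role required")
    return {"accounts": sorted(ACCOUNTS)}


def handle(current_user, path):
    """Route a request and map Forbidden to a 403, so the checks are testable."""
    try:
        if path == "/admin":
            return 200, admin_dashboard(current_user)
        if path.startswith("/account/") and path[9:].isdigit():
            return 200, view_account(current_user, int(path[9:]))
        return 404, None
    except Forbidden:
        return 403, None
```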

A02:2021 Cryptographic Failures (Critical)

Previously called "Sensitive Data Exposure" — this covers failures in how data is protected in transit and at rest. Think: passwords stored in plaintext, old TLS versions still enabled, or unencrypted database backups.

Real-world example: A site still accepts TLS 1.0 connections, or stores passwords using MD5 (a broken hashing algorithm). Both mean an attacker who intercepts traffic or the database can read sensitive data.

A03:2021 Injection (Critical)

SQL injection, command injection, LDAP injection — any time user-supplied data is interpreted as code or commands rather than data. SQL injection alone has caused some of the largest data breaches in history.

Real-world example: A search box that runs your search term directly in a database query. If you type ' OR '1'='1, the database returns all records instead of just matching ones.
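An added example (not from the original post) showing why the ' OR '1'='1 input above changes the query's meaning when concatenated, and why binding it as a parameter does not; the product table is constructed in an in-memory SQLite database.

```python
import sqlite3

# Added example (not from the original post): the search box from the text,
# first with the term concatenated into SQL, then parameterized.
# The products table and its rows are constructed for the demo.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("laptop",), ("phone",), ("headphones",)])
    return conn


def search_vulnerable(conn, term):
    # Vulnerable: the term becomes part of the SQL text, so a quote inside it
    # closes the string literal and the rest is parsed as SQL, not data.
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Fixed: the statement's shape is fixed when it is parsed; the term is bound
    # as a value afterwards and can only ever be compared, never executed.
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]
```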

A04:2021 Insecure Design (High)

A new category in 2021 — this covers security flaws in the design of a system, not just the implementation. No amount of code-level fixes will address a fundamentally insecure design.

Real-world example: An e-commerce site that allows unlimited password reset attempts with no rate limiting. An attacker can cycle through all possible 4-digit PINs in minutes.

A05:2021 Security Misconfiguration (High)

The most commonly found issue — insecure default configurations, unnecessary features left enabled, error messages that reveal too much information, or missing security hardening across the stack.

Real-world example: A server returns a detailed stack trace in error messages (revealing internal file paths and library versions). Or S3 buckets are left publicly readable.

A06:2021 Vulnerable and Outdated Components (High)

Using libraries, frameworks, or other software components with known vulnerabilities. This is how the Equifax breach happened — an unpatched Apache Struts vulnerability that had a fix available for months.

Real-world example: Your application uses an npm package with a known CVE for remote code execution, but you haven't updated it. The vulnerability is publicly documented and exploit code is available.

A07:2021 Identification and Authentication Failures (High)

Weak authentication implementations that allow attackers to assume other users' identities. Includes credential stuffing, brute force, weak session management, and missing multi-factor authentication.

Real-world example: A login form with no rate limiting — an attacker can try 10,000 passwords per minute. Or session tokens that don't expire after logout, allowing session hijacking.
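The A04 reset-PIN example and this A07 login example share the same missing control, so here is one added example (not from the original post) of a sliding-window attempt limiter keyed on the account; the five-attempt limit, 15-minute window and injectable clock are assumptions for the demo.

```python
import hmac
import time
from collections import deque

# Added example (not from the original post): per-account attempt limiting
# for the A04 reset-PIN and A07 login cases. Limits, window and the
# injectable clock are assumptions chosen for the demo.


class AttemptLimiter:
    """Lock a key after `max_attempts` failures inside a sliding window."""

    def __init__(self, max_attempts=5, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = {}  # key -> deque of failure timestamps

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # forget failures that have aged out of the window
        return q

    def is_locked(self, key):
        return len(self._recent(key, self.clock())) >= self.max_attempts

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def verify_reset_pin(limiter, account, submitted_pin, real_pin):
    """Check a reset PIN, refusing to even compare it while the account is locked.
    Returns "ok", "wrong" or "locked"."""
    if limiter.is_locked(account):
        # 10,000 PINs at 5 per 15 minutes takes about three weeks, not minutes.
        return "locked"
    if hmac.compare_digest(submitted_pin.encode(), real_pin.encode()):
        limiter.reset(account)
        return "ok"
    limiter.record_failure(account)
    return "wrong"
```

For the login endpoint the same class is keyed on the username, and in practice you would key on the source address as well so one attacker cannot lock legitimate users out of their own accounts.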

A08:2021 Software and Data Integrity Failures (Medium)

Code and infrastructure that doesn't verify the integrity of software updates, critical data, or CI/CD pipelines. Also covers insecure deserialization — processing untrusted serialized data without validation.

Real-world example: An application loads JavaScript from a CDN without a subresource integrity (SRI) hash. If the CDN is compromised, attackers can inject arbitrary JavaScript into your application.
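An added example (not from the original post) of producing the SRI hash for a script you have reviewed and of the comparison the browser performs when the CDN serves different bytes; the script contents and CDN URL are constructed.

```python
import base64
import hashlib

# Added example (not from the original post): generating and checking a
# subresource integrity (SRI) value. Script bytes and the CDN URL used in the
# test are constructed; the format "<alg>-<base64 digest>" is the real one.


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag pinned to the exact bytes that were reviewed.
    crossorigin is required for the browser to enforce SRI on a CDN resource."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(integrity: str, fetched: bytes) -> bool:
    """Mimic the browser: recompute over what was actually served and compare.
    Any mismatch, including an unsupported algorithm, blocks execution."""
    algorithm, _, _ = integrity.partition("-")
    try:
        return sri_hash(fetched, algorithm) == integrity
    except ValueError:
        return False
```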

A09:2021 Security Logging and Monitoring Failures (Medium)

Without adequate logging and monitoring, breaches go undetected. The average time to detect a breach is 197 days. Inadequate logging is both a security failure and a compliance problem for SOC 2 and ISO 27001.

Real-world example: Failed login attempts aren't logged. Or they're logged but no one monitors them. An attacker spends three weeks credential-stuffing accounts — no alert fires.
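As an added example (not from the original post), this is the alert that should have fired: it reads authentication log lines and flags a source that fails logins against many distinct accounts in a short window, then notes whether that source later succeeded. The log format, sample lines and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the original post). Log format, field names, sample
# lines and thresholds are constructed for the demo; point LINE at your own
# authentication log format.

LINE = re.compile(r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2024-06-05T10:15:01Z auth login_failed user=alice src=203.0.113.7
2024-06-05T10:15:02Z auth login_failed user=bob src=203.0.113.7
2024-06-05T10:15:02Z auth login_failed user=carol src=203.0.113.7
2024-06-05T10:15:03Z auth login_failed user=dave src=203.0.113.7
2024-06-05T10:15:04Z auth login_failed user=erin src=203.0.113.7
2024-06-05T10:15:05Z auth login_ok user=frank src=203.0.113.7
2024-06-05T10:16:00Z auth login_failed user=alice src=198.51.100.4
2024-06-05T10:16:30Z auth login_ok user=alice src=198.51.100.4
"""


def parse(log_text):
    """Yield (timestamp, event, user, src) for every line that matches LINE."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]


def credential_stuffing_alerts(log_text, window=timedelta(minutes=5), min_users=5):
    """One alert per source that fails logins for >= min_users distinct accounts
    inside `window`; success_after marks a later login_ok from that source."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event, user, src in parse(log_text):
        (failures if event == "login_failed" else successes)[src].append((ts, user))
    alerts = []
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"src": src, "first_seen": start, "distinct_users": len(users),
                               "success_after": any(t >= start for t, _ in successes[src])})
                break
    return alerts
```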

A10:2021 Server-Side Request Forgery (SSRF) (High)

SSRF lets an attacker make the server send requests to internal resources — bypassing firewalls and accessing internal APIs, cloud metadata services, or internal databases that should never be publicly accessible.

Real-world example: A URL preview feature that fetches a URL provided by the user. An attacker provides http://169.254.169.254/latest/meta-data/ (AWS metadata endpoint) and reads cloud credentials.
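An added example (not from the original post) of the destination check a URL-preview feature should apply before fetching: it rejects non-http(s) schemes and any URL whose resolved addresses are not publicly routable, which covers 169.254.169.254 above. The resolver hook is an assumption so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not from the original post): allow-list style destination
# check for a user-supplied preview URL. The `resolver` parameter is an
# assumption that lets tests substitute fixed answers for real DNS.


def resolve(host):
    """Return the IP address strings a host resolves to (IP literals pass through)."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_preview_url(url, resolver=resolve):
    """True only for http(s) URLs whose every resolved address is publicly routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # file://, ftp://, gopher:// and friends are never fetched
    if parts.username or parts.password:
        return False  # reject credentials embedded in the URL
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return False  # unresolvable or malformed: fail closed
    if not addrs:
        return False
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata IP
        # is_global is False for loopback, RFC 1918, link-local (which includes
        # 169.254.169.254), unspecified, multicast and reserved ranges.
        if not ip.is_global:
            return False
    return True
```

Resolving and then fetching leaves a gap (the name can change between the check and the connection, and a redirect can point somewhere else), so in production also validate the address the HTTP client actually connects to and re-run the check on every redirect hop.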

How PenScan tests for these

PenScan’s seven scanner engines map directly to OWASP Top 10 categories:

  • OWASP ZAP — actively tests for A01, A03, A05, A07
  • Nuclei — template-based detection for A05, A06 (CVEs), A08
  • Wapiti — injection and path traversal testing (A03, A05)
  • Nikto — server configuration and header checks (A02, A05)
  • SSLyze — TLS/cryptographic analysis (A02)
  • Dalfox — XSS detection (a subtype of A03)
  • Nmap — service exposure and version detection (A05, A06)

Every finding in a PenScan report is tagged with its OWASP category, so you can see exactly which categories your application has exposure in — and where you’re clean.

Where to start if you find issues

If your PenScan report shows OWASP category findings, here’s the priority order:

  • A03 Injection — fix immediately. Use parameterized queries. Never concatenate user input into SQL or shell commands.
  • A01 Broken Access Control — audit all authorization checks. Ensure server-side enforcement on every endpoint.
  • A02 Cryptographic Failures — disable TLS 1.0/1.1, use bcrypt/Argon2 for passwords, enable HSTS.
  • A07 Authentication Failures — add rate limiting to login endpoints, enforce session expiry, enable MFA.
  • A05 Misconfiguration — audit security headers (CSP, X-Frame-Options, etc.), disable directory listing, remove default credentials.

The good news: most OWASP Top 10 fixes are well-documented, widely understood, and implementable by a backend developer in a single sprint — if you know exactly what’s affected. That’s exactly what a PenScan report tells you.