The OWASP Top 10 is the most widely referenced web application security classification. Updated every three to four years, it represents the consensus view of the most critical security risks to web applications. The 2021 edition introduced significant changes from the 2017 edition, reflecting the evolving threat landscape.
The 2021 edition introduced four new categories:
This product provides a thorough reference for each category. For each one you get:
A01 Broken Access Control — Users can access resources they shouldn't
A02 Cryptographic Failures — Weak or missing encryption for sensitive data
A03 Injection — Untrusted data executed as code or queries
A04 Insecure Design — Architecture-level security flaws
A05 Security Misconfiguration — Defaults, debug modes, unnecessary features
A06 Vulnerable Components — Outdated libraries with known vulnerabilities
A07 Auth Failures — Weak login, session management, or credential recovery
A08 Integrity Failures — Tampered software, deserialization attacks, poisoned CI/CD
A09 Logging and Monitoring Failures — Inability to detect and respond to attacks
A10 SSRF — Server makes unintended network requests from attacker-controlled input
Access control enforces what authenticated users are allowed to do. Broken access control is consistently the most common and most severe web application vulnerability.
Common flaws:
Fix: enforce deny-by-default. Every endpoint should explicitly declare who can access it. Default to denial unless the user has a verified role or permission that grants access.
This category covers failures related to cryptography — or the lack of it. The most common issues are not about broken encryption algorithms but about not using encryption at all, or using it incorrectly.
Common flaws:
Fix: use modern, vetted cryptography. Passwords should be hashed with bcrypt, scrypt, or Argon2 — never with a general-purpose hash function. TLS 1.2+ should be required for all connections. Encryption keys should be managed through a proper secrets management system.
Get the full OWASP Security Checklist and unlock everything.
Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.
Access all interactive tools with complete data, all workload profiles, and the full scenario library.
Downloadable source code, configuration files, and working examples from every chapter.
Free updates for life. Every new chapter, tool, and improvement included.