stackademic


OWASP Top Ten

An overview of the most critical web application security risks

Overview

The OWASP Top Ten is a widely used, regularly updated list of the most critical web application security risks, published by the Open Worldwide Application Security Project. It gives teams a shared checklist to prioritize defenses against the issues that cause the most real-world damage. Learning it is a fast way to cover the vulnerabilities attackers exploit most often.

Syntax / Usage

The list is a set of risk categories, not code. A practical way to use it is to map each category to a concrete control in your app, such as access checks for Broken Access Control.

// Broken Access Control is #1 — enforce authorization on every request.
// db is the app's data-access layer; req.user is set by authentication middleware.
function getInvoice(req, res) {
  const invoice = db.invoices.find(req.params.id);
  if (!invoice || invoice.ownerId !== req.user.id) {
    return res.status(404).send("Not found"); // don't confirm existence
  }
  res.json(invoice);
}
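The following is an added example, not code from the page or from OWASP, showing the ownership check above in a form that can be run offline. The invoice store, request and response objects are constructed stand-ins for a database and an Express-style handler; the vulnerable variant is included only to show what the ownership check changes.

```javascript
// Constructed sample data: two users, two invoices (not from the page).
const invoices = new Map([
  [101, { id: 101, ownerId: "alice", total: 120 }],
  [102, { id: 102, ownerId: "bob", total: 75 }],
]);

// Minimal response stub: records status and body instead of writing to a socket.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (b) => { res.body = b; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Insecure shape (an insecure direct object reference): the handler checks
// only that the record exists, so any authenticated user can read any invoice.
function getInvoiceInsecure(req, res) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice) return res.status(404).send("Not found");
  return res.json(invoice);
}

// Hardened shape: authorization is tied to the record's owner, and a record
// belonging to someone else is indistinguishable from a missing one.
function getInvoiceSecure(req, res) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice || invoice.ownerId !== req.user.id) {
    return res.status(404).send("Not found");
  }
  return res.json(invoice);
}

// Runs a handler as a given user for a given id and returns the recorded outcome.
// req.user stands in for what authentication middleware would attach.
function call(handler, userId, invoiceId) {
  const req = { params: { id: String(invoiceId) }, user: { id: userId } };
  const res = makeRes();
  handler(req, res);
  return { status: res.statusCode, body: res.body };
}
```

Running `call(getInvoiceInsecure, "bob", 101)` returns status 200 with Alice's invoice, while `call(getInvoiceSecure, "bob", 101)` returns 404, the same result as a non-existent id, so the response leaks neither the record nor its existence.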

Examples

Recent categories (2021 edition) include, among others:

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection            (see SQL injection and XSS)
A05 Security Misconfiguration
A07 Identification and Authentication Failures

Map a category to action — Security Misconfiguration means, for example, hiding framework details and disabling debug output in production:

if (process.env.NODE_ENV === "production") {
  app.set("x-powered-by", false); // hide framework details
}
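As an added example (not from the page), the same mapping can be turned into a small rule set that audits an application's settings before deployment. The settings object is an assumed, Express-like bag of app settings plus the environment name, and the three rules are illustrative of how a category maps to checkable controls; they are not OWASP's own checklist.

```javascript
// Each rule names a misconfiguration, says when it applies, and suggests the fix.
// Rule set is constructed for this example.
const RULES = [
  {
    id: "x-powered-by",
    failsWhen: (s) => s.env === "production" && s["x-powered-by"] !== false,
    fix: 'app.set("x-powered-by", false)',
  },
  {
    id: "debug-output",
    failsWhen: (s) => s.env === "production" && s.debug === true,
    fix: "disable verbose error pages and stack traces in production",
  },
  {
    id: "env-not-production",
    failsWhen: (s) => s.env !== "production",
    fix: "set NODE_ENV=production on deployed instances",
  },
];

// Returns the list of rules the given settings violate.
function auditSettings(settings) {
  return RULES.filter((r) => r.failsWhen(settings)).map((r) => ({ id: r.id, fix: r.fix }));
}

// Applies the production hardening the rules expect, leaving other settings intact.
function harden(settings) {
  return { ...settings, env: "production", "x-powered-by": false, debug: false };
}

// Checks a captured set of response headers (constructed input) for the
// framework banner that the x-powered-by setting controls.
function checkResponseHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return "x-powered-by" in lower ? ["x-powered-by header exposed: " + lower["x-powered-by"]] : [];
}
```

Running `auditSettings` on a development-style configuration deployed as production lists the violated rules with their fixes, and running it again on `harden(settings)` returns an empty list; `checkResponseHeaders` confirms the same control from the outside by looking at what the server actually sends.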

Common Mistakes

  • Treating the list as one-time compliance rather than ongoing practice
  • Focusing only on injection while ignoring access control, the top risk
  • Assuming a framework handles every category automatically
  • Skipping dependency and configuration reviews (misconfiguration is common)
  • Not revisiting the list when OWASP publishes an updated edition

See Also

web-security-fundamentals web-security-xss web-security-sql-injection