OWASP Top Ten
An overview of the most critical web application security risks
Overview
The OWASP Top Ten is a widely used, regularly updated list of the most critical web application security risks, published by the Open Worldwide Application Security Project. It gives teams a shared checklist to prioritize defenses against the issues that cause the most real-world damage. Learning it is a fast way to cover the vulnerabilities attackers exploit most often.
Syntax / Usage
The list is a set of risk categories, not code. A practical way to use it is to map each category to a concrete control in your app, such as access checks for Broken Access Control.
// Broken Access Control is #1 — enforce authorization on every request
function getInvoice(req, res) {
  const invoice = db.invoices.find(req.params.id);
  // A missing invoice and someone else's invoice get the identical response
  if (!invoice || invoice.ownerId !== req.user.id) {
    return res.status(404).send("Not found"); // don't confirm existence
  }
  res.json(invoice);
}
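The snippet above checks one route by hand. The following added example (not from the page or from OWASP) shows the same A01 control as a deny-by-default policy in plain Node.js, so a route with no policy entry is refused rather than accidentally public; the users, invoices and policy table are constructed for the demonstration.

```javascript
// Added example, not from the page or OWASP: deny-by-default object-level
// authorization in plain Node.js. Users, invoices and the policy are constructed.
const users = {
  alice: { id: "u1", roles: ["customer"] },
  bob:   { id: "u2", roles: ["customer"] },
  root:  { id: "u3", roles: ["admin"] },
};
const invoices = {
  inv1: { id: "inv1", ownerId: "u1", total: 42 },
  inv2: { id: "inv2", ownerId: "u2", total: 7 },
};

// Policy: resource type -> action -> predicate. Anything not listed is denied,
// so adding a route without a rule fails closed instead of open.
const policy = {
  invoice: {
    read:   (user, inv) => inv.ownerId === user.id || user.roles.includes("admin"),
    delete: (user, inv) => user.roles.includes("admin"),
  },
};

function isAllowed(user, type, action, resource) {
  const rule = policy[type]?.[action];
  return Boolean(user && resource && rule && rule(user, resource));
}

// One response for "missing", "not yours" and "no such action": a caller
// enumerating ids cannot learn which invoices exist (no existence oracle).
function notFound() {
  return { status: 404, body: { error: "Not found" } };
}

function lookup(type, id) {
  return type === "invoice" ? invoices[id] : undefined;
}

// Every handler is wrapped, so the policy check cannot be forgotten per route.
function protect(type, action, handler) {
  return (user, id) => {
    const resource = lookup(type, id);
    if (!isAllowed(user, type, action, resource)) return notFound();
    return handler(user, resource);
  };
}

const readInvoice = protect("invoice", "read", (_user, inv) => ({ status: 200, body: inv }));
// "export" has no policy entry, so this route always answers 404.
const exportInvoice = protect("invoice", "export", (_user, inv) => ({ status: 200, body: inv }));
```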
Examples
Recent categories (2021 edition) include, among others:
- A01 Broken Access Control
- A02 Cryptographic Failures
- A03 Injection (see SQL injection and XSS)
- A05 Security Misconfiguration
- A07 Identification and Authentication Failures
Map a category to action — Security Misconfiguration means disabling debug output and framework banners in production:
if (process.env.NODE_ENV === "production") {
  app.set("x-powered-by", false); // hide framework details
}
Common Mistakes
- Treating the list as one-time compliance rather than ongoing practice
- Focusing only on injection while ignoring access control, the top risk
- Assuming a framework handles every category automatically
- Skipping dependency and configuration reviews (misconfiguration is common)
- Not revisiting the list when OWASP publishes an updated edition
See Also
web-security-fundamentals web-security-xss web-security-sql-injection