OWASP TOP 10

Summary

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. The version used in this section is OWASP Top 10:2021.

Definitions

Definition	Requirements
A1. Broken access control	033. Restrict administrative access 035. Manage privilege modifications 080. Prevent log modification 095. Define users with privileges 096. Set user's required privileges 176. Restrict system objects 186. Use the principle of least privilege 265. Restrict access to critical processes 266. Disable insecure functionalities 320. Avoid client-side control enforcement 341. Use the principle of deny by default
A2. Cryptographic failures	024. Transfer information using session objects 029. Cookies with security attributes 032. Avoid session ID leakages 037. Parameters without sensitive data 045. Remove metadata when sharing files 083. Avoid logging sensitive data 145. Protect system cryptographic keys 156. Source code without sensitive information 176. Restrict system objects 177. Avoid caching and temporary files 180. Use mock data 183. Delete sensitive data securely 184. Obfuscate application data 185. Encrypt sensitive information 261. Avoid exposing sensitive information 264. Request authentication 300. Mask sensitive data 320. Avoid client-side control enforcement 329. Keep client-side storage without sensitive data 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 339. Avoid storing sensitive files in the web root 349. Include HTTP security headers 375. Remove sensitive data from client-side applications
A3. Injection	029. Cookies with security attributes 032. Avoid session ID leakages 037. Parameters without sensitive data 043. Define an explicit content type 045. Remove metadata when sharing files 050. Control calls to interpreted code 083. Avoid logging sensitive data 117. Do not interpret HTML code 145. Protect system cryptographic keys 160. Encode system outputs 169. Use parameterized queries 173. Discard unsafe inputs 180. Use mock data 321. Avoid deserializing untrusted data 340. Use octet stream downloads 342. Validate request parameters 344. Avoid dynamic code execution 349. Include HTTP security headers
A4. Insecure design	062. Define standard configurations 147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 266. Disable insecure functionalities 325. Protect WSDL files 327. Set a rate limit 348. Use consistent encoding 349. Include HTTP security headers
A5. Security misconfiguration	043. Define an explicit content type 050. Control calls to interpreted code 062. Define standard configurations 078. Disable debugging events 157. Use the strict mode 161. Define secure default options 205. Configure PIN 206. Configure communication protocols 235. Define credential interface 252. Configure key encryption 259. Segment the organization network 266. Disable insecure functionalities 284. Define maximum number of connections 349. Include HTTP security headers 351. Assign unique keys to each device 352. Enable trusted execution 353. Schedule firmware updates
A6. Vulnerable and outdated components	154. Eliminate backdoors 158. Use a secure programming language 167. Close unused resources 262. Verify third-party components 353. Schedule firmware updates
A7. Identification and authentication failures	023. Terminate inactive user sessions 025. Manage concurrent sessions 028. Allow users to log out 029. Cookies with security attributes 030. Avoid object reutilization 031. Discard user session data 088. Request client certificates 093. Use consistent certificates 096. Set user's required privileges 114. Deny access with inactive credentials 122. Validate credential ownership 126. Set a password regeneration mechanism 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 140. Define OTP lifespan 141. Force re-authentication 146. Remove cryptographic keys from RAM 153. Out of band transactions 172. Encrypt connection strings 175. Protect pages from clickjacking 176. Restrict system objects 227. Display access notification 229. Request access credentials 232. Require equipment identity 237. Ascertain human interaction 238. Establish safe recovery 247. Hide SSID on private networks 264. Request authentication 265. Restrict access to critical processes 301. Notify configuration changes 319. Make authentication options equally secure 332. Prevent the use of breached passwords 335. Define out of band token lifespan 347. Invalidate previous OTPs 357. Use stateless session tokens 362. Assign MFA mechanisms to a single account 364. Provide extended validation (EV) certificates 369. Set a maximum lifetime in sessions 373. Use certificate pinning
A8. Software and data integrity failures	030. Avoid object reutilization 050. Control calls to interpreted code 178. Use digital signatures 223. Uniform distribution in random numbers 238. Establish safe recovery 302. Declare dependencies explicitly 321. Avoid deserializing untrusted data 342. Validate request parameters 357. Use stateless session tokens
A9. Security logging and monitoring failures	046. Manage the integrity of critical files 075. Record exceptional events in logs 079. Record exact occurrence time of events 083. Avoid logging sensitive data 160. Encode system outputs 376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system
A10. Server-side request forgery	255. Allow access only to the necessary ports 259. Segment the organization network 324. Control redirects

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.