What is the OWASP Top 10 — the standard list of the 10 biggest web-app risks
The OWASP Top 10 is the standard list of the most critical web-application security risks. This page explains what each category (broken access control, injection, misconfiguration, and more) actually means and what to prioritize defending in your own app, with links to this site's explainers.
The "OWASP Top 10" is the common language for talking about web-app security. Here's what each item means — framed as a lens for defense, not attack steps — linked to this site's deeper explainers.
The 10 risks at a glance (2021)
Each item is a category. Map it onto your own app and work down as an audit lens.
| # | Risk | Roughly what it means | Related on this site |
|---|---|---|---|
| A01 | Broken Access Control | "logged in = allowed"; missing owner checks | authn vs authz / IDOR |
| A02 | Cryptographic Failures | secrets in plaintext, weak crypto, TLS gaps | public-key crypto / password hashing |
| A03 | Injection | input hijacks a query/command | SQL injection / XSS |
| A04 | Insecure Design | threats not considered at design time | the minimum checklist |
| A05 | Security Misconfiguration | prod debug, defaults, exposed features | CORS |
| A06 | Vulnerable & Outdated Components | ignored known CVEs in dependencies | monitoring dependency CVEs |
| A07 | Identification & Authentication Failures | weak auth, no brute-force resistance, no MFA | 2FA / passkeys |
| A08 | Software & Data Integrity Failures | tampered supply chain / update path, unverified CI/CD artifacts | history of security (supply chain) |
| A09 | Security Logging & Monitoring Failures | can't detect or trace an incident | why audit logs matter |
| A10 | Server-Side Request Forgery (SSRF) | the server is made to fetch internal targets | SSRF |
How to use it: a prioritization start, not a checklist
Don't treat 'covering' the Top 10 as done
The Top 10 is the ten most representative categories, not a guarantee of sufficiency. Use it as a starting point for prioritization and gap-finding, and also shore up foundations it doesn't directly cover — dependency CVE monitoring, secret management, backups, and detection.
Start at the top (A01–A03) in your own app
Audit access control (A01), cryptography (A02), and injection (A03) in your own code first: the most frequent incident sources cluster here, and all three are things you can verify by reading your own handlers and queries.
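What "audit access control and injection in your own code" looks like in practice, as an added example (not this site's or any app's real code): a constructed in-memory SQLite table of invoices, a handler that treats "logged in" as "allowed" and pastes the id into the SQL text (A01 and A03 at once), and the hardened handler beside it. The schema, the user ids and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (assumed schema, not the site's own app):
# user 100 owns invoice 1, user 200 owns invoice 2.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)", [(1, 100, 250), (2, 200, 999)]
    )
    conn.commit()
    return conn


# Vulnerable on two counts (kept deliberately so the failure is visible):
#  A01: the only check is "is someone logged in"; ownership is never consulted.
#  A03: the caller-supplied id is interpolated into the SQL text.
def get_invoice_vulnerable(conn, current_user_id, invoice_id):
    if current_user_id is None:
        raise PermissionError("login required")
    sql = f"SELECT id, owner_id, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


# Hardened: validate the id's type, bind it as a parameter, and make ownership
# part of the query so a foreign invoice simply does not exist for this user.
def get_invoice(conn, current_user_id, invoice_id):
    if current_user_id is None:
        raise PermissionError("login required")
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        raise ValueError("invoice id must be an integer")
    row = conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()
    if row is None:
        # Same answer whether the invoice is missing or belongs to someone else:
        # don't let the error message confirm that another user's id exists.
        raise PermissionError("not found")
    return row


def demo():
    """Run both handlers as user 100 (Alice) and summarize what each allowed."""
    conn = make_db()
    alice = 100
    # IDOR: Alice is logged in and just changes the id to Bob's invoice.
    idor_rows = get_invoice_vulnerable(conn, alice, "2")
    # Injection: the "id" turns the WHERE clause into a tautology and dumps every row.
    dumped_rows = get_invoice_vulnerable(conn, alice, "1 OR 1=1")
    own = get_invoice(conn, alice, "1")
    try:
        get_invoice(conn, alice, "2")
        foreign_blocked = False
    except PermissionError:
        foreign_blocked = True
    try:
        get_invoice(conn, alice, "1 OR 1=1")
        injection_blocked = False
    except ValueError:
        injection_blocked = True
    return {
        "idor_leaked": idor_rows == [(2, 200, 999)],
        "injection_row_count": len(dumped_rows),
        "own_invoice": own,
        "foreign_blocked": foreign_blocked,
        "injection_blocked": injection_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The audit question for A01 is "where does this handler prove the caller may touch this object?"; in the hardened version the answer is the `owner_id = ?` predicate, not a check that happens to be somewhere else. The audit question for A03 is "does any user-controlled value reach the query as text?"; the parameter binding answers it regardless of what the caller sends.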
Check config and dependencies (A05, A06) mechanically
Tighten production config (no debug exposure) and make dependency CVE monitoring a mechanism.
Have detection (A09) before an incident
Without logs and monitoring you can't notice or trace an incident. Retain at least basic audit and access logs, and make sure denied requests (403s, failed logins) are logged too: a string of refusals is often the only visible trace of someone probing for A01-style holes.
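A small piece of detection logic over constructed access-log lines, added here as an example (not this site's own tooling): it flags a logged-in user who is refused on several distinct object ids within a short window, the access pattern of someone enumerating ids. The log format, the window and the threshold are assumptions made for the example; the point is that the same activity is invisible if only successful requests are logged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format "<ts> user=<id> <method> <path> <status>").
# User 100 reads their own invoice, then walks through ids that are not theirs.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z user=100 GET /invoices/1 200",
    "2024-05-01T10:00:02Z user=100 GET /invoices/2 403",
    "2024-05-01T10:00:03Z user=100 GET /invoices/3 403",
    "2024-05-01T10:00:04Z user=100 GET /invoices/4 403",
    "2024-05-01T10:00:05Z user=100 GET /invoices/5 403",
    "2024-05-01T10:00:09Z user=200 GET /invoices/2 200",
    "2024-05-01T10:00:10Z user=200 GET /invoices/7 403",
    "2024-05-01T10:30:00Z user=100 GET /invoices/6 403",
]

LINE_RE = re.compile(r"^(\S+) user=(\d+) (\w+) (\S+) (\d{3})$")
RESOURCE_RE = re.compile(r"^/invoices/(\d+)$")


def parse_line(line):
    """Return (timestamp, user, path, status) or None if the line doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(4), int(m.group(5))


def detect_enumeration(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag users refused on >= `threshold` distinct object ids within `window`.

    Returns {user: {"at": <timestamp>, "denied_ids": [...]}} recorded the first
    time each user crosses the threshold (later activity does not overwrite it).
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, object id) denials
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, path, status = parsed
        obj = RESOURCE_RE.match(path)
        if status != 403 or obj is None:
            continue
        q = recent[user]
        q.append((ts, obj.group(1)))
        # Sliding window: drop denials older than `window` relative to this event.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {oid for _, oid in q}
        if len(distinct) >= threshold and user not in alerts:
            alerts[user] = {
                "at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "denied_ids": sorted(distinct, key=int),
            }
    return alerts


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
    # With only successful requests retained, the same probing leaves no trace.
    print(detect_enumeration([l for l in SAMPLE_LOG if l.endswith(" 200")]))
```

Running it flags user 100 at the fourth request (three distinct refused ids inside a minute) and not user 200, whose single 403 is ordinary noise; feeding it only the 200-status lines flags nobody, which is the A09 failure in miniature.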
This site's view: a tool for mapping onto your own code
The value of the Top 10 isn't memorizing numbers — it's mapping each category onto your own app and auditing it. This site keeps per-risk explainers translated into "how you defend." Use the Top 10 as an entry point, and start with the top items — access control, cryptography, injection — in your own code.
Read next
- Basics: authentication vs authorization (the heart of A01) · the minimum security checklist
- Glossary: SQL injection · IDOR · SSRF
- History: the history of security (timeline)
FAQ
Q: What is the OWASP Top 10?
It's a list the non-profit OWASP (Open Worldwide Application Security Project) publishes periodically, roughly every three to four years, of the 'most critical web-application security risks,' organized into ten categories. It isn't a set of attack recipes; it's a common language developers and operators use to check 'where do I at least need to look.' This page follows the 2021 edition (the categories and numbering in the table above).
Q: What is number one on the OWASP Top 10?
The 2021 edition is led by Broken Access Control: the flaw where being logged in is treated as being allowed, without checking whether that user may actually perform that action or touch that data. IDOR (reaching someone else's data by supplying their ID) is a classic example of this category.
Q: If I cover the OWASP Top 10, am I safe?
No. The Top 10 is the ten most representative categories, not a checklist that guarantees sufficiency. Use it as a starting point for prioritization and gap-finding, and also shore up the foundations it doesn't directly cover: dependency CVE monitoring, secret management, backups, and detection.