OWASP: Open Worldwide Application Security Project — a non-profit that produces free, vendor-neutral security guidance.
OWASP Top 10: A ranked list of the 10 most critical and prevalent web application security risk categories.
Vulnerability: A weakness in a system that can be exploited to compromise security or functionality.
Risk Category: A class of vulnerabilities grouped by their root cause, attack pattern, or impact type.

What is OWASP?

OWASP (Open Worldwide Application Security Project) is a non-profit foundation established in 2001. It produces free, open-source security tools, documentation, and standards used by developers, security teams, and regulators worldwide. OWASP does not endorse vendors or sell products — everything it produces is freely available.

The OWASP Top 10 is their flagship project: a consensus document based on data from hundreds of organisations, covering the most common and impactful web application vulnerabilities. It is updated approximately every three to four years, reflecting changes in the threat landscape. The current version is the OWASP Top 10 — 2021.

94% of applications tested showed some form of broken access control — the #1 risk in the 2021 list.
43% of data breaches involve web application vulnerabilities as the initial entry point.
$4.45M: average cost of a data breach in 2023 — many of which exploit OWASP Top 10 vulnerabilities.

The OWASP Top 10 (2021 edition)

Each entry represents a category of vulnerability, not a single specific flaw. Here is every category explained:

  1. A01 Broken Access Control — Users can act outside their intended permissions: accessing other users' accounts, viewing sensitive files, or performing admin actions. Moved to #1 in 2021. Example: changing a URL from /user/123/profile to /user/124/profile and seeing another user's data.
  2. A02 Cryptographic Failures — Sensitive data (passwords, credit card numbers, health records) exposed due to weak or missing encryption. Includes transmitting data over HTTP instead of HTTPS, using MD5 for password hashing, or storing encryption keys alongside encrypted data.
  3. A03 Injection — Untrusted data sent to an interpreter as part of a command or query. SQL injection, OS command injection, LDAP injection, and NoSQL injection all fall here. Allows attackers to read, modify, or delete data, and in some cases execute system commands.
  4. A04 Insecure Design — New in 2021. Security flaws baked in at the design phase rather than introduced during implementation. A sign-up flow without rate limiting enabling credential stuffing, or a password reset that uses predictable security questions.
  5. A05 Security Misconfiguration — Default credentials left unchanged, unnecessary features enabled, error messages revealing stack traces, cloud storage buckets left publicly accessible, or missing security headers. Extremely common and often easy to exploit.
  6. A06 Vulnerable and Outdated Components — Using libraries, frameworks, or OS components with known vulnerabilities. The Log4Shell vulnerability (CVE-2021-44228) is a textbook example: a widely-used library with a critical flaw affecting millions of applications.
  7. A07 Identification and Authentication Failures — Weak passwords permitted, no MFA, session IDs exposed in URLs, no account lockout after failed logins, or passwords stored in plain text. Allows attackers to assume other users' identities.
  8. A08 Software and Data Integrity Failures — New in 2021. Code and infrastructure not protected against integrity violations: insecure deserialization, auto-updates fetched without signature verification, CI/CD pipeline poisoning (SolarWinds is an extreme example).
  9. A09 Security Logging and Monitoring Failures — Without sufficient logging, breaches go undetected. This category covers insufficient log detail, logs not monitored, no alerting on suspicious activity, and logs stored in a way attackers can tamper with.
  10. A10 Server-Side Request Forgery (SSRF) — New in 2021. The application fetches a remote resource specified by user-supplied input. Attackers use this to make the server query internal services (e.g., cloud metadata endpoints) that should not be reachable from outside.
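
The A01 and A03 entries above describe the same small handler failing in two ways: it trusts the id in the URL, and it splices that id into a query. The following is an added example, not code from this page or from OWASP, showing a constructed profile lookup first in that vulnerable form and then hardened (ownership decided from the server-side session, id bound as a query parameter). The route /user/<id>/profile, the in-memory users table and the two accounts are assumptions for the demo.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed data: two accounts. The table layout is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(123, "alice", "alice@example.com"), (124, "bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def get_profile_vulnerable(conn, session_user_id, requested_id):
    """Handler for /user/<requested_id>/profile, the 'before' form.

    A01: the id taken from the URL is never compared with the logged-in user,
         so user 123 asking for /user/124/profile is served Bob's record.
    A03: the id is spliced into the SQL text, so anything that is not a plain
         number runs as part of the query instead of being compared as data.
    """
    sql = f"SELECT id, name, email FROM users WHERE id = {requested_id}"
    return conn.execute(sql).fetchall()


class Forbidden(Exception):
    """Raised when the session user does not own the requested resource."""


def get_profile_hardened(conn, session_user_id, requested_id):
    """Same endpoint with server-side authorization and a bound parameter.

    A01 fix: the decision comes from the authenticated session, not from
             anything the client controls; a mismatch is denied by default.
    A03 fix: the id is validated as an integer and handed to the driver as a
             parameter, so it can only ever be compared, never interpreted.
    """
    try:
        rid = int(requested_id)
    except (TypeError, ValueError):
        raise ValueError("profile id must be an integer")
    if rid != session_user_id:
        raise Forbidden(f"user {session_user_id} may not view profile {rid}")
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (rid,)
    ).fetchall()


def hardened_outcome(conn, session_user_id, requested_id) -> str:
    """Collapse the hardened handler's result into a label for checks and logs."""
    try:
        rows = get_profile_hardened(conn, session_user_id, requested_id)
    except Forbidden:
        return "forbidden"   # worth logging and alerting on (see A09)
    except ValueError:
        return "bad-input"
    return "ok" if rows else "not-found"


if __name__ == "__main__":
    conn = build_db()
    # User 123 changes the URL to 124: the vulnerable handler leaks Bob's record.
    print("vulnerable, other user's id:", get_profile_vulnerable(conn, 123, "124"))
    # A non-numeric id rewrites the query itself and returns every row.
    print("vulnerable, non-numeric id: ", get_profile_vulnerable(conn, 123, "0 OR 1=1"))
    # Hardened: the user's own profile works; the other two requests are refused.
    for req in ("123", "124", "0 OR 1=1"):
        print(f"hardened, id={req!r}:", hardened_outcome(conn, 123, req))
```

The hardened handler denies by default and treats a refused request as an event worth recording, which is the link to A09: an access-control failure that is never logged is also a monitoring failure.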

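For A10, the practical defence is to validate a user-supplied URL before the server fetches it. The following is an added example, not code from this page or from OWASP: a deny-by-default check in Python that enforces an allowed scheme and a host allowlist and then confirms that the host resolves only to public addresses, so a name that points at loopback, a private range or the link-local metadata address is refused. The allowlist, the hostnames and the offline fake resolver are assumptions constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions for the demo: the only hosts this service may fetch from and the
# only scheme it may use. A real deployment would load these from configuration.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 private ranges, link-local (where the
    169.254.169.254 cloud metadata service lives), IPv6 ULA and multicast.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def resolve_all(host: str) -> list[str]:
    """Real resolver: every A/AAAA address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Decide whether the server may fetch a user-supplied URL.

    Returns (allowed, reason). Order of checks: scheme, host present, no
    embedded credentials, host allowlist, then the resolved addresses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host!r}"
    # An allowlisted name is not enough on its own: if its DNS record points at
    # an internal address, the fetch would still reach the internal network.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS records so the demo runs offline; cdn.example.com is made to
# point inward deliberately so the resolution check can be seen firing.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def fake_resolver(host: str) -> list[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for url in (
        "https://images.example.com/logo.png",
        "http://169.254.169.254/",
        "https://169.254.169.254/",
        "https://cdn.example.com/asset.js",
        "https://user:pw@images.example.com/",
        "https://nope.example.com/",
    ):
        print(f"{url:45} -> {validate_fetch_url(url, fake_resolver)}")
```

Two caveats for production use. Validation and fetch are separate steps, so the HTTP client should connect to the address that was just validated rather than resolving the name a second time, otherwise a record that changes between the two lookups bypasses the check. Redirects must also be validated the same way, since a permitted host can redirect the server to an internal one.
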
Why the OWASP Top 10 matters

The OWASP Top 10 has become a universal reference point in the industry. It is cited in:

  • Compliance frameworks: PCI-DSS, SOC 2, ISO 27001, and NIST guidelines all reference OWASP Top 10 coverage as a baseline for web application security.
  • Penetration testing: CEH, OSCP, and bug bounty programmes all structure web application testing around OWASP Top 10 categories.
  • Developer training: OWASP provides WebGoat, Juice Shop, and DVWA — intentionally vulnerable web applications for safe hands-on practice.
  • Procurement and vendor assessments: Organisations require third-party software vendors to demonstrate OWASP Top 10 coverage in their security testing.

OWASP also maintains the API Top 10 — a separate list specifically for API vulnerabilities, which differ in important ways from traditional web app attacks. As APIs have become the dominant way applications communicate, understanding both lists is essential for modern security practitioners.

Practise OWASP Top 10 in live labs

CEH v13 includes hands-on web application hacking using DVWA and Juice Shop — covering every OWASP Top 10 category with real exploitation practice.