What is the OWASP Top 10?
The OWASP Top 10 is a standard awareness document published by the Open Worldwide Application Security Project (OWASP), a nonprofit foundation dedicated to improving software security. It ranks the ten most critical security risks to web applications, based on data gathered from hundreds of organizations and a survey of security professionals.
It has become the common language for web application security—referenced by developers, penetration testers, auditors, and compliance frameworks worldwide. The most recent finalized edition is the 2021 list; OWASP revises it every few years, so it is worth confirming the current version at owasp.org.
Awareness document, not a checklist
The Top 10 covers the most prevalent and impactful risk categories—not every vulnerability. For a comprehensive testing standard, OWASP points teams to the Application Security Verification Standard (ASVS).
The OWASP Top 10 List
The 2021 edition ranks the ten risk categories as follows:
A01 — Broken Access Control
Users acting outside their intended permissions—viewing other accounts, escalating privileges, or accessing admin functions. Now the most common web application risk.
A02 — Cryptographic Failures
Weak or missing encryption of sensitive data in transit or at rest, exposing passwords, financial data, and health records. Previously called Sensitive Data Exposure.
A03 — Injection
Untrusted input interpreted as a command or query—SQL injection, command injection, and cross-site scripting (XSS), which is now grouped here.
A04 — Insecure Design
Flaws baked into architecture and logic that no amount of clean implementation can fix. Emphasizes threat modeling and secure design from the start.
A05 — Security Misconfiguration
Default credentials, unnecessary features, verbose errors, and unpatched or improperly hardened systems. Often the easiest issue for attackers to find.
A06 — Vulnerable and Outdated Components
Using libraries, frameworks, or software with known vulnerabilities. A single outdated dependency can compromise an entire application.
A07 — Identification and Authentication Failures
Weak login, session, or credential handling—credential stuffing, weak passwords, broken session management. Formerly Broken Authentication.
A08 — Software and Data Integrity Failures
Acting on code, updates, or serialized data whose integrity has never been verified, including insecure deserialization, unsigned or unchecked updates, and compromised CI/CD pipelines or software supply chains.
A09 — Security Logging and Monitoring Failures
Insufficient logging, monitoring, or alerting, which lets breaches go undetected. Attackers dwell for weeks when no one is watching.
A10 — Server-Side Request Forgery (SSRF)
Tricking a server into making requests to unintended destinations, often used to reach internal systems and cloud metadata services from behind the firewall.
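The SSRF entry above describes the attack; the usual defence is to validate the destination before the server makes the request. The following Python example is added here to illustrate that and is not code from the OWASP project. It assumes a hypothetical image-proxy feature with an allowlist of upstream hosts, and uses a constructed DNS table so it runs offline; a real service would resolve with socket.getaddrinfo() and then connect to the exact address it validated.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. A real service resolves
# with socket.getaddrinfo() and must connect to the address it validated.
FAKE_DNS = {
    "images.example.com": "20.30.40.50",            # legitimate upstream (constructed public IP)
    "cdn.example.com": "45.60.70.80",               # legitimate upstream (constructed public IP)
    "internal-wiki.corp": "10.0.0.5",               # private network behind the firewall
    "metadata.google.internal": "169.254.169.254",  # link-local cloud metadata service
    "attacker.example.net": "127.0.0.1",            # attacker-controlled name pointed at loopback
}

# Hosts this hypothetical image-proxy feature is allowed to fetch from.
ALLOWED_HOSTS = frozenset({"images.example.com", "cdn.example.com"})


def resolve(host: str) -> str:
    """Stand-in resolver backed by the constructed table above."""
    if host not in FAKE_DNS:
        raise ValueError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast space.

    ipaddress.is_global is False for loopback, RFC 1918, link-local
    (169.254.0.0/16, which covers 169.254.169.254), CGNAT and reserved ranges.
    """
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the IP the fetch may connect to, or raise ValueError.

    Deny by default: only http(s), no embedded credentials, host on the
    allowlist (when one is configured), and the *resolved* address public.
    Checking the resolved address rather than the string form also defeats
    encodings such as decimal or hex IPs that a resolver would accept.
    The caller should connect to the returned IP and send the original
    hostname in Host/SNI, so a DNS answer that changes between check and
    use (rebinding) cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host}")
    try:
        ip = str(ipaddress.ip_address(host))  # literal IP in the URL: no lookup needed
    except ValueError:
        ip = resolve(host)
    if not is_public_address(ip):
        raise ValueError(f"{host} resolves to non-public address {ip}")
    return ip


def fetch_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, allowed_hosts)
        return True
    except ValueError:
        return False
```

Passing allowed_hosts=None shows the weaker posture a webhook or "fetch any URL" feature is forced into: the public-address check alone still blocks loopback, private ranges and the metadata service. Two caveats apply in either mode: the HTTP client must not follow redirects automatically (each hop needs the same validation), and the same rules must cover IPv6 and any proxy the server uses.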
How to Prevent These Vulnerabilities
No single control defeats every risk, but a layered approach addresses the majority of the Top 10:
Adopt Secure Design and Threat Modeling
Identify trust boundaries and abuse cases before writing code so entire vulnerability classes are designed out rather than patched later.
Validate Input and Use Parameterized Queries
Treat all input as untrusted. Use parameterized queries and safe APIs so that data is never interpreted as part of a command, and encode output for the context it lands in (HTML body, attribute, JavaScript, URL) to prevent XSS.
Enforce Access Control Server-Side
Deny by default and verify authorization on the server for every request, checking that this caller may perform this action on this specific object. Never rely on hiding UI elements or client-side checks.
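The following Python example is added to show what "deny by default, verified on the server" looks like in a request handler; it is not code from OWASP. It assumes a hypothetical invoice resource with a constructed in-memory store, a single authorize() policy function, and a handler that takes identity only from the server-side session and ignores any role the client claims in the request body.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """Identity established by the server (e.g. from a signed session cookie)."""
    user_id: int
    roles: frozenset


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: int


# Constructed data store: two invoices belonging to two different customers.
INVOICES = {
    1: Invoice(id=1, owner_id=100, total=250),
    2: Invoice(id=2, owner_id=200, total=9900),
}


def authorize(session: Session, action: str, invoice: Invoice) -> bool:
    """Single policy function. Anything not explicitly granted here is denied."""
    if "admin" in session.roles:
        return True
    if action in ("read", "update"):
        return invoice.owner_id == session.user_id
    return False  # e.g. "delete": owners have no rule, so they are denied


def handle_invoice_request(session: Session, method: str, invoice_id: int,
                           body: Optional[dict] = None):
    """Server-side handler. Returns (status, payload) like an HTTP response.

    The request body is never consulted for identity or role: a body such as
    {"role": "admin"} is simply ignored. Every request passes through
    authorize(), and a record the caller cannot read is reported as 404 so
    invoice IDs cannot be enumerated by probing for 403s.
    """
    action = {"GET": "read", "PUT": "update", "DELETE": "delete"}.get(method)
    if action is None:
        return 405, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not authorize(session, "read", invoice):
        return 404, None
    if not authorize(session, action, invoice):
        return 403, None
    if action == "delete":
        del INVOICES[invoice_id]
        return 204, None
    if action == "update":
        # Only fields the policy allows come from the body; ownership is not one of them,
        # so a client-supplied "owner_id" cannot reassign the record.
        new_total = int((body or {}).get("total", invoice.total))
        updated = Invoice(id=invoice.id, owner_id=invoice.owner_id, total=new_total)
        INVOICES[invoice_id] = updated
        return 200, updated
    return 200, invoice
```

Two design points matter here: the policy lives in one place and returns False unless a rule grants the action, so adding a new action (say, "export") is denied until someone writes its rule; and the object-level check (owner_id == user_id) is what prevents the classic insecure-direct-object-reference bug of changing the ID in the URL.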
Patch Dependencies and Harden Configuration
Track and update third-party components, remove unused features, change defaults, and apply hardened, repeatable configuration baselines.
Log, Monitor, and Test Continuously
Centralize security logging with alerting, and run automated scanning plus periodic penetration testing to catch issues before attackers do.
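As an added illustration of the logging and monitoring advice above (and of the credential-stuffing pattern named under A07), the following Python example runs a simple sliding-window detector over a constructed sample of JSON-lines authentication events. It is not code from OWASP; the events, thresholds and field names are assumptions chosen for the example.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: JSON-lines auth events as a central log pipeline would
# receive them. Note what is logged (outcome, user, source, time) and what is
# not (the password). One source tries five different accounts in ten seconds
# and then succeeds; another is a user mistyping their own password.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01+00:00", "event": "login_failure", "user": "alice", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:02+00:00", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.8"}
{"ts": "2024-05-01T10:00:03+00:00", "event": "login_failure", "user": "bob", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:05+00:00", "event": "login_failure", "user": "carol", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:07+00:00", "event": "login_failure", "user": "dave", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:09+00:00", "event": "login_failure", "user": "erin", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:12+00:00", "event": "login_success", "user": "erin", "src_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:00:40+00:00", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.8"}
{"ts": "2024-05-01T10:01:00+00:00", "event": "login_success", "user": "alice", "src_ip": "203.0.113.8"}
"""


def detect_credential_stuffing(lines, window=timedelta(seconds=60),
                               min_failures=5, min_distinct_users=3):
    """Sliding-window detector over auth events, processed in timestamp order.

    Emits one 'credential_stuffing' alert per source IP when, within `window`,
    it has at least `min_failures` failures spread over at least
    `min_distinct_users` accounts, and a 'success_after_stuffing' alert for
    any later success from that source (a likely account takeover that
    deserves an immediate response, not a weekly report).
    """
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])
    recent = {}      # src_ip -> deque of (ts, user) failures still inside the window
    flagged = set()  # src_ips already alerted on
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        if e["event"] == "login_failure":
            q = recent.setdefault(ip, deque())
            q.append((ts, e["user"]))
            while q and ts - q[0][0] > window:
                q.popleft()
            users = {u for _, u in q}
            if ip not in flagged and len(q) >= min_failures and len(users) >= min_distinct_users:
                flagged.add(ip)
                alerts.append({"kind": "credential_stuffing", "ts": e["ts"], "src_ip": ip,
                               "failures": len(q), "distinct_users": len(users)})
        elif e["event"] == "login_success" and ip in flagged:
            alerts.append({"kind": "success_after_stuffing", "ts": e["ts"],
                           "src_ip": ip, "user": e["user"]})
    return alerts
```

The detector only works because the application emitted structured events with a timestamp, outcome, account and source address for every login attempt, success and failure alike; the same events also support the account-level view (one account failing from many sources) that password spraying requires. Thresholds are deliberately parameters: they belong in the alerting configuration, tuned against real traffic, not hard-coded.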
How to Use the OWASP Top 10
The Top 10 is most valuable as a shared baseline. Development teams use it to prioritize secure-coding training and code review; security teams map findings to its categories to communicate risk to leadership; and many compliance and procurement processes reference it directly.
Treat it as a floor, not a ceiling. Pair awareness of these categories with threat modeling, dependency management, and regular testing—many of the breaches we cover begin with a single one of these risks left unaddressed. See our What is a Data Breach guide for what happens when they are exploited.
Frequently Asked Questions
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated, community-driven list of the ten most critical web application security risks, published by the Open Worldwide Application Security Project. It is the de facto awareness standard for developers and security teams.
Is the OWASP Top 10 a complete security checklist?
No. It is an awareness document covering the most prevalent and impactful risk categories, not an exhaustive checklist. For a fuller standard, OWASP recommends the Application Security Verification Standard (ASVS).
How often is the OWASP Top 10 updated?
OWASP revises the list every few years based on data collected from hundreds of organizations and a community survey. The 2021 edition is the most recent finalized release; always check owasp.org for the latest version.
What is the most common web application vulnerability?
In the current (2021) list, Broken Access Control (A01) ranks first—it was found in the highest percentage of tested applications, overtaking Injection, which had topped previous editions.