OWASP Top 10: Critical Web Vulnerabilities
The most exploited threats in web applications and how to prevent them with concrete measures
The OWASP Top 10 is the reference standard for identifying the most critical security risks in web applications. Published by the Open Worldwide Application Security Project, it is updated periodically based on real data from thousands of organisations and millions of detected vulnerabilities.
Knowing this ranking is not just an academic exercise — it is a practical roadmap for prioritising security efforts. Each Top 10 vulnerability has clear detection patterns and proven prevention measures that any development team can implement.
A01: Broken access control
Broken access control holds the top position because it is the most commonly found vulnerability in real-world applications. It occurs when a user can access resources or perform actions they should not be able to: viewing other users’ data, modifying permissions or accessing administrative functions.
Prevention requires denying access by default, implementing access controls on the server (never trusting the client), applying the principle of least privilege and logging all access control failures to detect attack patterns.
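The deny-by-default, server-side check described above, as an added example that is not code from the original article. It contrasts a handler that trusts a client-supplied `is_admin` flag with one that decides on the server and logs and counts every denial; invoice data, user names and the `AccessDenied` class are constructed for illustration.

```python
# Added example: deny-by-default authorisation for an "invoice" resource.
import logging
from collections import Counter

logger = logging.getLogger("access_control")

# Constructed sample data.
INVOICES = {
    101: {"owner": "alice", "total": 120.0},
    102: {"owner": "bob", "total": 75.5},
}
ADMINS = {"carol"}
DENIALS = Counter()  # per-user count of access-control failures


class AccessDenied(Exception):
    pass


def get_invoice_insecure(invoice_id: int, client_claims: dict) -> dict:
    """Anti-pattern: trusts an 'is_admin' flag that the client itself supplies."""
    if client_claims.get("is_admin"):
        return INVOICES[invoice_id]
    raise AccessDenied("not admin")


def can_view_invoice(user: str, invoice_id: int) -> bool:
    """Server-side rule: only the owner or an admin may view. Unknown ids are
    denied too, so the check never reveals whether a resource exists."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return user == invoice["owner"] or user in ADMINS


def get_invoice(user: str, invoice_id: int) -> dict:
    """Hardened handler: `user` comes from the server-side session, the decision
    is made here, and every failure is logged and counted."""
    if not can_view_invoice(user, invoice_id):
        DENIALS[user] += 1
        logger.warning("access denied user=%s invoice=%s", user, invoice_id)
        raise AccessDenied(f"user {user} may not view invoice {invoice_id}")
    return INVOICES[invoice_id]


def denial_count(user: str) -> int:
    """Failed attempts by `user`; a burst across many ids is a probing signal."""
    return DENIALS[user]
```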
A02: Cryptographic failures
This category covers the exposure of sensitive data through incorrect use or absence of cryptography. It includes transmitting data without TLS, storing passwords in plain text, using obsolete algorithms (MD5, SHA-1, DES) or generating weak cryptographic keys.
Classify all data your application handles and apply appropriate encryption both in transit (TLS 1.2+) and at rest (AES-256). Use bcrypt or Argon2 for passwords. Do not store sensitive data you do not need.
A03: Injection
Injection vulnerabilities — SQL, NoSQL, OS command, LDAP — occur when untrusted data is sent to an interpreter as part of a command or query. The attacker can read, modify or delete data, or even execute commands on the server.
- Always use parameterised queries or prepared statements — never concatenate user input into queries
- Apply server-side input validation with allowlists
- Implement character escaping according to context (SQL, HTML, JavaScript)
- Limit the privileges of the database account your application uses
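The first two measures above in working form, as an added example that is not code from the original article: the same lookup written with string concatenation and with a parameterised query against an in-memory SQLite table of constructed rows, plus an allowlist validator for the input.

```python
# Added example: concatenated vs parameterised SQL, plus allowlist validation.
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed allowlist shape


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is pasted into the SQL text, so a quote in it
    changes the statement; a value like  x' OR '1'='1  returns every row."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised: the value travels separately from the statement and is
    only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def validate_username(username: str) -> str:
    """Server-side allowlist check, applied before any interpreter sees the
    value. Defence in depth, not a substitute for parameterisation."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username
```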
A04: Insecure design
Introduced in the 2021 edition, this category highlights that many security problems originate in the design phase, not in implementation. An insecure design cannot be fixed by perfect implementation: if the password recovery flow relies solely on email, for example, no code can compensate for that architectural weakness.
Prevention requires threat modelling from the start of the project, security requirements review and the use of secure design patterns. Frameworks like STRIDE or PASTA help identify design risks before writing code.
A07: XSS and client-side attacks
Cross-Site Scripting (XSS) allows an attacker to inject malicious scripts into pages viewed by other users. It can steal sessions, redirect to phishing sites or manipulate page content. Three variants exist: reflected, stored and DOM-based.
Cross-Site Request Forgery (CSRF) tricks the user’s browser into performing unwanted actions on a site where they are authenticated. To prevent XSS, escape all output according to its context and deploy a Content-Security-Policy; for CSRF, implement anti-CSRF tokens and validate the Origin header.
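Both defences above as an added example, not code from the original article: context-aware escaping for an HTML text/attribute context and for a JavaScript string literal inside a `<script>` block, and a CSRF check that compares the session token in constant time and validates the Origin header (falling back to Referer) against the site's origin. The function names and the rule that requests with neither header are rejected are assumptions.

```python
# Added example: contextual output escaping and CSRF token + Origin validation.
import hmac
import html
import json
import secrets
from urllib.parse import urlparse


def escape_html_text(value: str) -> str:
    """For text nodes and quoted attribute values."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """For a value embedded in a <script> block as a JS string literal.
    json.dumps yields a quoted, escaped literal; '</' is escaped as well so
    the value can never close the surrounding <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def issue_csrf_token() -> str:
    """Random per-session token: keep it server-side, embed it in forms."""
    return secrets.token_urlsafe(32)


def same_origin(header_value: str, allowed_origin: str) -> bool:
    """Compare scheme and host:port only; 'null' or a bare path never matches."""
    got, want = urlparse(header_value), urlparse(allowed_origin)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


def verify_csrf(session_token: str, submitted_token: str,
                headers: dict, allowed_origin: str) -> bool:
    """True only if the request came from our origin AND the token matches.
    Assumption: a request carrying neither Origin nor Referer is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source, allowed_origin):
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())
```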
A05: Security misconfiguration
The default configuration of most servers, frameworks and cloud services is not secure. Unnecessary open ports, default credentials, verbose error messages, enabled directory listing or missing security headers are all exploitable configuration errors.
- Implement a repeatable, documented hardening process for each environment
- Remove unused features, components and documentation
- Automate configuration verification with tools like Ansible, Terraform or CIS Benchmarks
- Review cloud security configurations (public S3 buckets, permissive security groups) with tools like ScoutSuite or Prowler
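A small, repeatable check for three of the configuration errors named above (missing security headers, a version-leaking Server banner, verbose error bodies), as an added example that is not code from the original article. The two sample responses are constructed, and the HSTS floor and the error-body patterns are assumptions.

```python
# Added example: audit an HTTP response for common misconfigurations.
import re

# Constructed sample responses (status, headers, body).
INSECURE_RESPONSE = {
    "status": 500,
    "headers": {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"},
    "body": "Traceback (most recent call last):\n  File \"app.py\", line 12",
}
HARDENED_RESPONSE = {
    "status": 500,
    "headers": {
        "Server": "web",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "body": "Internal error. Reference: 7f3a",
}


def audit_response(resp: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in resp["headers"].items()}
    findings = []
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < 15552000:  # ~180 days, assumed floor
        findings.append("HSTS missing or max-age too short")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options / frame-ancestors)")
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append("Server header leaks software version")
    if resp["status"] >= 500 and re.search(r"Traceback|Stack trace|\bat \S+\(", resp["body"]):
        findings.append("verbose error message exposed to client")
    return findings
```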
A06: Components with known vulnerabilities
Modern applications depend on dozens or hundreds of third-party libraries. If any has a known vulnerability (CVE) and is not updated, your application inherits that risk. The Log4j attack in 2021 demonstrated the devastating impact of a single vulnerable dependency.
Maintain an up-to-date inventory of dependencies with their versions. Use tools like Dependabot, Snyk or Renovate to receive automatic vulnerability alerts. Establish an internal SLA to patch critical dependencies within 48 hours.
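The inventory-plus-SLA idea above in code, as an added example that is not from the original article: parse pinned `name==version` lines into an inventory, match it against an advisory feed and flag pins still below the fixed version once the advisory is older than the 48-hour SLA. The requirements text, the advisory feed (ids, fixed versions, dates) and the reference time are all constructed placeholders.

```python
# Added example: dependency inventory checked against an advisory feed and SLA.
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)

# Constructed inputs.
REQUIREMENTS = """
requests==2.25.1
urllib3==2.2.1
# comment line
jinja2==3.1.2
"""
ADVISORIES = {  # package: (placeholder advisory id, first fixed version, published)
    "requests": ("ADV-PLACEHOLDER-1", "2.31.0", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    "jinja2": ("ADV-PLACEHOLDER-2", "3.1.3", datetime(2024, 1, 2, tzinfo=timezone.utc)),
    "urllib3": ("ADV-PLACEHOLDER-3", "2.0.7", datetime(2024, 1, 1, tzinfo=timezone.utc)),
}
NOW = datetime(2024, 1, 3, 12, tzinfo=timezone.utc)  # constructed reference time


def version_tuple(v: str) -> tuple:
    """Numeric comparison of dotted versions (assumes plain X.Y.Z pins)."""
    return tuple(int(x) for x in v.split("."))


def inventory(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            deps[name.lower()] = version
    return deps


def overdue(deps: dict, advisories: dict, now: datetime) -> list:
    """(name, version, advisory id) for pins below the fixed version whose
    advisory was published more than SLA ago."""
    out = []
    for name, version in deps.items():
        if name not in advisories:
            continue
        adv_id, fixed, published = advisories[name]
        if version_tuple(version) < version_tuple(fixed) and now - published > SLA:
            out.append((name, version, adv_id))
    return out
```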
Key Takeaways
- Broken access control and cryptographic failures top the list of critical vulnerabilities
- Injection is prevented with parameterised queries and strict input validation
- Insecure design cannot be fixed with code — it requires threat modelling from the start
- Vulnerable dependencies are a massive attack vector: automate their monitoring
- Secure configuration is just as important as secure code
Want to evaluate your application against the OWASP Top 10?
We perform OWASP-based security audits to identify and fix vulnerabilities before they are exploited.