OWASP Top 10 Reference

All 10 OWASP Web Application Security Risks with descriptions.

Reference of the OWASP Top 10 (2021) web application security risks with rank, description, common examples and concrete mitigation for each, plus a live filter. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What is the OWASP Top 10?

The OWASP Top 10 is a community-driven awareness document listing the ten most critical web application security risks. It is maintained by the Open Worldwide Application Security Project and is widely used as a baseline for secure development and testing.

The ten most critical web application risks

The OWASP Top 10 is the most widely referenced awareness document in web application security. It ranks the categories of risk that cause the most damage, based on data from hundreds of organisations and a community survey. This reference lists all ten from the 2021 edition with a plain-language description, common real-world examples and a concrete mitigation for each.

How it works

Each entry is a category rather than a single bug. The list is ordered by a combination of exploitability, prevalence and impact, with A01 the highest priority:

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)

Use the categories as a checklist: for each one, confirm your application has the listed mitigations. The filter lets you find a specific risk by keyword across titles, descriptions and examples.

What changed in the 2021 edition

The 2021 edition introduced several significant shifts from the 2017 list:

  • Broken Access Control moved from fifth to first. Data from the community showed it appears in the largest share of tested applications, making it the most prevalent risk category.
  • Cryptographic Failures (was Sensitive Data Exposure) was renamed to focus on the root cause — weak or absent cryptography — rather than the symptom.
  • Injection dropped from first to third and absorbed XSS, which previously held its own slot.
  • Insecure Design (A04) is entirely new: a category for architectural flaws where the design itself lacks security controls, distinct from implementation bugs.
  • Software and Data Integrity Failures (A08) is also new, covering insecure deserialization and supply-chain risks such as untrusted CI/CD pipelines and auto-update mechanisms that lack signature verification.
  • Server-Side Request Forgery (A10) entered the list based on community survey data showing it is disproportionately severe when it occurs, even if relatively less common.

Using the list as a review checklist

The most practical way to apply the OWASP Top 10 is to walk each category during a design review or code review and ask a concrete question for each:

CategoryKey question
A01 Broken Access ControlDoes every endpoint enforce the caller’s actual permissions?
A02 Cryptographic FailuresIs sensitive data encrypted in transit and at rest with current algorithms?
A03 InjectionAre all user-supplied inputs parameterized or escaped before use in SQL, LDAP, or OS commands?
A04 Insecure DesignDoes the threat model show that core workflows cannot be abused even by authenticated users?
A05 Security MisconfigurationAre default credentials changed, unnecessary features disabled, and error messages scrubbed?
A06 Vulnerable ComponentsDoes dependency scanning run in CI and block on high-severity CVEs?
A07 Auth FailuresIs brute-force prevented, session management hardened, and MFA available?
A08 Integrity FailuresAre software updates and CI pipeline artifacts verified by signature?
A09 Logging FailuresAre authentication failures and access denials logged with enough context to investigate?
A10 SSRFDo outbound requests from server-side code validate and restrict target URLs?

Beyond the Top 10

The Top 10 is an awareness document, not a comprehensive standard. For depth, use the OWASP Application Security Verification Standard (ASVS), which maps detailed requirements to the same risk categories. Pair it with threat modelling during design, dependency scanning in CI, and periodic penetration testing to cover what automated tools miss.

Tips and notes

  • Treat the list as a minimum baseline, then graduate to the OWASP ASVS for depth.
  • A01 Broken Access Control moved to the top in 2021 — audit authorisation first.
  • Map each finding from a scanner or pentest back to a Top 10 category for triage.
  • The list is refreshed every few years; check owasp.org for the newest edition.