OWASP Top 10 Overview

The OWASP Top 10 — What Every Tester Must Know

The OWASP Top 10 is the definitive list of the most critical web application security risks. Updated every few years, it is the standard reference for security testing scope.

Current OWASP Top 10

A01: Broken Access Control — Users accessing resources or performing actions beyond their permissions. Most common finding in real audits.

A02: Cryptographic Failures — Sensitive data exposed due to weak or missing encryption. Formerly "Sensitive Data Exposure."

A03: Injection — SQL, NoSQL, OS command, LDAP injection. Untrusted input is interpreted as part of a query or command instead of as data.

A04: Insecure Design — Missing security controls at the design level. Cannot be patched — requires redesign.

A05: Security Misconfiguration — Default credentials, unnecessary features enabled, overly permissive cloud storage.

A06: Vulnerable and Outdated Components — Libraries and frameworks with known CVEs still in use.

A07: Identification and Authentication Failures — Weak passwords, missing MFA, session management issues.

A08: Software and Data Integrity Failures — CI/CD pipeline tampering, auto-updates without verification, insecure deserialization.

A09: Security Logging and Monitoring Failures — No audit logs, no alerting on attacks.

A10: Server-Side Request Forgery (SSRF) — Server fetches attacker-controlled URLs, exposing internal services.

How to Use the OWASP Top 10 in Testing

Use it as a checklist for test coverage:

  1. Map each application feature to relevant Top 10 categories
  2. Write test cases that probe each applicable category
  3. Include Top 10 verification in your Definition of Done

Example mapping for a login feature:

  • A07: Test weak password acceptance, account lockout absence, session fixation
  • A01: Test horizontal privilege escalation (can user A access user B's data after login?)
  • A02: Verify password is hashed in the database, HTTPS is enforced
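
The mapping above can be turned into repeatable test code. The following is an added example, not part of the original lesson: a constructed in-memory login service (`FakeLoginService`, a stand-in for the system under test, with a `hardened` switch that toggles the weaknesses) and three check functions that implement the A07, A01 and A02 probes from the list. All names, users, passwords and profile data are constructed for illustration; the HTTPS-enforcement check from A02 is left out because it needs a real transport rather than an in-memory model.

```python
"""Added example: OWASP Top 10 login-feature checks (A07, A01, A02) run
against a constructed in-memory service. Not from the original lesson."""
import hashlib
import secrets

LOCKOUT_THRESHOLD = 5  # assumed policy for the hardened variant


class FakeLoginService:
    """Constructed stand-in for the system under test.
    hardened=False reproduces the weaknesses the mapping tells you to probe."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.creds = {}     # username -> stored credential
        self.profiles = {}  # username -> private profile data
        self.sessions = {}  # session id -> username
        self.failures = {}  # username -> consecutive failed logins

    def _store(self, password: str) -> str:
        if not self.hardened:
            return password  # stored in the clear: the A02 finding
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt.hex() + "$" + digest.hex()

    def _verify(self, stored: str, password: str) -> bool:
        if not self.hardened:
            return stored == password
        salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), 100_000)
        return secrets.compare_digest(digest.hex(), digest_hex)

    def register(self, user: str, password: str, profile: dict) -> None:
        if self.hardened and len(password) < 12:
            raise ValueError("password policy: minimum 12 characters")
        self.creds[user] = self._store(password)
        self.profiles[user] = profile

    def login(self, user: str, password: str, session_id=None):
        """Return a session id on success, None on failure."""
        if self.hardened and self.failures.get(user, 0) >= LOCKOUT_THRESHOLD:
            return None  # account locked
        if user not in self.creds or not self._verify(self.creds[user], password):
            self.failures[user] = self.failures.get(user, 0) + 1
            return None
        self.failures[user] = 0
        if self.hardened or session_id is None:
            session_id = secrets.token_urlsafe(16)  # hardened: always a fresh id
        self.sessions[session_id] = user            # weak: reuses a pre-set id (fixation)
        return session_id

    def get_profile(self, session_id, user: str):
        owner = self.sessions.get(session_id)
        if owner is None:
            return None
        if self.hardened and owner != user:
            return None  # object-level authorization check
        return self.profiles.get(user)  # weak: any logged-in user reads any profile

    def stored_credential(self, user: str) -> str:
        """Stand-in for inspecting the database row during the A02 check."""
        return self.creds[user]


def check_a07(svc: FakeLoginService) -> list:
    """A07: weak password acceptance, missing lockout, session fixation."""
    findings = []
    try:
        svc.register("short", "123456", {})
        findings.append("A07: weak password accepted")
    except ValueError:
        pass
    pw = "correct horse battery staple"
    svc.register("victim", pw, {"email": "victim@example.test"})
    for _ in range(LOCKOUT_THRESHOLD + 5):
        svc.login("victim", "wrong-password")
    if svc.login("victim", pw) is not None:
        findings.append("A07: no lockout after repeated failed logins")
    svc.register("fixation", pw, {})
    fixed = "attacker-chosen-id"  # constructed value supplied before authentication
    if svc.login("fixation", pw, session_id=fixed) == fixed:
        findings.append("A07: session fixation, pre-set session id kept after login")
    return findings


def check_a01(svc: FakeLoginService) -> list:
    """A01: horizontal privilege escalation (user A reading user B's data)."""
    findings = []
    svc.register("alice", "alice-long-password-1", {"ssn": "constructed-111"})
    svc.register("bob", "bob-long-password-22", {"ssn": "constructed-222"})
    sid = svc.login("alice", "alice-long-password-1")
    if svc.get_profile(sid, "bob") is not None:
        findings.append("A01: alice can read bob's profile")
    return findings


def check_a02(svc: FakeLoginService) -> list:
    """A02: password must not be recoverable from the stored credential."""
    findings = []
    svc.register("carol", "carol-long-password-3", {})
    if "carol-long-password-3" in svc.stored_credential("carol"):
        findings.append("A02: password stored in recoverable form")
    return findings


def run_login_checks(svc: FakeLoginService) -> list:
    return check_a07(svc) + check_a01(svc) + check_a02(svc)


if __name__ == "__main__":
    for label, hardened in (("weak", False), ("hardened", True)):
        print(label, run_login_checks(FakeLoginService(hardened=hardened)))
```

Each check registers its own users and returns a list of findings, so it can be dropped into a test runner as-is; against a real application the `FakeLoginService` calls would be replaced by HTTP requests, but the assertions (a pre-set session id must not survive login, another user's object must not be readable, the stored credential must not contain the password) stay the same.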
Knowledge Check

What is the #1 most common web application vulnerability category according to the 2021 OWASP Top 10?
