| # | Name | Description | Example |
|---|---|---|---|
| A01 | Broken Access Control | Users can access resources or perform actions they're not supposed to. | A regular user can access admin-only pages or APIs like /admin/deleteUser. |
| A02 | Cryptographic Failures (was A03) | Weak or missing encryption of sensitive data. | Login page uses HTTP instead of HTTPS. |
| A03 | Injection | Untrusted data sent to an interpreter (e.g., SQL, shell, LDAP). |
'; DROP TABLE Users -- in a login form. |
| A04 | Insecure Design | Security was not considered during system design. | No rate limiting on login β brute-force attack succeeds. |
| A05 | Security Misconfiguration | Insecure default settings or exposed debug info. | Error pages show stack traces or server version. |
| A06 | Vulnerable and Outdated Components | Using old or insecure libraries and frameworks. | App runs an outdated jQuery version with a known XSS bug. |
| A07 | Identification and Authentication Failures | Poor login/session handling or password policy. | No account lockout after 10 failed login attempts. |
| A08 | Software and Data Integrity Failures | Trusting code or updates from untrusted sources. | Auto-loading a plugin from an insecure 3rd-party server. |
| A09 | Security Logging and Monitoring Failures | No logging, alerting, or visibility into attacks. | Failed logins or admin actions are not logged. |
| A10 | Server-Side Request Forgery (SSRF) | App can be tricked into making requests to internal systems. | Attacker sends URL to internal resource like http://localhost/admin. |
If you found this helpful, consider supporting my work at β Buy Me a Coffee.
Top comments (0)