davinceleecode
πŸ›‘οΈ OWASP Top 10 (2021 Edition) β€” Explained

| # | Name | Description | Example |
|---|------|-------------|---------|
| A01 | Broken Access Control | Users can access resources or perform actions they're not supposed to. | A regular user can access admin-only pages or APIs like `/admin/deleteUser`. |
| A02 | Cryptographic Failures (was A03) | Weak or missing encryption of sensitive data. | Login page uses HTTP instead of HTTPS. |
| A03 | Injection | Untrusted data sent to an interpreter (e.g., SQL, shell, LDAP). | `'; DROP TABLE Users --` in a login form. |
| A04 | Insecure Design | Security was not considered during system design. | No rate limiting on login → brute-force attack succeeds. |
| A05 | Security Misconfiguration | Insecure default settings or exposed debug info. | Error pages show stack traces or server version. |
| A06 | Vulnerable and Outdated Components | Using old or insecure libraries and frameworks. | App runs an outdated jQuery version with a known XSS bug. |
| A07 | Identification and Authentication Failures | Poor login/session handling or password policy. | No account lockout after 10 failed login attempts. |
| A08 | Software and Data Integrity Failures | Trusting code or updates from untrusted sources. | Auto-loading a plugin from an insecure 3rd-party server. |
| A09 | Security Logging and Monitoring Failures | No logging, alerting, or visibility into attacks. | Failed logins or admin actions are not logged. |
| A10 | Server-Side Request Forgery (SSRF) | App can be tricked into making requests to internal systems. | Attacker sends URL to internal resource like `http://localhost/admin`. |
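As an added example (not part of the original post), here is the A03 login-form payload from the table run against a query built by string concatenation and against a parameterized one, using Python's `sqlite3` with a constructed in-memory `Users` table:

```python
import sqlite3

# Constructed sample input: the A03 payload from the table above.
INJECTION_INPUT = "'; DROP TABLE Users --"


def make_db():
    """Constructed in-memory Users table with one account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Users'"
    ).fetchone()
    return row is not None


def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text, so the quote and the
    # semicolon become syntax and a second statement (DROP TABLE) runs.
    # executescript() mirrors drivers that execute several statements per
    # call; the trailing "--" comments out the rest of the original query.
    sql = (
        f"SELECT * FROM Users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    conn.executescript(sql)
    return sql


def login_parameterized(conn, username, password):
    # The SQL text is fixed; the input is bound as a value, so the same
    # string is compared as data and simply matches no row.
    row = conn.execute(
        "SELECT 1 FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    login_vulnerable(db, INJECTION_INPUT, "x")
    print("table survives vulnerable login:", users_table_exists(db))  # False
    db = make_db()
    print("parameterized login matched:", login_parameterized(db, INJECTION_INPUT, "x"))  # False
    print("table survives parameterized login:", users_table_exists(db))  # True
```

The same defence applies to the other interpreters the A03 row names (shell, LDAP): keep the command or filter text fixed and pass user input through the API's own argument or escaping mechanism rather than into the text.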

If you found this helpful, consider supporting my work at ☕ Buy Me a Coffee.
