The OWASP Top 10 (2021 edition) catalogues the most critical web application security risks, ranked from incidence data contributed by testing organisations together with community survey results and CVSS-derived exploitability and impact scores. The list is widely used as a baseline security standard: PCI DSS requirement 6 points to OWASP guidance for addressing common coding vulnerabilities, and many other compliance frameworks cite it. Understanding each category, its root cause, and its mitigation is foundational for secure-by-design engineering.

Key Points

  • A01 Broken Access Control (the most prevalent category; 94% of applications in the OWASP dataset were tested for some form of it, with an average incidence rate of 3.81%): IDOR (Insecure Direct Object Reference), missing function-level authorisation, path traversal. Mitigate with server-side authorisation checks on every request, deny by default, and access-control unit tests that exercise other users' object IDs.
  • A02 Cryptographic Failures: MD5/SHA-1 (or any fast hash) for password storage, hardcoded keys, PII sent over plain HTTP, weak TLS configurations. Audit with sslyze or testssl.sh; enforce TLS 1.2+ with AEAD cipher suites (AES-128-GCM is sufficient; key length is rarely the weak point), and hash passwords with a memory-hard function such as Argon2id, scrypt, or bcrypt.
  • A03 Injection (SQL, LDAP, OS, NoSQL, SSTI): attacker-controlled input interpreted as code — always use parameterised queries / prepared statements; never use string concatenation to build queries.
  • A04 Insecure Design: missing threat modelling, no rate limiting on auth endpoints, insecure password reset flows — STRIDE threat modelling at design phase; threat modelling workshops before feature development.
  • A05 Security Misconfiguration: default credentials, unnecessary features enabled, overly permissive CORS (`*`), S3 public-access-block disabled. Automate detection with AWS Config rules, CIS Benchmarks, and Trivy config scanning.
  • A06 Vulnerable and Outdated Components: unpatched frameworks and libraries, no inventory of what is actually deployed. Keep an SBOM, scan it continuously (Trivy, OWASP Dependency-Check), and remove components the application does not use.
  • A07 Identification and Authentication Failures: brute-force attacks, credential stuffing, weak session tokens — implement account lockout, MFA, TOTP or FIDO2, secure session management (HttpOnly + Secure cookie flags).
  • A08 Software and Data Integrity Failures: CI/CD pipeline poisoning, unsigned updates, deserialisation of untrusted data. Pin dependencies through a lockfile with integrity hashes (`npm ci` installs exactly what `package-lock.json` records, including its `integrity` fields; `pip install --require-hashes` does the same for Python), and sign and verify container images (Sigstore/cosign).
  • A09 Security Logging and Monitoring Failures: logins, access-control failures and input-validation failures not logged, logs kept only on the host, no alerting. Log authentication and authorisation events with enough context to reconstruct an incident, ship logs off-host, and alert on them.
  • A10 Server-Side Request Forgery (SSRF): the attacker makes the server fetch an attacker-chosen URL, typically an internal resource such as the EC2 Instance Metadata Service (`http://169.254.169.254/latest/meta-data/iam/`). Validate the destination the client will actually connect to (resolve the hostname and reject loopback, link-local, RFC 1918 and other non-public ranges, re-checking on every redirect), and require IMDSv2 so a plain GET relayed by the application cannot read credentials.
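The A01 and A03 entries above side by side, as an added example that is not code from the page or from OWASP. It uses an in-memory SQLite table with constructed rows (table and column names are assumptions for the demo): the concatenated query lets a quoted payload rewrite the WHERE clause while the bound parameter does not, and the lookup that ignores the caller's identity is an IDOR while the one that makes ownership part of the query is not.

```python
import sqlite3
from typing import List, Optional, Tuple

Invoice = Tuple[int, int, str]  # (id, owner_id, note)


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two invoices owned by user 100, one by user 200."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, note TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, "alice-q1"), (2, 100, "alice-q2"), (3, 200, "bob-q1")],
    )
    return conn


# --- A03 Injection: the same search built two ways ---

def search_notes_vulnerable(conn: sqlite3.Connection, term: str) -> List[int]:
    """User input spliced into the SQL text. A quote in `term` closes the string
    literal and the rest of the input becomes part of the WHERE clause."""
    sql = "SELECT id FROM invoices WHERE note = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_notes_safe(conn: sqlite3.Connection, term: str) -> List[int]:
    """Bound parameter: the driver passes `term` as a value, so it can never
    change the statement's structure."""
    rows = conn.execute("SELECT id FROM invoices WHERE note = ?", (term,))
    return [row[0] for row in rows]


# --- A01 Broken Access Control: object lookup with and without ownership ---

def get_invoice_vulnerable(conn: sqlite3.Connection, current_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Parameterised (so not injectable), but `current_user_id` is never used:
    any authenticated user can read any invoice by guessing its id (IDOR)."""
    return conn.execute(
        "SELECT id, owner_id, note FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_safe(conn: sqlite3.Connection, current_user_id: int, invoice_id: int) -> Optional[Invoice]:
    """Ownership is part of the query. 'Not yours' and 'does not exist' both
    return None, so the HTTP layer can answer 404 for either without leaking
    which ids exist."""
    return conn.execute(
        "SELECT id, owner_id, note FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable search:", search_notes_vulnerable(db, payload))  # [1, 2, 3]
    print("safe search:      ", search_notes_safe(db, payload))        # []
    print("user 200 reads invoice 1 (vulnerable):", get_invoice_vulnerable(db, 200, 1))
    print("user 200 reads invoice 1 (safe):      ", get_invoice_safe(db, 200, 1))
```

The A01 pair is worth noting because `get_invoice_vulnerable` is already parameterised: fixing injection does nothing for access control. The ownership check belongs in the data access layer (or the query itself) rather than in a view-layer `if`, so that no new endpoint can reach the row without it.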

Real-World Example

The 2019 Capital One breach was an SSRF attack: a misconfigured WAF running on EC2 could be induced to relay requests to the EC2 Instance Metadata Service (IMDS), which returned the temporary credentials of the instance's IAM role; with those, the attacker listed and copied S3 buckets holding data on roughly 100 million customers. Security groups do not filter IMDS traffic, so blocking 169.254.169.254 there is not a control. The modern mitigations are to require IMDSv2 (a session token obtained with a PUT, with the default hop limit of 1), disable IMDS on instances that do not need it, and scope the instance role to the buckets and actions it actually requires.
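The IMDS path in the breach above, and the "validate the destination" advice under A10, as an added example that is not code from the page, from Capital One, or from AWS: an outbound-URL guard that resolves the hostname and rejects any non-public address, including the link-local 169.254.169.254, its decimal and IPv4-mapped IPv6 spellings, and names that resolve to a mix of public and internal addresses. The resolver is injectable so the demo runs offline against a constructed lookup table; `example.com`, `metadata.internal` and `mixed.example` and their addresses are assumptions for the demo, not real infrastructure.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]  # hostname -> IP address strings


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver. getaddrinfo also accepts numeric forms
    such as '2852039166' (decimal for 169.254.169.254) and returns IP literals
    unchanged, so every input ends up as plain address strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (169.254/16, fe80::/10),
    # RFC 1918, CGNAT 100.64/10, unspecified and IETF-reserved ranges.
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks scheme, host syntax and every address
    the host resolves to; if any address is non-public the URL is rejected,
    because the HTTP client may connect to any of them."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = list(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, "resolution failed: %s" % exc
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        try:
            if not is_public_address(addr):
                return False, "%s resolves to non-public address %s" % (host, addr)
        except ValueError:
            return False, "unparseable address %r" % addr
    return True, "ok"


# Constructed resolution table for the demo and offline testing (assumed names
# and addresses, not real infrastructure).
DEMO_RESOLUTIONS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "169.254.169.254": ["169.254.169.254"],
    "2852039166": ["169.254.169.254"],  # how getaddrinfo treats the decimal form
    "::ffff:169.254.169.254": ["::ffff:169.254.169.254"],
    "metadata.internal": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def demo_resolver(host: str) -> List[str]:
    return DEMO_RESOLUTIONS.get(host, [])


if __name__ == "__main__":
    for url in [
        "https://example.com/webhook",
        "http://169.254.169.254/latest/meta-data/iam/",
        "http://2852039166/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/",
        "http://metadata.internal/",
        "http://mixed.example/",
        "file:///etc/passwd",
    ]:
        print(check_outbound_url(url, demo_resolver), url)
```

Two things the guard cannot do on its own: the HTTP client must connect to the address that was checked (pin it, or re-resolve immediately before connecting, to close the DNS-rebinding window between check and use), and the check must run again on every redirect hop, not only on the first URL. Those gaps are why IMDSv2 is worth enforcing regardless of application-layer filtering: a relayed GET without the session-token header gets nothing back.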