The 2021 edition

  1. A01 — Broken Access Control. Users can act outside their permitted scope. Vertical (privilege escalation) and horizontal (accessing another user's data).
  2. A02 — Cryptographic Failures. Sensitive data exposed because it wasn't encrypted, was encrypted poorly, or because key management failed.
  3. A03 — Injection. Untrusted input is treated as code: SQL, NoSQL, OS commands, LDAP, ORM, XPath, expression languages. Cross-Site Scripting (a separate category in 2017) was folded into this one in 2021.
  4. A04 — Insecure Design. Architectural flaws — missing threat modeling, ambiguous trust boundaries — that no amount of secure coding can fix later.
  5. A05 — Security Misconfiguration. Defaults left in place, verbose error pages, unused features enabled, missing security headers.
  6. A06 — Vulnerable and Outdated Components. Known CVEs in dependencies the application ships, plus components that are unsupported, unmaintained, or never inventoried.
  7. A07 — Identification and Authentication Failures. Credential stuffing accepted, weak passwords allowed, predictable session IDs, broken MFA.
  8. A08 — Software and Data Integrity Failures. Untrusted updates, deserialization of untrusted data, CI/CD pipelines that can be hijacked.
  9. A09 — Security Logging and Monitoring Failures. Attacks not detected because no one is looking and nothing is logged.
  10. A10 — Server-Side Request Forgery. The server fetches a user-supplied URL without validating it, so the attacker can reach internal services, cloud metadata endpoints, and other hosts the server can see but the attacker cannot (the response may or may not be returned to the attacker).
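Two of these categories, A03 Injection and A01 Broken Access Control, often appear in the same function. The example below is added here and is not part of the OWASP material; it runs a vulnerable and a hardened version of a "fetch my note" lookup against a constructed in-memory SQLite database. The `notes` table, its rows and the function names are assumptions made for the illustration.

```python
"""
Added example (not from the OWASP page): A03 Injection and A01 Broken Access
Control side by side, against a constructed in-memory SQLite database. The
table, rows and function names are assumptions made for this illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users, each owning one private note.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (id, owner, body) VALUES (?, ?, ?)",
        [(1, "alice", "alice's secret"), (2, "bob", "bob's secret")],
    )
    conn.commit()
    return conn


def get_note_vulnerable(conn: sqlite3.Connection, note_id: str) -> list:
    # A03: the untrusted note_id is spliced into the SQL text, so it is parsed
    # as SQL rather than treated as a value.
    # A01: nothing checks that the caller owns the note, so any id (or a
    # payload that matches every row) is served to whoever asks.
    sql = f"SELECT owner, body FROM notes WHERE id = {note_id}"
    return conn.execute(sql).fetchall()


def get_note_hardened(conn: sqlite3.Connection, current_user: str, note_id: str):
    # A03 fix: validate the input's shape first, then pass it as a bound
    # parameter so the driver never lets it alter the query structure.
    try:
        nid = int(note_id)
    except ValueError:
        return None
    # A01 fix: the ownership condition is part of the query, so the row is
    # returned only to its owner; a valid id belonging to someone else yields
    # nothing rather than leaking their data.
    row = conn.execute(
        "SELECT owner, body FROM notes WHERE id = ? AND owner = ?",
        (nid, current_user),
    ).fetchone()
    return row


def demo():
    conn = make_db()
    # Injection payload: "1 OR 1=1" turns a single-row lookup into a full dump.
    leaked = get_note_vulnerable(conn, "1 OR 1=1")
    # The same payload is rejected by the hardened version ...
    rejected = get_note_hardened(conn, "alice", "1 OR 1=1")
    # ... and a legitimate id that belongs to another user returns nothing.
    foreign = get_note_hardened(conn, "alice", "2")
    # The owner still gets their own note.
    own = get_note_hardened(conn, "alice", "1")
    return leaked, rejected, foreign, own


if __name__ == "__main__":
    leaked, rejected, foreign, own = demo()
    print("vulnerable lookup returned", len(leaked), "rows for payload '1 OR 1=1'")
    print("hardened: payload ->", rejected, "| bob's note ->", foreign, "| own note ->", own)
```

The parameterized query alone fixes A03 but not A01: without the `owner = ?` condition, `get_note_hardened(conn, "alice", "2")` would still hand Alice Bob's note. That is why the two categories are listed separately even though the fix for one is often written next to the fix for the other.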

How to use the list

The Top 10 is not a checklist. It is a starting point for security conversations and a way to align teams on a shared vocabulary. Pair it with a real threat model for your specific application, and follow the linked OWASP Cheat Sheet for each category.


The OWASP project also maintains the API Security Top 10 and Mobile Top 10, which overlap with — but aren't the same as — the web list.