Web Application Attacks (OWASP Top 10)
The same handful of flaw classes have owned the web for two decades — learn the class, and you learn the fix.
01 The OWASP Top 10 as a defender's map
The OWASP Top 10 is a periodically updated, community-driven ranking of the most critical web application security risks, published by the Open Worldwide Application Security Project. It is not a checklist of individual bugs but a taxonomy of vulnerability classes — root causes that recur across languages, frameworks, and decades.
The 2021 edition, the current major revision, is ordered by prevalence and impact:
- A01 Broken Access Control
- A02 Cryptographic Failures
- A03 Injection (now including cross-site scripting)
- A04 Insecure Design
- A05 Security Misconfiguration
- A06 Vulnerable and Outdated Components
- A07 Identification and Authentication Failures
- A08 Software and Data Integrity Failures
- A09 Security Logging and Monitoring Failures
- A10 Server-Side Request Forgery (SSRF)
02 Injection and cross-site scripting (XSS)
Injection flaws share one root cause: untrusted input is mixed with a command or query so that data gets interpreted as instructions. In classic SQL injection (SQLi), input meant to be a value (a username) is instead parsed as part of the database query, letting an attacker read or alter data they should never reach. The concept generalizes to OS command injection, LDAP injection, and more.
Cross-site scripting (XSS) is injection aimed at the browser: attacker-controlled data is reflected into a web page and executed as script in a victim's session. There are three flavors:
- Stored XSS — the payload is saved server-side (a comment, a profile field) and served to every viewer.
- Reflected XSS — the payload rides in a request (often a link) and is echoed straight back in the response.
- DOM-based XSS — the flaw lives entirely in client-side JavaScript that writes untrusted data into the page.
03 Broken access control and CSRF
Broken access control — the 2021 number-one — is the failure to correctly enforce what an authenticated user is allowed to do. A common form is Insecure Direct Object Reference (IDOR): a URL like /invoice?id=1043 where changing the number to 1044 returns someone else's invoice because the server never checked ownership. Other forms include privilege escalation to admin functions and bypassing access checks by editing a request.
Cross-Site Request Forgery (CSRF) abuses the trust a site places in a logged-in browser. A malicious page silently causes the victim's browser to send an authenticated request — say, a fund transfer — using the cookies it already holds. The victim never intended the action; their session was borrowed.
| Class | Core defense |
|---|---|
| Broken access control | Deny by default; enforce every authorization check server-side; verify object ownership on each request |
| CSRF | Anti-CSRF tokens tied to the session; the SameSite cookie attribute; re-authentication for sensitive actions |
04 SSRF, deserialization, and misconfiguration
Server-Side Request Forgery (SSRF), new to the Top 10 in 2021, tricks a server into making requests on the attacker's behalf. If a feature fetches a user-supplied URL, an attacker may point it at internal systems the server can reach but they cannot — including cloud metadata endpoints (famously the link-local address 169.254.169.254) that can leak credentials. SSRF was central to the 2019 Capital One breach. Defenses: strict allowlists of permitted destinations, blocking requests to internal and link-local ranges, and disabling unused URL schemes.
Insecure deserialization (a key part of A08, Software and Data Integrity Failures) occurs when an application rebuilds objects from untrusted serialized data. Because deserialization can instantiate arbitrary objects and invoke their methods, a crafted blob can lead to remote code execution. Defense: never deserialize untrusted data with native/unsafe deserializers; prefer simple data formats like JSON with strict schemas, and add integrity checks (signatures) to any serialized state you must accept.
Security misconfiguration (A05) is the broad, boring, ubiquitous class: default credentials left in place, verbose error messages leaking stack traces, unnecessary features and ports enabled, missing security headers, overly permissive cloud storage. Defense: systematic hardening against a known baseline, removing defaults, and repeatable, automated configuration so environments do not drift.
05 The through-line: never trust the client
Read across the whole Top 10 and a single principle keeps surfacing: all input is untrusted, and all security decisions belong on the server. Injection trusts input to be data. XSS trusts input to be inert text. Broken access control trusts the client to only request what it should. CSRF trusts that a request came from the intended user. SSRF trusts a user-supplied URL. Every one is a failure to draw the trust boundary correctly.
That is why the defenses rhyme. Parameterization, output encoding, server-side authorization, anti-CSRF tokens, destination allowlists — each is a way of refusing to let untrusted data cross a boundary as if it were trusted.
OWASP publishes companion resources — the Application Security Verification Standard (ASVS) and the Cheat Sheet Series — that turn these principles into concrete, testable requirements. For a defender, the Top 10 is the map; those documents are the terrain.
⌘ Field Glossary
- OWASP Top 10
- A periodically updated, community-driven ranking of the most critical web application security risk categories, published by the Open Worldwide Application Security Project.
- SQL injection (SQLi)
- An injection flaw where untrusted input is parsed as part of a database query, allowing unauthorized reading or modification of data; defeated by parameterized queries.
- Cross-site scripting (XSS)
- Injection into the browser where attacker-controlled data executes as script in a victim's session; comes in stored, reflected, and DOM-based forms.
- Broken access control / IDOR
- Failure to enforce what a user may do; IDOR is the common case where changing an object identifier in a request exposes another user's data.
- CSRF
- Cross-Site Request Forgery — coercing a logged-in victim's browser to send an unintended authenticated request; countered by anti-CSRF tokens and SameSite cookies.
- SSRF
- Server-Side Request Forgery — abusing a server into making attacker-directed requests to internal systems or cloud metadata endpoints.
- Security misconfiguration
- The broad risk class of insecure defaults, verbose errors, unnecessary services, and permissive settings; addressed by hardening and repeatable configuration.
Knowledge Check
Field Assessment
01 What is the fundamental defense against SQL injection?
02 An app returns /invoice?id=1043 for your invoice, and changing it to 1044 shows another customer's. Which class is this?
03 Why is a client-side check, like hiding an admin button in the UI, inadequate as access control?