03
18 min read · 5 briefings

Web Application Attacks (OWASP Top 10)

The same handful of flaw classes have owned the web for two decades — learn the class, and you learn the fix.

01 The OWASP Top 10 as a defender's map

The OWASP Top 10 is a periodically updated, community-driven ranking of the most critical web application security risks, published by the Open Worldwide Application Security Project. It is not a checklist of individual bugs but a taxonomy of vulnerability classes — root causes that recur across languages, frameworks, and decades.

The 2021 edition, the current major revision, is ordered by prevalence and impact:

  1. A01 Broken Access Control
  2. A02 Cryptographic Failures
  3. A03 Injection (now including cross-site scripting)
  4. A04 Insecure Design
  5. A05 Security Misconfiguration
  6. A06 Vulnerable and Outdated Components
  7. A07 Identification and Authentication Failures
  8. A08 Software and Data Integrity Failures
  9. A09 Security Logging and Monitoring Failures
  10. A10 Server-Side Request Forgery (SSRF)
Insight Notice that Broken Access Control moved to #1 in 2021, overtaking injection. This reflects a real shift: as frameworks made injection easier to avoid, authorization logic — which frameworks cannot fully automate — became the dominant failure. The rest of this module explains the marquee classes and, for each, the standard defense.

02 Injection and cross-site scripting (XSS)

Injection flaws share one root cause: untrusted input is mixed with a command or query so that data gets interpreted as instructions. In classic SQL injection (SQLi), input meant to be a value (a username) is instead parsed as part of the database query, letting an attacker read or alter data they should never reach. The concept generalizes to OS command injection, LDAP injection, and more.

Cross-site scripting (XSS) is injection aimed at the browser: attacker-controlled data is reflected into a web page and executed as script in a victim's session. There are three flavors:

  • Stored XSS — the payload is saved server-side (a comment, a profile field) and served to every viewer.
  • Reflected XSS — the payload rides in a request (often a link) and is echoed straight back in the response.
  • DOM-based XSS — the flaw lives entirely in client-side JavaScript that writes untrusted data into the page.
Pro tip The defenses are well established. For SQLi: use parameterized queries / prepared statements so data can never be parsed as code, plus least-privilege database accounts. For XSS: apply context-aware output encoding, rely on a modern framework's auto-escaping, and deploy a Content Security Policy (CSP) as defense in depth. Input validation helps but is never sufficient alone.

03 Broken access control and CSRF

Broken access control — the 2021 number-one — is the failure to correctly enforce what an authenticated user is allowed to do. A common form is Insecure Direct Object Reference (IDOR): a URL like /invoice?id=1043 where changing the number to 1044 returns someone else's invoice because the server never checked ownership. Other forms include privilege escalation to admin functions and bypassing access checks by editing a request.

Cross-Site Request Forgery (CSRF) abuses the trust a site places in a logged-in browser. A malicious page silently causes the victim's browser to send an authenticated request — say, a fund transfer — using the cookies it already holds. The victim never intended the action; their session was borrowed.

ClassCore defense
Broken access controlDeny by default; enforce every authorization check server-side; verify object ownership on each request
CSRFAnti-CSRF tokens tied to the session; the SameSite cookie attribute; re-authentication for sensitive actions
Watch out Access control must live on the server. Hiding a button in the UI, or trusting a hidden form field or a client-side role flag, is not access control — attackers do not use your UI, they craft requests directly.

04 SSRF, deserialization, and misconfiguration

Server-Side Request Forgery (SSRF), new to the Top 10 in 2021, tricks a server into making requests on the attacker's behalf. If a feature fetches a user-supplied URL, an attacker may point it at internal systems the server can reach but they cannot — including cloud metadata endpoints (famously the link-local address 169.254.169.254) that can leak credentials. SSRF was central to the 2019 Capital One breach. Defenses: strict allowlists of permitted destinations, blocking requests to internal and link-local ranges, and disabling unused URL schemes.

Insecure deserialization (a key part of A08, Software and Data Integrity Failures) occurs when an application rebuilds objects from untrusted serialized data. Because deserialization can instantiate arbitrary objects and invoke their methods, a crafted blob can lead to remote code execution. Defense: never deserialize untrusted data with native/unsafe deserializers; prefer simple data formats like JSON with strict schemas, and add integrity checks (signatures) to any serialized state you must accept.

Security misconfiguration (A05) is the broad, boring, ubiquitous class: default credentials left in place, verbose error messages leaking stack traces, unnecessary features and ports enabled, missing security headers, overly permissive cloud storage. Defense: systematic hardening against a known baseline, removing defaults, and repeatable, automated configuration so environments do not drift.

05 The through-line: never trust the client

Read across the whole Top 10 and a single principle keeps surfacing: all input is untrusted, and all security decisions belong on the server. Injection trusts input to be data. XSS trusts input to be inert text. Broken access control trusts the client to only request what it should. CSRF trusts that a request came from the intended user. SSRF trusts a user-supplied URL. Every one is a failure to draw the trust boundary correctly.

That is why the defenses rhyme. Parameterization, output encoding, server-side authorization, anti-CSRF tokens, destination allowlists — each is a way of refusing to let untrusted data cross a boundary as if it were trusted.

Insight Practitioners bake these defenses into the process, not the heroics. Secure-by-default frameworks, code review, dependency scanning for A06 (vulnerable components), and automated security testing in the build pipeline catch far more than any individual's vigilance. The best time to kill a vulnerability class is before a human ever has to remember it exists.

OWASP publishes companion resources — the Application Security Verification Standard (ASVS) and the Cheat Sheet Series — that turn these principles into concrete, testable requirements. For a defender, the Top 10 is the map; those documents are the terrain.

Field Glossary

OWASP Top 10
A periodically updated, community-driven ranking of the most critical web application security risk categories, published by the Open Worldwide Application Security Project.
SQL injection (SQLi)
An injection flaw where untrusted input is parsed as part of a database query, allowing unauthorized reading or modification of data; defeated by parameterized queries.
Cross-site scripting (XSS)
Injection into the browser where attacker-controlled data executes as script in a victim's session; comes in stored, reflected, and DOM-based forms.
Broken access control / IDOR
Failure to enforce what a user may do; IDOR is the common case where changing an object identifier in a request exposes another user's data.
CSRF
Cross-Site Request Forgery — coercing a logged-in victim's browser to send an unintended authenticated request; countered by anti-CSRF tokens and SameSite cookies.
SSRF
Server-Side Request Forgery — abusing a server into making attacker-directed requests to internal systems or cloud metadata endpoints.
Security misconfiguration
The broad risk class of insecure defaults, verbose errors, unnecessary services, and permissive settings; addressed by hardening and repeatable configuration.

Knowledge Check

Field Assessment

0 / 3

01 What is the fundamental defense against SQL injection?

02 An app returns /invoice?id=1043 for your invoice, and changing it to 1044 shows another customer's. Which class is this?

03 Why is a client-side check, like hiding an admin button in the UI, inadequate as access control?

ESC
↑↓ navigate jack in