The OWASP Top 10 is an awareness document listing the ten most critical security risks to web applications. It is maintained by OWASP (the Open Worldwide Application Security Project) to help developers and organisations understand which weaknesses attackers exploit most often and how to avoid them; the list below follows the 2025 edition. In simple words:
OWASP Top 10 = The top 10 biggest web security mistakes developers must avoid.
1. Broken Access Control — This is when users reach parts of an app they shouldn't, for example viewing someone else's private data or performing actions only admins should be able to. Access control means the server checks, on every request, that the caller is allowed to do what they are asking; hiding a link or a URL in the UI is not a check.
Example: A regular user changes the record id or the path in the URL and gets another user's data or an admin page.
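A worked example for this category, added here and not code from the original page: a record lookup with an insecure direct object reference beside the fixed handler, and a "hidden" admin route with and without a server-side role check. The records, user roles and the admin route are constructed for the demo.

```python
# Added example (not code from the original page): an insecure direct object
# reference, the classic broken-access-control bug, beside the fixed handler.
# The records, user roles and the admin route are all constructed for the demo.

# Constructed data: who owns which record, and who holds which role.
RECORDS = {
    1: {"owner": "alice", "note": "alice's medical history"},
    2: {"owner": "bob", "note": "bob's salary"},
}
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}


class Forbidden(Exception):
    """Raised when the authenticated caller is not allowed to do this."""


def get_record_vulnerable(current_user, record_id):
    """Looks the record up by the id taken from the URL and never asks who
    owns it: any logged-in user reads any record by changing the number."""
    return RECORDS[record_id]["note"]


def can_read(current_user, record_id):
    """Authorization decision made from server-side data only: the caller
    must own the record or hold the admin role. Unknown ids and unknown
    users are denied (deny by default)."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    role = USERS.get(current_user, {}).get("role")
    return record["owner"] == current_user or role == "admin"


def get_record_fixed(current_user, record_id):
    """Same lookup, but the access check runs on every request."""
    if not can_read(current_user, record_id):
        raise Forbidden(f"{current_user} may not read record {record_id}")
    return RECORDS[record_id]["note"]


def is_admin(current_user):
    """Role check for the admin route; hiding the URL is not a control."""
    return USERS.get(current_user, {}).get("role") == "admin"


def admin_page_vulnerable(current_user):
    """'Hidden' admin URL with no server-side check: guess the path, get in."""
    return "admin panel"


def admin_page_fixed(current_user):
    if not is_admin(current_user):
        raise Forbidden(f"{current_user} is not an admin")
    return "admin panel"


if __name__ == "__main__":
    # bob reads alice's record by changing the id in the URL
    print(get_record_vulnerable("bob", 1))
    try:
        get_record_fixed("bob", 1)
    except Forbidden as err:
        print("blocked:", err)
```

The important design choice is that `can_read` consults only data the server controls (the owner column and the role table), never anything the client sent such as a `role=admin` parameter or a flag stored in the session cookie, and that it returns `False` for anything it does not recognise.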
2. Security Misconfiguration — This happens when systems or software aren't set up securely, often because of default settings, incorrect configuration, or security options that were never turned on.
Example: A database reachable from the internet because its default settings (listening on all interfaces, default credentials) were never changed.
3. Software Supply Chain Failures — Modern apps rely on lots of third-party code and tooling: libraries, build tools, container images, CI/CD pipelines. If any of these external pieces is compromised, attackers get their code into your application without ever touching your own code.
Example: A trusted package on a public registry gets malicious code added in a new release, and every build that pulls it in is compromised.
4. Cryptographic Failures — This refers to weak, missing, or misused cryptography: data sent or stored without protection, outdated algorithms, hard-coded or poorly managed keys. Done right, cryptography keeps data confidential and tamper-evident at rest and in transit; done wrong, attackers can read or alter sensitive information.
Example: Passwords stored in plain text, or with a fast unsalted hash, instead of with a salted password-hashing function such as bcrypt, scrypt or Argon2 (passwords should be hashed, not encrypted, so that not even the site operator can recover them).
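A worked example for this category, added here and not code from the original page: the two wrong ways to store a password (plain text and a bare fast hash) beside a salted, memory-hard hash with constant-time verification, using only the Python standard library. The scrypt cost parameters are illustrative assumptions, not values taken from the page.

```python
# Added example (not code from the original page): storing passwords the wrong
# way (plain text / a bare fast hash) and the right way (salted, slow key
# derivation). Standard library only; the scrypt parameters are assumptions.
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune for your hardware and re-hash on login
# when you raise them.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> str:
    """What the page warns against: the password itself goes in the table.
    A database leak hands every password to the attacker."""
    return password


def store_sha256(password: str) -> str:
    """Still a cryptographic failure: unsalted and fast, so identical passwords
    produce identical rows and brute force runs at billions of guesses/second."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, memory-hard hash. The stored string carries the salt and the
    parameters so the hash can be verified (and later upgraded)."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time.
    Malformed stored values verify as False rather than raising."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong", stored))                         # False
```

Two things to notice: hashing the same password twice yields two different stored strings because each gets a fresh random salt, which is exactly what the bare SHA-256 version cannot do; and the comparison uses `hmac.compare_digest` so that the time taken does not depend on how many leading bytes matched.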
5. Injection — Attackers send crafted data into an application (structured code such as SQL where plain text was expected), and the app passes it to an interpreter that runs it as commands. SQL injection is the classic case; OS command, LDAP and template injection work the same way.
Example: Typing SQL fragments into a search box to pull database records the user should never see.
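A worked example for this category, added here and not code from the original page: the search-box case, with a query built by string formatting beside the parameterised version, run against an in-memory SQLite database. The table, the rows and the payload are constructed for the demo.

```python
# Added example (not code from the original page): a search endpoint built by
# string concatenation beside the parameterised version, run against an
# in-memory SQLite database with constructed sample rows.
import sqlite3


def make_db():
    """Constructed sample data: a users table with one non-public admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, is_public INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", 1),
        (2, "bob", "bob@example.test", 1),
        (3, "admin", "root@example.test", 0),
    ])
    return conn


def search_vulnerable(conn, term):
    """User input is pasted into the SQL text, so it can change the query's
    structure: the page's 'typing SQL into a search box' case."""
    sql = (
        "SELECT name, email FROM users "
        f"WHERE is_public = 1 AND name LIKE '%{term}%'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """The SQL text is fixed; the term travels as a bound parameter and is
    only ever compared as data, never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE is_public = 1 AND name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payload: closes the LIKE string, ORs in a tautology and comments
# out the trailing quote, so the is_public filter no longer applies.
PAYLOAD = "%' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, PAYLOAD))  # all rows, including the admin
    print(search_fixed(conn, PAYLOAD))       # []: nobody's name contains that
```

The vulnerable query ends up as `... AND name LIKE '%%' OR 1=1 --%'`, where everything after `--` is a comment, so the `is_public = 1` condition is bypassed. In the fixed version the same characters are just an odd-looking pattern that matches no name. Parameterisation (prepared statements) is the primary fix; escaping and input filtering are fragile fallbacks.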
6. Insecure Design — This is a broader issue where the application was designed without enough thought for how attackers might abuse it: essentially a lack of "security thinking" before any code is written. A flawless implementation cannot fix a flawed design.
Example: Skipping threat modeling or secure architectural planning.
7. Authentication Failures — This is when the system fails to verify that users are who they claim to be. This includes weak passwords, missing brute-force protection, and sloppy session handling.
Example: Letting users pick weak passwords and allowing unlimited login attempts with no lockout or rate limiting.
8. Software/Data Integrity Failures — This risk shows up when software or data can be changed without anyone noticing: tampering, unverified updates, or CI/CD pipelines and deserialization routines that trust whatever they are fed.
Example: An update server that installs altered code without verifying its signature or digest.
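A worked example serving both the supply-chain entry (a trusted package that gets malicious code added) and this integrity entry (an update installed without verification), added here and not code from the original page: refusing to install any artifact whose bytes do not match a digest pinned in advance, the check behind hash-pinned lockfiles and verified update manifests. The artifacts, the pinned manifest and the tampered copy are all constructed for the demo.

```python
# Added example (not code from the original page): refusing to install any
# package or update whose bytes do not match a digest pinned in advance. This
# is the check behind hash-pinned lockfiles (pip's --hash option, npm's
# integrity field) and behind a signed update manifest. The artifacts, the
# manifest and the "tampered" copy are all constructed for the demo.
import hashlib
import hmac


class IntegrityError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact as first reviewed, and the copy a compromised mirror or
# update server might serve later.
GOOD_PACKAGE = b"def greet():\n    return 'hello'\n"
TAMPERED_PACKAGE = GOOD_PACKAGE + b"# extra code an attacker slipped in\n"

# Constructed manifest: name -> pinned sha256, recorded when the artifact was
# reviewed and delivered over a channel the installer trusts (a lockfile
# committed to git, or a manifest carrying the publisher's signature).
PINNED = {"greeter-1.0.0": sha256_hex(GOOD_PACKAGE)}


def check_artifact(name: str, data: bytes) -> str:
    """Returns 'ok', 'mismatch' or 'unpinned'. A missing pin is a finding too:
    an unpinned dependency is whatever the registry says it is today."""
    expected = PINNED.get(name)
    if expected is None:
        return "unpinned"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "mismatch"
    return "ok"


def install_unverified(name: str, data: bytes):
    """The integrity failure on the page: whatever arrives gets installed."""
    return ("installed", name, len(data))


def install_verified(name: str, data: bytes):
    """Fail closed: an unknown artifact and a digest mismatch both abort."""
    verdict = check_artifact(name, data)
    if verdict != "ok":
        raise IntegrityError(f"{name}: {verdict}, refusing to install")
    return ("installed", name, len(data))


if __name__ == "__main__":
    print(install_unverified("greeter-1.0.0", TAMPERED_PACKAGE))
    try:
        install_verified("greeter-1.0.0", TAMPERED_PACKAGE)
    except IntegrityError as err:
        print("blocked:", err)
```

A pinned digest only proves the bytes are the ones that were reviewed when the pin was taken; it says nothing about whether that reviewed version was itself benign, so pins should be recorded at review time and every upgrade reviewed before the pin changes. The manifest must also be authenticated (committed to source control, or signed by the publisher), otherwise the attacker who swaps the package simply swaps the digest with it.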
9. Security Logging and Alerting Failures — If an app doesn't keep good logs, or nobody is alerted when something suspicious happens, attackers can keep working without being noticed.
Example: No alerts when repeated failed login attempts happen.
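A worked example serving both the authentication-failure entry (weak passwords, no lockout) and this logging-and-alerting entry (no alert on repeated failures), added here and not code from the original page: a login gate with a minimum password policy and a temporary lockout, every attempt written to an audit log, plus a detector that scans that log and alerts on bursts of failures per account and per source address. The thresholds, the credential store, the log layout and the IP addresses are assumptions made for the demo.

```python
# Added example (not code from the original page): a login gate with a
# password policy and lockout, a structured audit log of every attempt, and a
# detector that raises alerts from that log. Thresholds, the credential store,
# the log layout and the IP addresses are assumptions made for this demo.
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed: failures allowed before lockout
LOCKOUT_SECONDS = 900   # assumed: lockout and detection window
MIN_PASSWORD_LEN = 12   # assumed password policy
COMMON_PASSWORDS = {"password1234", "123456789012"}  # constructed blocklist

# Constructed credential store. A real one stores salted password hashes; a
# plain dict keeps this demo focused on lockout and logging.
CREDENTIALS = {"alice": "correct-horse-battery-staple"}


def password_policy_ok(password: str) -> bool:
    """The page's 'weak passwords' point: enforce a length and a blocklist."""
    return (len(password) >= MIN_PASSWORD_LEN
            and password.lower() not in COMMON_PASSWORDS)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for deterministic tests
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> epoch seconds
        self.log = []                       # structured audit log

    def _record(self, event, user, ip):
        self.log.append({"ts": self.clock(), "event": event, "user": user, "ip": ip})

    def login(self, user: str, password: str, ip: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; every outcome is logged."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            self._record("login_locked", user, ip)
            return "locked"
        # Unknown users take the same path, so the response does not reveal
        # which accounts exist.
        expected = CREDENTIALS.get(user, "").encode()
        if hmac.compare_digest(expected, password.encode()):
            self.failures[user].clear()
            self._record("login_success", user, ip)
            return "ok"
        self._record("login_failure", user, ip)
        recent = [t for t in self.failures[user] if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self._record("account_locked", user, ip)
            return "locked"
        return "denied"


def detect_bruteforce(log, threshold=MAX_FAILURES, window=LOCKOUT_SECONDS):
    """The alert the page says is missing: flag any account or source IP with
    `threshold` or more failures inside a sliding window. Keying on the IP as
    well catches password spraying, where each account sees only one failure."""
    alerts = []
    for key in ("user", "ip"):
        times_by_value = defaultdict(list)
        for entry in log:
            if entry["event"] == "login_failure":
                times_by_value[entry[key]].append(entry["ts"])
        for value, times in times_by_value.items():
            times.sort()
            start = 0
            for end in range(len(times)):
                while times[end] - times[start] >= window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.append((key, value))
                    break
    return alerts


if __name__ == "__main__":
    svc = LoginService()
    for i in range(6):  # constructed attacker from a documentation-range IP
        print(svc.login("alice", f"guess{i}", "198.51.100.7"))
    print(detect_bruteforce(svc.log))
```

The lockout is per account and time-limited, which stops online guessing without letting an attacker permanently lock a victim out; the detector runs over the same log the service writes, which is the point of the category: the log has to exist, carry the fields (user, source, outcome, time) the detection needs, and feed something that pages a human.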
10. Mishandling of Exceptional Conditions — This new category covers apps that behave badly under unusual conditions: errors, timeouts, resource exhaustion, or unexpected input. The result is often leaked internal details, a crash, or a security check that silently fails open.
Example: An app revealing stack traces to attackers when something goes wrong.
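A worked example for this category, added here and not code from the original page: the same request pipeline handled two ways, one that sends the Python traceback to the client as the page describes, and one that maps expected failures to specific detail-free responses, gives the client only a correlation id for anything unexpected, and keeps the details server-side. The handlers, the requests and the in-memory log sink are constructed for the demo.

```python
# Added example (not code from the original page): a leaky request wrapper that
# returns the traceback to the caller, beside a safe wrapper that handles
# expected conditions explicitly and logs the rest under a correlation id.
# The handlers, requests and the in-memory log sink are constructed.
import traceback
import uuid

SERVER_LOG = []  # stand-in for the real log pipeline; shows what stays internal


class InvalidInput(ValueError):
    """Unexpected input rejected up front instead of blowing up deeper down."""


def parse_amount(request: dict) -> int:
    raw = request.get("amount")
    if not isinstance(raw, str) or not raw.isdigit():
        raise InvalidInput("amount must be a string of digits")
    return int(raw)


# Constructed handlers standing in for real endpoints.
def handler_withdraw(request):
    return {"withdrawn": parse_amount(request)}


def handler_crash(request):
    # an unexpected internal bug whose message carries an internal hostname
    raise RuntimeError("db connection pool exhausted (host=db-internal-01)")


def handler_slow(request):
    raise TimeoutError("upstream took too long")


def dispatch_leaky(handler, request):
    """Catches everything, then hands the full trace (file paths, library
    versions, internal hostnames) to the caller in the response body."""
    try:
        return 200, handler(request)
    except Exception:
        return 500, traceback.format_exc()


def dispatch_safe(handler, request):
    """Expected conditions get a specific, detail-free response; anything else
    is logged with a correlation id and the client sees only that id."""
    try:
        return 200, handler(request)
    except InvalidInput:
        return 400, {"error": "invalid request"}
    except TimeoutError:
        return 504, {"error": "upstream timeout"}
    except Exception:
        ref = uuid.uuid4().hex
        SERVER_LOG.append(f"ref={ref}\n{traceback.format_exc()}")
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    print(dispatch_leaky(handler_crash, {})[1])
    print(dispatch_safe(handler_crash, {}))
```

The correlation id is what lets support staff find the full trace in the server log without the trace ever leaving the server. The same structure is where fail-closed behaviour belongs: if an authorization or validation step can raise, the catch-all branch must deny the request, never let it continue as if the check had passed.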