The OWASP Top 10 is the most widely recognized standard for web application security risks. Whether you're a developer, security engineer, or business leader — this guide explains every category with real-world examples, detection techniques, and remediation strategies.
A periodically updated awareness document that ranks the most critical security risks to web applications. Based on data analysis from hundreds of organisations, community surveys, and real-world breach data. Referenced by PCI DSS, DORA, NIS2, and many industry standards.
#1 most common vulnerability — found in 94% of tested applications.
/api/users/123/profile to /api/users/124/profile/admin/dashboardPreviously "Sensitive Data Exposure" — renamed to focus on the root cause.
Enforce HTTPS everywhere with HSTS. Use AES-256, bcrypt/Argon2, SHA-256+. Never hardcode secrets — use Vault or AWS Secrets Manager. Encrypt data at rest. Disable TLS 1.0/1.1.
The classic web vulnerability — still in the top 3 after two decades.
' OR 1=1 -- and far more sophisticated attacksParameterized queries for all DB interactions. Input validation with allowlists. Output encoding for context. Content Security Policy headers. Least privilege DB accounts. Use ORMs consistently.
New category — design-level flaws, not implementation bugs.
Fix: Integrate threat modeling (STRIDE, PASTA) into design phase. Use secure design patterns. Write abuse cases alongside use cases.
Found in 90% of tested applications.
Repeatable hardening process. Remove all unnecessary features. Implement all security headers. Automate config management with IaC. Regular config audits. Use CSPM for cloud.
Fix: Maintain component inventory (SBOM). Continuously monitor CVE databases. Remove unused dependencies. Automate updates with Dependabot/Renovate.
Implement MFA. Enforce strong passwords with breach database checking. Rate limiting on auth endpoints. Secure session management (random IDs, HTTPOnly/Secure flags). Invalidate sessions on logout/password change.
Fix: Digital signatures on all software/data. Subresource Integrity (SRI) for external resources. Secure CI/CD with access controls and signing. Avoid insecure deserialization — use JSON.
Average time to identify a breach: 204 days (IBM 2024). Without adequate logging, attackers can establish persistence, exfiltrate data, and expand their foothold — all without triggering alarms.
Fix: Log all auth events, access control failures, and input validation failures. Include context (timestamp, user, IP, action). Centralise logs in a tamper-resistant SIEM. Implement automated alerting. Test detection capabilities regularly.
New category — added due to increasing prevalence in cloud-native architectures.
http://169.254.169.254/ for IAM credentialsValidate all user-supplied URLs server-side. Use allowlists for permitted domains. Block private IP ranges (10.x, 172.16.x, 169.254.x, 127.x). Disable unnecessary URL schemes (file://, gopher://). Use IMDSv2 on AWS. Segment URL-fetching services.
| OWASP Category | KENSAI Coverage |
|---|---|
| A01 Broken Access Control | IDOR testing, authorization bypass, CORS checks |
| A02 Cryptographic Failures | TLS analysis, header checks, encryption verification |
| A03 Injection | SQL, XSS, command injection, SSTI, header injection |
| A04 Insecure Design | Rate limiting, predictable resources, logic testing |
| A05 Security Misconfiguration | Headers, defaults, information disclosure, HTTP methods |
| A06 Vulnerable Components | Technology fingerprinting, 332K+ CVE database |
| A07 Authentication Failures | Default credentials, session testing, cookie analysis |
| A08 Integrity Failures | SRI checks, deserialization testing |
| A09 Logging Failures | Security header analysis, error handling review |
| A10 SSRF | Internal endpoint injection, cloud metadata testing |
Free scan — no commitment, no credit card required. AI-powered DAST with compliance-ready reporting.
Start Free Scan →Broken Access Control (A01) — found in 94% of tested applications. It moved from position 5 to position 1, reflecting widespread failure to enforce authorization, particularly in APIs and SPAs.
The OWASP Top 10 itself is voluntary. However, it's referenced by PCI DSS (requires addressing OWASP Top 10), NIS2 (expects systematic vulnerability management), DORA (references industry-standard testing), and many vendor assessments. In practice, it's effectively mandatory.
Automated DAST tools effectively detect most categories — especially injection (A03), cryptographic failures (A02), misconfiguration (A05), and vulnerable components (A06). Some categories like Insecure Design (A04) and Logging Failures (A09) often require manual assessment. Use automated scanning for breadth + manual testing for depth.
Every 3–4 years. Major releases: 2013, 2017, 2021. Each update reflects threat landscape shifts — the 2021 update introduced Insecure Design (A04) and SSRF (A10) while reorganizing others.
Security is not optional.
🗡️ The KENSAI Team