The OWASP Top 10 is the most widely referenced list of critical web application security risks. If your web application has these vulnerabilities, it’s open to attack — with consequences ranging from data breaches to complete system compromise. This article explains each risk in plain language.
1. Broken Access Control
Users can access data or features they shouldn’t. Example: a regular user accessing the admin panel by changing a URL, or seeing another user’s data by changing an ID. Prevention: enforce authorisation at every API endpoint, never trust the client to enforce access, use principle of least privilege.
2. Cryptographic Failures
Sensitive data stored or transmitted without proper encryption — passwords in plain text, data over HTTP, weak encryption algorithms. Prevention: always HTTPS, hash passwords with bcrypt or Argon2, never MD5/SHA-1 for passwords, encrypt sensitive data at rest.
3. SQL Injection
Malicious SQL code inserted into a form field and executed against your database. The classic example: entering '; DROP TABLE users; -- could delete your entire users table if unprotected. Prevention: always use parameterised queries. Never concatenate user input into SQL strings. ORMs like Eloquent, Prisma, and Sequelize handle this by default.
4. Insecure Design
Security not considered during design, leading to fundamental architectural flaws. Prevention: threat modelling during design. “What could go wrong with this feature?” as a standard design review question. Don’t store data you don’t need — you can’t breach what you don’t have.
5. Security Misconfiguration
Default credentials unchanged, unnecessary features enabled, verbose error messages revealing system details, public cloud storage buckets. Prevention: disable everything you don’t need, change all default credentials, show user-friendly error messages while logging details internally.
6. Vulnerable and Outdated Components
Using libraries with known security vulnerabilities. The 2017 Equifax breach (147M records) was caused by a vulnerability in Apache Struts that had a patch available 2 months earlier. Prevention: automated dependency scanning (npm audit, Snyk, Dependabot), regular updates, remove unused dependencies.
7. Identification and Authentication Failures
Weak authentication — no rate limiting on login attempts, no MFA, weak sessions. Prevention: rate limit login attempts, implement MFA especially for admin accounts, secure session tokens, account lockout after repeated failures.
8. Software and Data Integrity Failures
Failing to verify integrity of software updates and CI/CD pipelines. An attacker injecting code into your deployment pipeline can compromise everything. Prevention: signed software updates, secure CI/CD with access controls, supply chain security for npm packages.
9. Security Logging and Monitoring Failures
Not logging security events or monitoring for attack indicators. The average breach takes 200+ days to detect — because nobody is watching. Log: failed login attempts, privilege escalation, data access patterns, unexpected traffic spikes. Set up alerting for anomalies.
10. Server-Side Request Forgery (SSRF)
Attacker tricks the server into making requests to internal services it shouldn’t access. Example: an image URL field used to scan internal network resources. Prevention: validate all URLs before fetching, allowlist permitted destinations, block requests to private IP ranges.
Questions to Ask Your Dev Team
- “Are we using parameterised queries for all database interactions?”
- “How are we storing passwords? (Correct answer: bcrypt or Argon2)”
- “When did we last update our dependencies?”
- “What happens if an attacker changes the user ID in an API request?”
- “Do we have rate limiting on our login endpoint?”