
Level 1 · 25 min

OWASP Top 10: The Foundation

The OWASP Top 10 is the industry-standard awareness document for web application security risks. The 2021 edition reordered priorities based on a decade of breach data: Broken Access Control jumped from #5 to #1 because it was found in 94% of tested applications. Memorising the categories is not the goal — understanding the underlying failure modes is.

The 2021 Categories in Order

  • A01 Broken Access Control (was #5): IDOR, missing function-level authorization, force-browsing.
  • A02 Cryptographic Failures (was Sensitive Data Exposure): missing TLS, weak algorithms (RC4, MD5), hardcoded keys.
  • A03 Injection (was #1): SQLi, NoSQLi, command, LDAP.
  • A04 Insecure Design: new category covering missing threat modeling.
  • A05 Security Misconfiguration: default creds, verbose errors, open S3 buckets.
  • A06 Vulnerable and Outdated Components: Log4Shell-class incidents.
  • A07 Identification and Authentication Failures: credential stuffing, session fixation.
  • A08 Software and Data Integrity Failures: unsigned updates, npm event-stream-style supply chain.
  • A09 Security Logging and Monitoring Failures.
  • A10 Server-Side Request Forgery (SSRF): Capital One's 2019 breach.

Why Broken Access Control Reached #1

Access control answers the question 'is this user allowed to perform this action on this resource?'. The 2021 reshuffle was driven by data: 94% of OWASP test apps had at least one access-control failure, with an average of 3.81 occurrences per app. The classic example is IDOR (Insecure Direct Object Reference): GET /api/invoices/12345 returns invoice 12345 with no check that the requesting user owns it, so an attacker simply iterates the ID. Vertical privilege escalation is the same failure one level up: a regular user calls POST /admin/users and the endpoint is missing its @PreAuthorize check. The defense is to centralise authorization (a policy engine, not scattered if (user.isAdmin()) checks across 200 controllers), deny by default, and write access-control tests that try every endpoint as an unauthorized user.
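The three defenses named above (one policy engine, deny by default, a test that walks every endpoint as an unauthorized user) in a runnable form. This is an added example, not code from the original page; it is written in Python rather than the page's Java so it runs offline, and the users, roles, invoice table and route names are constructed for the demonstration.

```python
# Added example (not from the original page): a centralised, deny-by-default
# authorization policy plus a test that calls every registered endpoint as a
# given user. Users, roles, invoice data and route names are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed sample data: invoice id -> owner.
INVOICES = {12345: "alice", 12346: "bob"}


# The policy engine: the one place that answers "may this user perform this
# action on this resource?". Anything not explicitly allowed is denied.
def is_allowed(user, action, resource_type, resource_id=None):
    if user is None:
        return False                                    # anonymous: deny all
    if resource_type == "invoice" and action == "read":
        return INVOICES.get(resource_id) == user.name   # horizontal: owner only
    if resource_type == "admin_users" and action == "create":
        return "admin" in user.roles                    # vertical: role required
    return False                                        # default deny


# Handlers carry no authorization logic of their own; they delegate to the policy.
def get_invoice(user, invoice_id):
    if not is_allowed(user, "read", "invoice", invoice_id):
        raise PermissionError("forbidden")
    return {"id": invoice_id, "owner": INVOICES[invoice_id]}


def create_admin_user(user, new_name):
    if not is_allowed(user, "create", "admin_users"):
        raise PermissionError("forbidden")
    return {"created": new_name}


# Route table. The access-control test iterates this, so a newly added endpoint
# is covered automatically instead of depending on someone remembering it.
ROUTES = {
    "GET /api/invoices/12345": lambda u: get_invoice(u, 12345),
    "GET /api/invoices/12346": lambda u: get_invoice(u, 12346),
    "POST /admin/users": lambda u: create_admin_user(u, "new-admin"),
}


def reachable_routes(user):
    """Call every route as `user` and return the ones that did NOT deny.

    For an anonymous caller the expected result is an empty list; for a regular
    user it is exactly that user's own resources. Anything else is an
    access-control finding.
    """
    reachable = []
    for route, call in ROUTES.items():
        try:
            call(user)
            reachable.append(route)
        except PermissionError:
            pass
    return reachable


if __name__ == "__main__":
    print("anonymous:", reachable_routes(None))
    print("bob:      ", reachable_routes(User("bob")))
    print("admin:    ", reachable_routes(User("carol", frozenset({"admin"}))))
```

The point of `reachable_routes` is that it is driven by the route table rather than by a hand-written list of "endpoints we remembered to test": run it as the anonymous user in CI and any non-empty result fails the build.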

Cryptographic Failures and Injection in 2026

A02 Cryptographic Failures covers the entire spectrum of 'data was confidential, now it isn't'. Concrete examples: a backend exposing /metrics over plain HTTP inside a VPC because 'the network is private' (it isn't; lateral movement happens), an authentication service using SHA-256 to hash passwords (a fast hash with no salt or work factor, cracked in seconds with hashcat on a single GPU), encrypting database backups with AES-CBC without an integrity check (padding oracle attacks). A03 Injection is still in the Top 10 because string concatenation into queries, shell commands and LDAP filters keeps appearing in new code, even though the fix (parameterized statements) has been known for 25 years.
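Two of those failure modes, each with the weak form beside the corrected one: password storage (fast unsalted hash versus a salted, memory-hard KDF) and query construction (string concatenation versus a parameterized statement). This is an added example, not code from the original page, written in Python so it runs offline against an in-memory SQLite table; the user names, sample passwords and the three-entry "precomputed table" are constructed.

```python
# Added example (not from the original page). Demonstrates A02 (password
# storage) and A03 (SQL injection) with the weak and corrected forms side by
# side. All names, passwords and table rows are constructed sample data.
import hashlib
import hmac
import os
import sqlite3

# ---- A02: password storage ---------------------------------------------------

def hash_password_weak(password):
    # Weak: one fast, unsalted SHA-256 round. Equal passwords give equal hashes,
    # so a table computed once matches every user who chose a common password.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for a precomputed table: three common passwords.
COMMON_TABLE = {hash_password_weak(p): p for p in ("123456", "password", "letmein")}


def table_lookup(stored_weak_hash):
    """Why unsalted fast hashes fail: recovery is a dictionary lookup, not work."""
    return COMMON_TABLE.get(stored_weak_hash)


def hash_password(password, salt=None):
    # Corrected: per-user random salt plus scrypt (memory-hard, in the stdlib).
    # The salt makes precomputed tables useless; the work factor (n) makes each
    # guess expensive for the attacker without hurting a single login.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    # Constant-time comparison so verification timing does not leak the digest.
    return hmac.compare_digest(candidate, stored)


# ---- A03: injection ----------------------------------------------------------

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")])
    return db


def find_email_vulnerable(db, name):
    # Concatenation: the input becomes part of the SQL text, so a quote inside
    # the data changes the query's structure. Here that surfaces as a syntax
    # error; in general the query becomes whatever the caller wrote.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def find_email(db, name):
    # Parameterized: the value travels separately from the query text and is
    # never parsed as SQL, so "O'Brien" is just a name.
    row = db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare_lookups(name):
    """Run both variants on the same input; return (vulnerable result, safe result)."""
    db = make_db()
    try:
        unsafe = find_email_vulnerable(db, name)
    except sqlite3.Error as exc:
        unsafe = "SQL error: " + str(exc)
    return unsafe, find_email(db, name)


if __name__ == "__main__":
    print("weak hash of 'password' found in table:", table_lookup(hash_password_weak("password")))
    h = hash_password("password")
    print("scrypt verify correct/incorrect:", verify_password("password", h), verify_password("wrong", h))
    print("alice  ->", compare_lookups("alice"))
    print("O'Brien ->", compare_lookups("O'Brien"))
```

The apostrophe case is deliberately the mild one: a legitimate name already breaks the concatenated query, which is the same structural defect an attacker exploits with a crafted value. The parameterized version returns the right row for both inputs because the database never sees the value as query text.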

Key Takeaways

  • Broken Access Control is #1 in 2021 — found in 94% of tested apps. Centralise authorization, deny by default, test every endpoint as an unauthorized user.
  • Cryptographic Failures is broader than 'missing TLS': weak hashes for passwords, missing integrity checks, hardcoded keys, and unencrypted backups all count.
  • The Top 10 is awareness, not a checklist. Pair it with threat modeling (STRIDE) to find risks specific to your system.

Code example

// A01 Broken Access Control — vulnerable IDOR (Spring MVC + Spring Security)
import java.security.Principal;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;

// BEFORE: any caller can read any invoice by iterating the id
@GetMapping("/api/invoices/{id}")
public Invoice get(@PathVariable Long id) {
  return invoiceRepo.findById(id).orElseThrow();
  // BUG: no check that current user owns this invoice
}

// FIXED — owner check + deny by default
// @PreAuthorize runs the permission evaluator before the body executes; the
// explicit owner comparison is a second check so the rule does not depend on
// annotation configuration alone.
@GetMapping("/api/invoices/{id}")
@PreAuthorize("hasPermission(#id, 'Invoice', 'read')")
public Invoice get(@PathVariable Long id, Principal user) {
  Invoice inv = invoiceRepo.findById(id).orElseThrow();
  if (!inv.getOwnerId().equals(user.getName())) {
    throw new AccessDeniedException("not your invoice");
  }
  return inv;
}