Top 10 OWASP

Description: Failures in enforcing policies restricting what authenticated users can do. This leads to privilege escalation, data exposure, and unauthorised function access.

Examples:

• Bypassing ID checks in URLs
• Force-browsing to admin pages
• Modifying JWTs to escalate privileges

Detection Tips: Log 403s and 401s, test APIs for IDOR, and inspect URL paths.

Mitigation:

• Use deny-by-default logic
• Centralise access control checks
• Automated security testing

References: OWASP A01

Description: Failures in data encryption, insecure transmission, or poor algorithm/key management.

Examples:

• Passwords stored in plain text
• Using TLS 1.0 or self-signed certs
• Hardcoded cryptographic keys

Detection Tips: Use automated scanners to identify plaintext storage and TLS issues.

Mitigation:

• Enforce TLS 1.2+
• Use modern algorithms like AES-256
• Rotate and protect encryption keys

References: OWASP A02

Description: Unsanitised input leads to execution of unintended commands or queries.

Examples:

• SQL Injection: ' OR 1=1--
• Command injection in OS calls
• LDAP or XPath injection

Detection Tips: Use input fuzzing, static analysis tools, and database monitoring.

Mitigation:

• Use parameterised queries
• Escape input correctly
• Whitelist input wherever possible

References: OWASP A03

Description: Flawed architecture or security missteps at the design level.

Examples:

• No rate limiting on login forms
• Missing threat modelling practices
• Relying solely on client-side validation

Mitigation:

• Use secure SDLC practices
• Implement threat modelling (e.g. STRIDE)
• Perform design reviews and abuse-case testing

References: OWASP A04

Description: Insecure default settings, incomplete configurations, or unnecessary services.

Examples:

• Default admin accounts enabled
• Verbose error messages in production
• Open S3 buckets or exposed Docker APIs

Mitigation:

• Automate secure configurations
• Harden deployments with security baselines
• Disable debugging and stack traces

References: OWASP A05

Description: Use of libraries, plugins, or frameworks with known flaws.

Examples:

• jQuery or Log4j with unpatched CVEs
• WordPress plugins with known RCE issues
• Old versions of Java, PHP, or Python

Mitigation:

• Maintain an SBOM
• Use dependency scanners like Snyk, OWASP DC
• Track CVEs and update regularly

References: OWASP A06

Description: Broken login flows or improper session handling allow attackers to compromise identities.

Examples:

• Brute-force login with no rate limiting
• Session IDs not rotated after login
• No MFA on critical systems

Mitigation:

• Use MFA and strong password policies
• Enforce session timeouts and reauthentication
• Implement account lockouts

References: OWASP A07

Description: Lack of trust controls on software updates, libraries, or critical data.

Examples:

• CI/CD pipeline pulls from unverified sources
• Unsigned or tampered updates
• Malicious packages published to open repositories

Mitigation:

• Use signed packages and checksums
• Secure your build pipeline (code signing, hashes)
• Implement source validation for code and data

References: OWASP A08

Description: Inadequate logging and detection leaves attacks unnoticed and uninvestigated.

Examples:

• No alerting for repeated login failures
• Missing logs for sensitive operations
• No visibility into audit trails

Mitigation:

• Use centralised logging (e.g. SIEM)
• Log authentication, privilege, and data access events
• Correlate events with threat intelligence

References: OWASP A09

Description: A vulnerable server is tricked into sending requests to unintended internal resources.

Examples:

• URL parameters allow requests to localhost or metadata endpoints
• Internal APIs exposed via proxy functions

Mitigation:

• Block internal address ranges from external input
• Use allowlists for outbound requests
• Audit and limit external calls made by the server

References: OWASP A10