OWASP Top 10 (2021) with examples, controls, detection ideas, and tool cross-references
Each risk card below gives narrative guidance for one of the ten risks. The severity meter on the original page is a teaching aid (relative prevalence and impact across many applications), not a CVSS score. Map the controls to your own stack and threat model.
A01:2021 Broken Access Control
Description. Users can act outside their intended permissions because enforcement is missing, inconsistent, or relies on client-side checks.
Real-world example. Changing /api/orders/1024 to /api/orders/1025 returns another customer’s order because the API trusts the path parameter without server-side authorization.
Impact. Data breach, account takeover, privilege escalation, regulatory fines.
Prevention. Deny by default; centralize authorization; use policy engines; test horizontal/vertical access paths; avoid exposing identifiers without binding to the session subject.
Detection. Abnormal object access rates, 403/401 spikes after releases, DAST crawls that reach admin routes, audit logs showing IDOR patterns.
Tools. SAST (authz bug patterns), DAST (forced browsing), custom integration tests, WAF only as a coarse layer (not a fix).
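The orders example above, as an added illustration rather than code from the page: a lookup that trusts the path parameter beside one that binds the object to the session subject and denies by default. The order data, the "support" role name and the in-memory denial trail are constructed for this example; the last function shows the detection idea from the card (a burst of forbidden lookups from one subject).

```python
"""Object-level authorization for /api/orders/<id>: vulnerable lookup beside a
hardened one, plus a small detection helper over the denial audit trail."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: str
    total_cents: int


# Constructed sample data: two customers, one order each.
ORDERS = {
    1024: Order(1024, "alice", 4999),
    1025: Order(1025, "bob", 12000),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed in-memory audit trail of authorization denials: (user, order_id).
AUTHZ_DENIALS: list[tuple[str, int]] = []


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """IDOR: the session subject is ignored, so any caller can read any order."""
    return ORDERS[order_id]


def get_order_secure(session_user: str, order_id: int, role: str = "customer") -> Order:
    """Deny by default: the caller must own the object or hold an explicit role.

    The check sits server-side next to the lookup, so no client-side flag can
    bypass it. 'support' is a hypothetical role name used for illustration.
    """
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if role == "support" or order.owner_id == session_user:
        return order
    AUTHZ_DENIALS.append((session_user, order_id))
    raise Forbidden(f"{session_user} may not read order {order_id}")


def can_read(session_user: str, order_id: int, role: str = "customer") -> bool:
    """Boolean wrapper around the hardened lookup (handy for tests and policy checks)."""
    try:
        get_order_secure(session_user, order_id, role)
        return True
    except Forbidden:
        return False


def suspicious_users(threshold: int = 3) -> list[str]:
    """Detection helper: subjects with at least `threshold` authorization denials."""
    counts = Counter(user for user, _ in AUTHZ_DENIALS)
    return sorted(user for user, n in counts.items() if n >= threshold)
```

Whether a denied lookup returns 403 or 404 is a design choice; 404 avoids confirming that the identifier exists, but either way the denial should be logged so the pattern is visible.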
A02:2021 Cryptographic Failures
Description. Weak or missing cryptography exposes data at rest or in transit (wrong algorithm, hardcoded keys, TLS off, sensitive data in URLs).
Real-world example. Database column stores credit card numbers plaintext “for debugging” and backups copy them unchanged to object storage.
Impact. Mass credential and PII disclosure, compliance failure.
Prevention. TLS everywhere, modern AEAD ciphers, KMS/HSM-backed keys, field-level encryption for sensitive columns, secret rotation, purge unnecessary data.
Detection. SCA/license scans for weak crypto libs, DAST for mixed content/downgrade, data-classification tooling on storage.
Tools. SAST (crypto misuse rules), SCA, CSPM for bucket encryption defaults, cloud KMS integrations.
A03:2021 Injection
Description. Untrusted input becomes part of a command or query (SQL, OS, LDAP, template, NoSQL).
Real-world example. Search box concatenates into SQL: ' OR 1=1-- returns all rows.
Impact. Full database compromise, RCE, data destruction.
Prevention. Parameterized queries/ORMs, input validation with allow-lists, escaping only as defense-in-depth, least-privilege DB accounts.
Detection. WAF signatures, DB audit of unusual queries, SAST taint analysis, fuzzing with error-based payloads.
Tools. SAST (taint), DAST (payload corpora), IAST where available, database activity monitoring.
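The search-box example above, worked through in Python with SQLite as an added example (not code from the page): the concatenated query lets the quoted payload rewrite the WHERE clause and list a row that should stay hidden, while the parameterized query treats the same input as data. The product table and the allow-list pattern are constructed for this example.

```python
"""SQL injection: string concatenation beside a parameterized query, with an
allow-list validator as defence in depth."""
import re
import sqlite3

# The payload quoted in the card above.
PAYLOAD = "' OR 1=1--"

# Allow-list for a product search term: letters, digits, space, dot, hyphen.
_TERM_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,64}$")


def _connect() -> sqlite3.Connection:
    """Constructed in-memory catalogue; rows with secret = 1 must never be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, secret) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased-prototype", 1)],
    )
    return conn


def search_vulnerable(term: str) -> list[str]:
    """Concatenation: the payload closes the quote, adds OR 1=1 and comments out
    the 'AND secret = 0' filter, so every row comes back."""
    conn = _connect()
    sql = f"SELECT name FROM products WHERE name = '{term}' AND secret = 0"
    return [row[0] for row in conn.execute(sql)]


def search_safe(term: str) -> list[str]:
    """Parameterized query: the driver binds the term as a value, never as SQL."""
    conn = _connect()
    rows = conn.execute(
        "SELECT name FROM products WHERE name = ? AND secret = 0", (term,)
    )
    return [row[0] for row in rows]


def is_valid_term(term: str) -> bool:
    """Allow-list validation: a second layer, not a substitute for parameters."""
    return bool(_TERM_RE.fullmatch(term))


def search_hardened(term: str) -> list[str]:
    """Validate first, then run the parameterized query."""
    if not is_valid_term(term):
        raise ValueError("rejected search term")
    return search_safe(term)
```

Least privilege on the database account (read-only, scoped to the needed tables) limits what a successful injection can reach even when both layers fail.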
A04:2021 Insecure Design
Description. Missing or ineffective security architecture: threats that code alone cannot patch (business logic abuse, weak trust boundaries).
Real-world example. E-commerce allows negative quantity in the cart API, creating a discount exploit because pricing logic never validated invariants.
Impact. Fraud, irreversible architectural debt, repeated incidents.
Prevention. Threat modeling, secure design patterns, misuse cases, separation of duties, fraud analytics, reference architectures.
Detection. Abuse analytics, anomaly detection on business metrics, purple-team scenarios targeting workflows.
Tools. Threat modeling apps, manual architecture review; complement with SAST/DAST for symptoms, not root cause.
A05:2021 Security Misconfiguration
Description. Default credentials, verbose errors, open cloud storage, unnecessary features, missing security headers.
Real-world example. Admin console enabled on the Internet with default password; stack traces expose ORM and driver versions.
Impact. Easy lateral movement, fingerprinting, full compromise.
Prevention. Hardened baselines, IaC scanning, automated drift detection, periodic pentests, minimal attack surface.
Detection. CSPM/Config rules, DAST passive scan, security headers checks in CI.
Tools. IaC scanners (Checkov, tfsec), CSPM, DAST, container/image scanners for default users.
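The "security headers checks in CI" and "verbose errors" items above, as an added example that is not code from the page: a check that can run against a staging response in a pipeline, flagging missing or weak headers, version-bearing fingerprint headers, and stack traces in error bodies. The two sample responses and their server strings are constructed.

```python
"""CI-style check of an HTTP response for missing security headers,
version fingerprinting and verbose error output."""

# Expected values for common security headers. The predicates are deliberately
# loose: they catch absence and obviously weak values, not every policy nuance.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that commonly carry product/version strings useful for fingerprinting.
FINGERPRINT_HEADERS = ("server", "x-powered-by")

# Body fragments that indicate a stack trace or driver error reached the client.
STACK_TRACE_MARKERS = (
    "Traceback (most recent call last)",
    "Exception in thread",
    "at java.",
    "SQLSTATE",
)


def check_response(status: int, headers: dict[str, str], body: str = "") -> list[str]:
    """Return a list of findings; an empty list means the response passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not ok(h[name]):
            findings.append(f"weak {name}: {h[name]!r}")
    for name in FINGERPRINT_HEADERS:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"version disclosed in {name}: {h[name]!r}")
    if status >= 500 and any(marker in body for marker in STACK_TRACE_MARKERS):
        findings.append("stack trace in error response")
    return findings


# Constructed sample responses: an out-of-the-box deployment and a hardened one.
DEFAULT_RESPONSE = (
    500,
    {
        "Server": "ExampleServer/2.4.1",
        "X-Powered-By": "ExampleFramework/7.0",
        "Content-Type": "text/html",
    },
    "<pre>Traceback (most recent call last):\n  File \"app.py\", line 12</pre>",
)

HARDENED_RESPONSE = (
    200,
    {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "no-referrer",
        "Content-Type": "text/html",
    },
    "<html>ok</html>",
)
```

Wire the check into CI so a release that drops a header fails the build; a passive DAST scan covers the same ground against the deployed system.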
A06:2021 Vulnerable and Outdated Components
Description. Unpatched libraries, abandoned dependencies, typosquatted packages.
Real-world example. Production still runs a three-year-old Struts version with a public RCE CVE.
Impact. Remote code execution, malware in build pipelines.
Prevention. Pin versions, SBOM, automated upgrades, private registries, integrity verification, vendor SLAs.
Detection. SCA in CI/CD, runtime bill-of-materials correlation, alert on new CVEs for shipped SBOM.
Tools. SCA (Snyk, OWASP Dependency-Check, Mend), container scanners (Trivy, Grype), GitHub Dependabot-style bots.
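The "alert on new CVEs for shipped SBOM" idea above, as an added example that is not code from the page or from any of the listed tools: a CycloneDX-style component list is correlated with an advisory feed by package URL and a fixed-in version. The SBOM fragment, the advisory identifiers and the fixed-in versions are all constructed placeholders, not real advisories.

```python
"""Correlate a shipped SBOM with an advisory feed to find components that
ship below the first fixed version."""
import json

# Constructed CycloneDX-style SBOM fragment (only the fields used here).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "struts2-core", "version": "2.3.31",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.31"},
        {"name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# Constructed advisory feed with placeholder ids and placeholder fixed versions.
# Real feeds (OSV, NVD, vendor bulletins) carry the same shape: an affected
# package and the first version that contains the fix.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/org.apache.struts/struts2-core",
     "fixed_in": "2.3.99", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/left-pad",
     "fixed_in": "1.0.0", "severity": "low"},
]


def _version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted-version ordering; non-numeric parts compare as 0.
    Real ecosystems (semver pre-releases, Maven qualifiers) need their own rules."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def _split_purl(purl: str) -> tuple[str, str]:
    """'pkg:npm/left-pad@1.3.0' -> ('pkg:npm/left-pad', '1.3.0')."""
    base, _, version = purl.rpartition("@")
    return base, version


def match_advisories(sbom_json: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) where the shipped version
    is older than the first fixed version."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        base, version = _split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and _version_key(version) < _version_key(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings
```

Running this on every new advisory against the SBOM of what is actually deployed, rather than only at build time, is what turns an SBOM into a runtime alert.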
A07:2021 Identification and Authentication Failures
Description. Weak passwords, broken MFA, session fixation, credential stuffing success, JWT misuse.
Real-world example. Login lacks rate limits; attackers reuse breached passwords and harvest accounts.
Impact. Account takeover, fraud, lateral movement to SSO-linked apps.
Prevention. MFA, secure session management, passwordless where viable, breached-password checks, lockouts designed so that an attacker cannot abuse them to lock out legitimate users.
Detection. Geo-velocity alerts, impossible travel, spike in failed logins, GuardDuty-style identity signals in cloud.
Tools. DAST auth flows, SAST for hardcoded creds, bot management/WAF, IdP analytics.
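The rate-limit and breached-password items from the card above, as an added example rather than code from the page: a sliding-window limiter keyed on both username and source IP, and a breached-password lookup in the style of the k-anonymity range query used by the Have I Been Pwned Pwned Passwords API (only a 5-character SHA-1 prefix leaves the client). The breached list, the user store, its salt and the IP address are constructed.

```python
"""Login hardening: per-user and per-IP sliding-window rate limiting plus a
k-anonymity style breached-password check."""
import hashlib
import hmac
from collections import deque


class RateLimited(Exception):
    pass


class LoginRateLimiter:
    """Sliding window of attempt timestamps per key."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts: dict[str, deque] = {}

    def record(self, key: str, now: float) -> None:
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            raise RateLimited(key)
        q.append(now)

    def allowed(self, key: str, now: float) -> bool:
        try:
            self.record(key, now)
            return True
        except RateLimited:
            return False


class BreachedPasswordIndex:
    """Server side of a range lookup: SHA-1 prefix (5 hex chars) -> suffixes."""

    def __init__(self, breached_passwords):
        self._ranges: dict[str, set[str]] = {}
        for pw in breached_passwords:
            digest = hashlib.sha1(pw.encode()).hexdigest().upper()
            self._ranges.setdefault(digest[:5], set()).add(digest[5:])

    def suffixes_for(self, prefix: str) -> set[str]:
        return self._ranges.get(prefix.upper(), set())


# Constructed breached list standing in for a real corpus.
BREACHED_INDEX = BreachedPasswordIndex(["password123", "qwerty", "letmein"])


def is_breached(password: str, index: BreachedPasswordIndex = BREACHED_INDEX) -> bool:
    """Client side: send only the prefix, compare the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.suffixes_for(digest[:5])


# Constructed user store: PBKDF2-SHA256. One shared salt is used here for
# brevity; real stores use a per-user salt.
_SALT = b"constructed-salt"
_ITERATIONS = 100_000
USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _ITERATIONS),
}


def verify_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Always derive the candidate so timing does not reveal whether the user exists.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return stored is not None and hmac.compare_digest(stored, candidate)


def attempt_login(limiter: LoginRateLimiter, username: str, ip: str,
                  password: str, now: float) -> str:
    """Return 'ok', 'denied' or 'rate_limited'; limits apply per user and per IP."""
    if not limiter.allowed(f"user:{username}", now) or not limiter.allowed(f"ip:{ip}", now):
        return "rate_limited"
    return "ok" if verify_password(username, password) else "denied"
```

Keying the limiter on the username as well as the IP is what blunts credential stuffing spread across many source addresses; a per-user limit must be combined with a short window or a captcha step so that it cannot be turned into a denial-of-service against that user.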
A08:2021 Software and Data Integrity Failures
Description. CI/CD or update channels without integrity checks; unsigned artifacts; unsafe deserialization.
Real-world example. Build server runs a post-install script that pulls unverified bash from a URL.
Impact. Supply-chain compromise, widespread trojanized releases.
Prevention. Signed commits, signed images (Cosign), verified provenance (SLSA-style), lockfiles, restricted runner permissions.
Detection. Monitor pipeline templates, alert on new publisher IDs, binary transparency where applicable.
Tools. SCA + SBOM signing, OCI signing, secrets scanning in pipelines, IaC for least-privilege runners.
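The build-server example above, reworked as an added example that is not code from the page: instead of piping an unverified download into a shell, the script is fetched, checked against a pinned digest and a signature, and only then handed to the installer. Cosign and Sigstore use asymmetric signatures and a transparency log; an HMAC-SHA256 with a shared key stands in here so the example runs offline. The artifact bytes and the key are constructed.

```python
"""Verify a downloaded artifact before executing it: pinned SHA-256 digest
plus a signature check, failing closed on either mismatch."""
import hashlib
import hmac

# Constructed artifact and signing key (a real key would live in a KMS/HSM and
# the signature would be produced by the release pipeline, not the consumer).
ARTIFACT = b"#!/bin/sh\necho 'post-install step'\n"
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()


def sign(artifact: bytes, key: bytes) -> str:
    """Stand-in for a Cosign-style signature: HMAC-SHA256 over the artifact."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


SIGNATURE = sign(ARTIFACT, SIGNING_KEY)


class IntegrityError(Exception):
    pass


def verify_artifact(data: bytes, expected_sha256: str, signature: str, key: bytes) -> bool:
    """Both the pinned digest and the signature must match; raise otherwise."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError("digest mismatch")
    if not hmac.compare_digest(sign(data, key), signature):
        raise IntegrityError("signature mismatch")
    return True


def is_trusted(data: bytes, expected_sha256: str, signature: str, key: bytes) -> bool:
    try:
        return verify_artifact(data, expected_sha256, signature, key)
    except IntegrityError:
        return False


def fetch_verified(download, expected_sha256: str, signature: str, key: bytes) -> bytes:
    """Download-then-verify: `download` is any callable returning the bytes.
    The caller only ever sees bytes that passed verification."""
    data = download()
    verify_artifact(data, expected_sha256, signature, key)
    return data
```

Pinning the digest in the lockfile or build definition is what makes a silently replaced upstream file fail the build rather than run; the signature additionally ties the artifact to a publisher so a pinned-but-compromised digest cannot be swapped together with the file.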
A09:2021 Security Logging and Monitoring Failures
Description. Insufficient logs, unclear ownership, no alerting, or logs that attackers can tamper with.
Real-world example. Admin actions are not audited; during an incident the team cannot prove what changed.
Impact. Long dwell time, failed forensics, compliance findings.
Prevention. Centralized tamper-evident logging, high-value event schemas, retention policies, tabletop exercises.
Detection. SIEM correlation rules, UEBA, synthetic security tests that must generate alerts.
Tools. SIEM/SOAR, cloud audit services (CloudTrail, Azure Monitor), structured logging libraries, synthetic canaries.
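The "tamper-evident logging" control above, as an added example that is not code from the page: an admin-action audit log where each entry carries an HMAC over its own fields and the previous entry's tag, so editing, reordering or deleting an entry breaks the chain at that point. The log key and the sample admin actions are constructed.

```python
"""Tamper-evident audit log: an HMAC-SHA256 hash chain over structured entries,
with a verifier that reports the index of the first entry that fails."""
import hashlib
import hmac
import json


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the MAC covers exactly one byte layout."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes, genesis: bytes = b"genesis"):
        self._key = key
        self.entries: list[dict] = []
        self._prev = hashlib.sha256(genesis).hexdigest()

    def append(self, actor: str, action: str, target: str, ts: int) -> dict:
        record = {"ts": ts, "actor": actor, "action": action,
                  "target": target, "prev": self._prev}
        record["mac"] = hmac.new(self._key, _canonical(record), hashlib.sha256).hexdigest()
        self.entries.append(record)
        self._prev = record["mac"]
        return record


def verify_chain(entries: list[dict], key: bytes, genesis: bytes = b"genesis") -> int:
    """Return -1 if the whole chain verifies, else the index of the first bad entry."""
    prev = hashlib.sha256(genesis).hexdigest()
    for i, rec in enumerate(entries):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev:
            return i                       # reordered or deleted predecessor
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return i                       # edited fields or wrong key
        prev = rec["mac"]
    return -1


def build_sample_log(key: bytes) -> AuditLog:
    """Constructed admin actions of the kind the card says must be audited."""
    log = AuditLog(key)
    log.append("admin@example.com", "role.grant", "user:bob", 1700000000)
    log.append("admin@example.com", "config.update", "feature_flags", 1700000060)
    log.append("svc-deploy", "deploy", "api:v2.3", 1700000120)
    return log
```

Truncating the tail of the log is not detectable from the chain alone; publishing the latest MAC to a separate store (or shipping entries to a write-once SIEM index) closes that gap, and keeping the key out of the application host keeps a compromised app from re-signing its own history.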
A10:2021 Server-Side Request Forgery (SSRF)
Description. The server fetches a URL supplied by the user, reaching internal services or cloud metadata endpoints.
Real-world example. “Import from URL” feature pulls http://169.254.169.254/latest/meta-data/ and leaks IAM role keys.
Impact. Cloud credential theft, internal port scanning, pivot to VPC services.
Prevention. Network egress controls, URL allow-lists, disable unused URL fetchers, IMDSv2 (session-token based metadata access) on cloud VMs so a plain GET from a forged request cannot read instance credentials.
Detection. Outbound connection anomalies, DAST SSRF payloads, cloud alerts on metadata access.
Tools. DAST specialized modules, SAST for URL builders, CSPM/network policy reviews.
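The "Import from URL" case above, as an added example that is not code from the page: a validator that resolves the supplied host and refuses anything that is not a public address, so the link-local metadata address, loopback and RFC 1918 ranges are all rejected, as are non-HTTP schemes and unexpected ports. The resolver is a constructed table (hostnames and addresses invented here) so the example runs offline.

```python
"""SSRF guard for a user-supplied fetch URL: scheme, port and resolved-address
checks that fail closed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed resolver table standing in for DNS.
FAKE_DNS = {
    "feeds.example.com": ["51.15.21.99"],
    "intranet.example.internal": ["10.0.0.5"],
    "rebind.example.com": ["51.15.21.100", "127.0.0.1"],  # one public, one loopback
}


def _resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def _is_public(ip) -> bool:
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=_resolve) -> tuple[str, str]:
    """Return (hostname, ip) the fetcher may connect to; raise ValueError otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname          # userinfo, brackets and port are stripped here
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        addresses = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        raise ValueError(f"unresolvable host: {host!r}")   # fail closed
    # Every resolved address must be public; one internal answer rejects the URL.
    if not all(_is_public(a) for a in addresses):
        raise ValueError(f"non-public address for {host!r}")
    return host, str(addresses[0])


def is_safe_fetch_url(url: str) -> bool:
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False
```

Connect to the IP address that was validated (passing the hostname in the Host header) rather than resolving again at fetch time, and apply the same validation to every redirect hop; otherwise a DNS answer that changes between check and use, or a redirect to an internal address, bypasses the check. Egress network policy remains the backstop when the validator is wrong.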
| Risk cluster | Primary automated testing | Primary governance |
|---|---|---|
| Access + Auth (A01, A07) | DAST + custom tests | IAM standards, session libraries |
| Data protection (A02, A03) | SAST + SCA | KMS, data classification |
| Design + Misconfig (A04, A05) | IaC + CSPM | Threat modeling, golden paths |
| Components + Integrity (A06, A08) | SCA + signing | SBOM, vendor risk |
| Detection + SSRF (A09, A10) | DAST + SIEM rules | Network segmentation |