OWASP 2021
A1:2021 Broken Access Control
Broken Access Control tops the OWASP Web Top 10 list because it is one of the most common and dangerous vulnerabilities. It occurs when applications fail to enforce proper restrictions on what authenticated users are allowed to do. This can let attackers access unauthorized functions or data, such as viewing other users' accounts, modifying records, or escalating privileges. Common flaws include missing access checks, insecure direct object references (client-supplied IDs that are never checked against the caller), and relying on client-side controls. To prevent it, enforce access rules on the server side, deny by default, and test access controls rigorously. Proper logging and role-based access are essential for securing applications.
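As an added illustration (not code from the OWASP page), the following shows the insecure direct object reference described above beside its server-side, deny-by-default fix; the users, invoices and role table are constructed sample data.

```python
"""Broken Access Control: an insecure direct object reference (IDOR) beside
its deny-by-default fix. Constructed in-memory data, not real application code."""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class User:
    user_id: int
    roles: FrozenSet[str] = field(default_factory=frozenset)
@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float

# Constructed sample records: two customers' invoices in one table.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=120.0),
    1002: Invoice(1002, owner_id=2, amount=980.0),
}

# Deny-by-default policy: a role lists the actions it may perform on records
# it does not own. Any (role, action) pair not listed here is refused.
ROLE_PERMISSIONS = {
    "admin": frozenset({"invoice:read", "invoice:write"}),
    "auditor": frozenset({"invoice:read"}),
}

class AccessDenied(Exception):
    pass

def get_invoice_vulnerable(user: User, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: trusts the client-supplied ID and never checks ownership."""
    return INVOICES.get(invoice_id)

def is_allowed(user: User, action: str, record: Invoice) -> bool:
    """Server-side check: the owner may act on their own record; anyone else
    needs a role that explicitly grants the action."""
    if record.owner_id == user.user_id:
        return True
    return any(action in ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles)

def get_invoice_secure(user: User, invoice_id: int) -> Invoice:
    """Hardened: load the record, then enforce the policy before returning it."""
    record = INVOICES.get(invoice_id)
    if record is None or not is_allowed(user, "invoice:read", record):
        # One error for both "missing" and "forbidden" so IDs cannot be enumerated.
        raise AccessDenied(f"invoice {invoice_id} is not accessible")
    return record
```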
A2:2021 Cryptographic Failures
Cryptographic Failures (formerly known as Sensitive Data Exposure) refers to weaknesses in protecting data in transit or at rest due to improper use of encryption. This includes using outdated algorithms, weak key management, missing TLS, or exposing secrets like passwords, tokens, or credit card numbers. Attackers can exploit these failures to steal or tamper with sensitive data. Common mistakes include storing passwords in plaintext, not enforcing HTTPS, or exposing API keys in public code.
A3:2021 Injection
Injection occurs when untrusted input is sent to an interpreter as part of a command or query, allowing attackers to execute unintended commands or access data without proper authorization. Common forms include SQL injection, OS command injection, and LDAP injection. These attacks can lead to data breaches, loss of control, or full system compromise. Injection happens when user input isn’t properly validated, sanitized, or parameterized.
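Added example (not from the original page): the SQL injection case above, with a query built by string formatting beside the parameterized form, run against a constructed in-memory SQLite database.

```python
"""Injection: string-built SQL beside a parameterized query (stdlib sqlite3).
Constructed in-memory database; not code from any real application."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: untrusted input is spliced into the query text, so the
    interpreter treats it as SQL rather than as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the placeholder binds the input as a value; the query
    structure is fixed before any user data is seen."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
```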
A4:2021 Insecure Design
Insecure Design highlights risks that stem from flawed application architecture or logic, rather than implementation bugs. It is about building systems without considering security from the start, such as missing threat modeling, insecure workflows, or lack of design validation. Unlike coding errors, insecure design means the system works as intended, but that intention is insecure. Examples include allowing brute-force attacks due to lack of rate limits or not validating critical actions like password changes.
A5:2021 Security Misconfiguration
Security Misconfiguration refers to improper or default security settings in applications, frameworks, web servers, databases, or cloud services. It is a broad category that includes things like unnecessary features enabled (e.g., debug mode), overly permissive permissions, missing security headers, outdated software, or exposed admin interfaces. These misconfigurations create entry points for attackers to exploit. Causes often include human error, lack of hardening, or poor visibility into deployed environments.
A6:2021 Vulnerable and Outdated Components
Vulnerable and Outdated Components addresses the risk of using software libraries, frameworks, or other dependencies that have known security flaws. Applications often rely on third-party code, and if these components are outdated or unpatched, they can expose the system to attacks, even if the main application code is secure. Common examples include outdated JavaScript libraries, old CMS plugins, or unsupported server software.
A7:2021 Identification and Authentication Failures
Identification and Authentication Failures occur when applications fail to properly verify user identities or protect authentication mechanisms. This can lead to unauthorized access, account takeovers, or brute-force attacks. Common issues include weak passwords, missing multi-factor authentication (MFA), exposed session tokens, or poor session management. Attackers exploit these flaws to impersonate users or hijack accounts.
A8:2021 Software and Data Integrity Failures
Software and Data Integrity Failures happen when applications fail to protect against unauthorized changes to code, configuration, or data. This includes relying on untrusted plugins, libraries, or CI/CD pipelines without verifying their integrity. Attackers can exploit these weaknesses to introduce malicious code or tamper with updates. Common issues include missing signature checks on software updates, insecure deserialization, or lack of validation for critical data changes.
A9:2021 Security Logging and Monitoring Failures
Security Logging and Monitoring Failures occur when applications lack proper logging, monitoring, and alerting, making it difficult to detect and respond to attacks. Without these controls, breaches can go unnoticed for days or even months. Common issues include missing logs for important events, logs that lack context, or no alerts for suspicious activity. This limits the effectiveness of incident response and forensics.
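Added example (not from the original page) of the three controls the paragraph names: login events logged with context (who, where, when, outcome) and a threshold alert over them. The event format and the sample log lines are constructed.

```python
"""Logging and monitoring: authentication events logged with context, plus a
threshold alert computed over them. Constructed sample events, not real logs."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

def auth_event(ts: datetime, user: str, src_ip: str, outcome: str) -> str:
    """Emit one login attempt as a JSON line carrying the context an
    investigator needs: who, from where, when, and the result."""
    return json.dumps({"ts": ts.isoformat(), "event": "auth.login",
                       "user": user, "src_ip": src_ip, "outcome": outcome},
                      sort_keys=True)

def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector: alert when one source IP accumulates
    `threshold` failed logins inside `window`. Returns [(src_ip, alert_time)]."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "auth.login" or ev.get("outcome") != "failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["src_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["src_ip"], ts))
            q.clear()                     # one alert per burst, not per attempt
    return alerts

# Constructed sample: six failures from one address within two minutes, a
# single failure from another address, then a successful login.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [auth_event(T0 + timedelta(seconds=20 * i), "alice", "203.0.113.7", "failure")
              for i in range(6)]
SAMPLE_LOG.append(auth_event(T0 + timedelta(minutes=1), "bob", "198.51.100.9", "failure"))
SAMPLE_LOG.append(auth_event(T0 + timedelta(minutes=3), "alice", "203.0.113.7", "success"))
```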
A10:2021 Server-Side Request Forgery
Server-Side Request Forgery (SSRF) occurs when an application allows a user to supply a URL or destination for the server to fetch, without properly validating the input. Attackers exploit this to make the server send requests to internal services, cloud metadata endpoints, or other protected systems that would normally be inaccessible. This can lead to data exposure, port scanning, or even remote code execution in some cases. SSRF is especially dangerous in cloud environments.
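Added example (not from the original page) of validating a user-supplied fetch URL before the server uses it: scheme and host allowlist, no embedded credentials, and a check that the resolved addresses are public so internal services and cloud metadata endpoints are refused. The allowlisted hosts and the stub DNS resolver are constructed so the code runs offline.

```python
"""SSRF defence: validate a user-supplied fetch target before the server
uses it. Constructed allowlist and a stub resolver so it runs offline."""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: only these external hosts are legitimate fetch targets.
ALLOWED_HOSTS = {"images.example.test", "feeds.example.test"}

def is_public_address(ip: str) -> bool:
    """Reject loopback, private, link-local (which covers cloud metadata
    addresses), multicast and reserved space; allow only globally routable IPs."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_fetch_url(url: str, resolve: Callable[[str], List[str]]) -> str:
    """Return the URL if it passes every check, else raise ValueError.
    `resolve` maps hostname -> IP strings. The caller should connect to exactly
    the addresses validated here rather than re-resolving (avoids DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addrs = resolve(host)
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError(f"{host!r} resolves to a non-public address")
    return url

# Constructed resolver: one host with a public address, and one allowlisted
# host that has been pointed at a link-local address (simulated DNS tampering).
STUB_DNS = {
    "images.example.test": ["8.8.8.8"],
    "feeds.example.test": ["169.254.169.254"],
}

def stub_resolve(host: str) -> List[str]:
    return STUB_DNS.get(host, [])
```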