The OWASP Top 10 — A Field Guide

The category that's #1 for a reason — present in nearly every breach. Users acting on resources they shouldn't be allowed to touch.

• IDOR — guessable IDs and missing ownership checks.
• Privilege escalation through mass assignment.
• Forgotten checks on side-doors (CSV export, GraphQL fields, admin debug routes).
• Client-side enforcement only ("the admin button is hidden in the UI").

Deep dives: Broken Access Control → · Authorization →

Sensitive data exposed because crypto was missing, broken, or applied wrong.

• Plaintext passwords, MD5/SHA-1 password hashes, missing salt.
• HTTP instead of HTTPS, expired or self-signed certs in prod.
• Hard-coded keys, secrets in source control, weak random number generation.
• Old TLS versions (1.0/1.1) and weak cipher suites.

Use vetted libraries; HTTPS everywhere; argon2id/bcrypt for passwords; rotate keys; use a secret manager.

Untrusted input interpreted as code or commands. SQL injection, NoSQL injection, OS command injection, LDAP, XPath, ORM injection — same shape, different sink.

• Always parameterize. No string concatenation into queries, ever.
• Validate input shape, but don't rely on it as the only defense.
• Use ORMs and query builders correctly — they help only if you actually pass parameters.
• For shell, prefer language APIs (e.g., execFile) over exec with a constructed string.

Deep dive: Injection →

Vulnerabilities baked into the design itself — no amount of careful coding fixes them. The category that says "we should have caught this on the whiteboard."

• Password reset that emails the password.
• Anonymous high-value endpoints with no rate limit.
• Trusting the client (price, role, tenant ID) in any decision that matters.
• Multi-step flows where step N can be skipped to step N+1.

Antidote: threat-model new features. Ask "what could go wrong?" before "how do I build it?"

Boring, common, cheap to fix, often catastrophic.

• Default credentials still active.
• Verbose stack traces in prod responses.
• Open S3 buckets, publicly accessible Elasticsearch, dev consoles exposed.
• Missing security headers (HSTS, CSP, X-Content-Type-Options).
• Permissive CORS — Access-Control-Allow-Origin: * with credentials.

Deep dive: Security Misconfiguration →

Most modern apps are 80%+ third-party code. When a dependency has a CVE, you have it too.

• Run SCA tooling — Dependabot, Snyk, Trivy, OSV-Scanner — in CI and on a schedule.
• Maintain an SBOM (Software Bill of Materials).
• Patch on a cadence, not just when something breaks.
• Pin transitive dependencies via lockfiles; review the diff on upgrades.

Deep dive: Vulnerable Dependencies →

Anything that lets an attacker become someone else.

• Credential stuffing because there's no rate limit and no MFA.
• Sessions that don't expire; tokens that can't be revoked.
• Account-existence oracles ("Email already registered" on signup).
• Weak password reset (predictable tokens, no expiry, sent over HTTP).

Deep dives: Authentication → · Broken Authentication → · MFA →

Trusting code or data without verifying it hasn't been tampered with.

• Auto-update from an unsigned source.
• CI/CD pipelines pulling base images by tag, not digest.
• Insecure deserialization — untrusted bytes turned into objects that execute code.
• No code signing on releases, no provenance for build artifacts.

Sign artifacts (Sigstore, in-toto), pin by digest, verify before deploy. Deep dive: Insecure Deserialization →

If you can't see an attack, you can't stop it. Average breach dwell time is measured in months — usually because nobody was looking.

• Log auth events, access-control denials, admin actions, payment events — with correlation IDs.
• Centralize logs (out of the application's reach).
• Alert on anomalies: spikes in 401/403, unusual login geographies, privilege grants.
• Don't log secrets or full request bodies; scrub PII at the edge.

Your server makes an HTTP request to a URL the attacker controls — often reaching internal services that aren't exposed to the internet.

• Cloud metadata endpoints (169.254.169.254) — credential theft on AWS/GCP/Azure.
• Internal services without auth assuming the network was the boundary.
• file:// schemes reading local files.

Defenses: scheme allow-list (http/https only); resolve hostnames and reject private/loopback/link-local IPs after resolution; outbound egress proxy with an allow-list; per-endpoint timeouts and size limits.

• OWASP API Security Top 10 — analogous list focused on REST/GraphQL APIs.
• OWASP Mobile Top 10 — for iOS/Android apps.
• OWASP LLM Top 10 — emerging risks for AI applications (prompt injection, training data poisoning, etc.).
• CWE Top 25 — MITRE's broader, more technical list of dangerous weaknesses.
• OWASP ASVS — Application Security Verification Standard, a checklist-grade reference.

1. Walk your app against the ten categories. Note where you're weak.
2. Pick the top three risks for your app — usually access control, auth, and dependencies.
3. Add an automated test or scanner for each one in CI.
4. Schedule a quarterly review. Lists rot; threats don't.