Skip to main content

OWASP TOP 10

logo

Summary

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. The version used in this section is OWASP Top 10:2021.

Definitions

DefinitionRequirements
A1. Broken access control033. Restrict administrative access
035. Manage privilege modifications
080. Prevent log modification
095. Define users with privileges
096. Set user's required privileges
176. Restrict system objects
186. Use the principle of least privilege
265. Restrict access to critical processes
266. Disable insecure functionalities
320. Avoid client-side control enforcement
341. Use the principle of deny by default
A2. Cryptographic failures024. Transfer information using session objects
029. Cookies with security attributes
032. Avoid session ID leakages
037. Parameters without sensitive data
045. Remove metadata when sharing files
083. Avoid logging sensitive data
145. Protect system cryptographic keys
156. Source code without sensitive information
176. Restrict system objects
177. Avoid caching and temporary files
180. Use mock data
183. Delete sensitive data securely
184. Obfuscate application data
185. Encrypt sensitive information
261. Avoid exposing sensitive information
264. Request authentication
300. Mask sensitive data
320. Avoid client-side control enforcement
329. Keep client-side storage without sensitive data
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
339. Avoid storing sensitive files in the web root
349. Include HTTP security headers
375. Remove sensitive data from client-side applications
A3. Injection029. Cookies with security attributes
032. Avoid session ID leakages
037. Parameters without sensitive data
043. Define an explicit content type
045. Remove metadata when sharing files
050. Control calls to interpreted code
083. Avoid logging sensitive data
117. Do not interpret HTML code
145. Protect system cryptographic keys
160. Encode system outputs
169. Use parameterized queries
173. Discard unsafe inputs
180. Use mock data
321. Avoid deserializing untrusted data
340. Use octet stream downloads
342. Validate request parameters
344. Avoid dynamic code execution
349. Include HTTP security headers
A4. Insecure design062. Define standard configurations
147. Use pre-existent mechanisms
224. Use secure cryptographic mechanisms
266. Disable insecure functionalities
325. Protect WSDL files
327. Set a rate limit
348. Use consistent encoding
349. Include HTTP security headers
A5. Security misconfiguration043. Define an explicit content type
050. Control calls to interpreted code
062. Define standard configurations
078. Disable debugging events
157. Use the strict mode
161. Define secure default options
205. Configure PIN
206. Configure communication protocols
235. Define credential interface
252. Configure key encryption
259. Segment the organization network
266. Disable insecure functionalities
284. Define maximum number of connections
349. Include HTTP security headers
351. Assign unique keys to each device
352. Enable trusted execution
353. Schedule firmware updates
A6. Vulnerable and outdated components154. Eliminate backdoors
158. Use a secure programming language
167. Close unused resources
262. Verify third-party components
353. Schedule firmware updates
A7. Identification and authentication failures023. Terminate inactive user sessions
025. Manage concurrent sessions
028. Allow users to log out
029. Cookies with security attributes
030. Avoid object reutilization
031. Discard user session data
088. Request client certificates
093. Use consistent certificates
096. Set user's required privileges
114. Deny access with inactive credentials
122. Validate credential ownership
126. Set a password regeneration mechanism
131. Deny multiple password changing attempts
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
140. Define OTP lifespan
141. Force re-authentication
146. Remove cryptographic keys from RAM
153. Out of band transactions
172. Encrypt connection strings
175. Protect pages from clickjacking
176. Restrict system objects
227. Display access notification
229. Request access credentials
232. Require equipment identity
237. Ascertain human interaction
238. Establish safe recovery
247. Hide SSID on private networks
264. Request authentication
265. Restrict access to critical processes
301. Notify configuration changes
319. Make authentication options equally secure
332. Prevent the use of breached passwords
335. Define out of band token lifespan
347. Invalidate previous OTPs
357. Use stateless session tokens
362. Assign MFA mechanisms to a single account
364. Provide extended validation (EV) certificates
369. Set a maximum lifetime in sessions
373. Use certificate pinning
A8. Software and data integrity failures030. Avoid object reutilization
050. Control calls to interpreted code
178. Use digital signatures
223. Uniform distribution in random numbers
238. Establish safe recovery
302. Declare dependencies explicitly
321. Avoid deserializing untrusted data
342. Validate request parameters
357. Use stateless session tokens
A9. Security logging and monitoring failures046. Manage the integrity of critical files
075. Record exceptional events in logs
079. Record exact occurrence time of events
083. Avoid logging sensitive data
160. Encode system outputs
376. Register severity level
377. Store logs based on valid regulation
378. Use of log management system
A10. Server-side request forgery255. Allow access only to the necessary ports
259. Segment the organization network
324. Control redirects