Security Glossary

Definition

What is OWASP Top 10?

A regularly updated consensus list of the ten most critical security risks to web applications, published by the Open Web Application Security Project (OWASP). The list is informed by data contributed by hundreds of organizations covering millions of real-world applications and is widely referenced in regulatory frameworks, secure coding standards, and developer training programs. The current edition (2021) covers risks such as broken access control, cryptographic failures, injection, and insecure design.

Related terms

SQL Injection (SQLi)
An injection attack where malicious SQL statements are inserted into application input fields that are passed unsanitized to a database query, allowing attackers to manipulate query logic.

Cross-Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

Broken Authentication
A class of vulnerabilities that allows attackers to compromise passwords, keys, or session tokens, or exploit implementation flaws to assume other users' identities.

Security Misconfiguration
The most prevalent web application vulnerability class, arising from incorrectly configured cloud services, application frameworks, databases, web servers, or network infrastructure.

Insecure Direct Object Reference (IDOR)
A vulnerability that occurs when an application exposes an internal implementation object — such as a database record ID, filename, or account number — without verifying that the requesting user is authorized to access it.
Put this into practice
Autonomous OWASP vulnerability scanning
See how Penetrify's autonomous AI agents find and validate this class of security issue in your application.