# OWASP top 10

Published 2022-09-30

This tutorial explains what OWASP top 10 is.

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. It operates under an "open community" model.

The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.

For instance, for 2023, we have the following security risks reported on OWASP Top 10:

# 1. Broken Access Control

Meaning: to have more access rights than you need.

Fix: follow the Principle of The Least Privilege.

# 2. Cryptographic Failures

Meaning: sensitive data is exposed because of the week cryptographic algorithms, insecure password storage, insufficient transport layer security (which can lead to man-in-the-middle attacks), weak SSL/TLS protocols.

Fix: Analyse the data flow and choose the right cryptographic mechanisms (for the data which is in transit or at rest).

# 3. Injection

Meaning: the request contains data which could "code" which could be run on backend and change the normal behaviour of that service. This changed behaviour could help you to obtain sensitive data or could help you to brake the security for that service.

Fix: the input data must be validated and the code must be written in a why the injection is not possible. This implementation is different function of the injection type (SQL injection, XML injection).

# 4. Insecure Design

Meaning: from the beginning of software development we need to think of the design/ architectural security threats.

Fix: from the design phase of the development we need to consider the security threats.

# 5. Security Misconfiguration

Meaning: the configuration of the security layers are not done correctly/updated.

Fix: apply the latest security patches, avoid using default configurations, protect the files and directories accordingly, grant the appropriate rights (no more than needed).

# 6. Vulnerable and Outdated Components

Meaning: you are used vulnerable libraries/components.

Fix: use the latest versions, apply the latest patches when needed and keep a record with all the libraries used on that project.

# 7. Identification and Authentication Failure

Meaning: this category contains all the issues related to the authentication

Fix: limits on login attempts, strong passwords, validity periods for password/ security keys/ tokens, etc. A MFA (Multi-Factor Authentication) could be considered here as well.

# 8. Software and Data Integrity Failures

Meaning: we can use different plugins/libraries with security vulnerabilities in our CI/CD.

Fix: have a record of all these plugins/libraries and look for potential security threats.

# 9. Security Logging and Monitoring Failures

Meaning: the security incidents are not logged/monitored (for instance, too many logins per seconds, too many failures during logins, etc).

Fix: have an appropriate logging & monitoring of the security incidents

# 10. Server-Side Request Forgery (SSRF)

Meaning: when the attacker makes the backed server (which generally has particular rights) to access some internal resources.


  • Firewall Rules: the firewalls must restrict outgoing requests from the servers to specific resources and protocols.

  • Input Validation: the input data must be validated and sanitized

  • Least Privilege: ensure that the server has the least privileges necessary to access external resources to limit potential damage if an SSRF attack occurs.

Other attack type are:

# Cross-Site Request Forgery (CSRF)

Meaning: the user to execute malicious requests (unwanted code) on behalf of the attacker. For instance, after login, you can pay a bill for the attacker.

Fix: use signed tokens, re-authentication (before an important operation), using MFA (Multi-Factor Authentication).

# Cross-Site Scripting (XSS)

Meaning: when a script is injected and run in the browser. This could hijack the session, change the content of the page, redirect to another site. In XSS the attacker could also read the response received by the browser.

Fix: the input data must be validated and sanitized and use the latest UI framework.

# Session Fixation

Meaning: when the hacker provides the server with his client's session ID and is able to access any server he wants without the need for proper credentials.

This session ID could be hijacked from : Session ID put in the URL, Session ID in a cookie, session ID in a hidden form field.

Fix: change the session ID after login