OWASP Top 10 — Complete Guide with Examples and Fixes (2025)
The OWASP Top 10 is the de facto standard for web application security risk. Every developer and security engineer should understand these vulnerabilities — and how to detect and fix them.
Broken Access Control
Users can act outside of their intended permissions — accessing other users' data, modifying other accounts, or performing unauthorized actions.
Real-world example
An e-commerce app uses sequential order IDs in URLs (/orders/1234). By changing the ID to /orders/1233, a user can view another customer's order details.
Impact
Data breach, unauthorized data modification, privilege escalation.
How to fix
Enforce access controls server-side on every request. Default to deny. Use indirect object references. Log access control failures.
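The following is an added example, not code from the original article: it applies the fixes above to the /orders/1234 scenario. The in-memory order store, the user names and the ReferenceMap class are constructed for illustration; a real app would back them with a database and a session store.

```python
import logging
import secrets

# Constructed sample data: two customers, each owning one sequential order ID.
ORDERS = {
    1233: {"owner": "alice", "total": 42.00},
    1234: {"owner": "bob", "total": 99.50},
}

log = logging.getLogger("authz")


class Forbidden(Exception):
    """Raised whenever the caller may not see the requested order."""


def get_order(order_id, current_user):
    """Server-side ownership check on every request, default deny."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        # Log the failure, and return the same error for missing and foreign
        # orders so the response does not reveal which IDs exist.
        log.warning("access denied user=%s order=%s", current_user, order_id)
        raise Forbidden(f"order {order_id} not accessible")
    return order


class ReferenceMap:
    """Indirect object references: the client receives an opaque, per-user
    token instead of the database ID, so IDs cannot be guessed by counting."""

    def __init__(self, user):
        self.user = user
        self._refs = {}

    def reference_for(self, order_id):
        ref = secrets.token_urlsafe(16)  # unguessable, scoped to this user
        self._refs[ref] = order_id
        return ref

    def resolve(self, ref):
        order_id = self._refs.get(ref)
        if order_id is None:
            raise Forbidden("unknown reference")
        # The ownership check still runs: the map is a convenience, not the
        # authorization decision.
        return get_order(order_id, self.user)
```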
Cryptographic Failures
Sensitive data is exposed due to weak or missing encryption — in transit, at rest, or in backups.
Real-world example
A healthcare app stores patient passwords with MD5 (no salt). A database breach exposes all passwords, which are cracked within hours.
Impact
Credential theft, HIPAA violations, financial data exposure.
How to fix
Use TLS 1.2+ for all data in transit. Use bcrypt/Argon2 for passwords. Encrypt sensitive data at rest with AES-256. Never store sensitive data you don't need.
Injection
Untrusted data is sent to an interpreter (SQL, NoSQL, OS commands, LDAP) as part of a query or command, changing its intended execution.
Real-world example
A login form with input username=' OR '1'='1 bypasses authentication entirely in an app using raw SQL string concatenation.
Impact
Full database compromise, authentication bypass, data exfiltration, remote code execution.
How to fix
Use parameterized queries / prepared statements. Validate and sanitize all user input. Use an ORM. Apply least-privilege to database accounts.
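An added example (not from the original article) showing the login lookup above both ways, using SQLite as a stand-in for the database. The users table and its three rows are constructed sample data; the read-only PRAGMA stands in for the least-privilege database account the fix recommends.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database: three users, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("carol", "h3")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # String concatenation: the input is parsed as part of the SQL statement,
    # so a quote in the input rewrites the WHERE clause. With the page's payload
    # the query becomes  ... WHERE username = '' OR '1'='1'  and matches every row.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the value travels separately from the statement text
    # and is only ever compared as data, whatever characters it contains.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def make_read_only(conn):
    # Least privilege for the login path: this connection can only read, so
    # even a successful injection cannot modify or delete rows.
    conn.execute("PRAGMA query_only = ON")
    return conn
```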
Insecure Design
Security flaws in the design and architecture of the application — risks that no implementation can fully mitigate because the design itself is flawed.
Real-world example
A password reset flow uses security questions with answers easily found on social media (mother's maiden name, first pet). The design enables account takeover regardless of implementation quality.
Impact
Systemic, application-wide vulnerabilities that are expensive to remediate.
How to fix
Apply threat modeling during design. Use security design patterns. Define trust boundaries. Require security review before architectural decisions are finalized.
Security Misconfiguration
Missing or incorrect security configuration across any part of the stack — cloud, application server, framework, database, or custom code.
Real-world example
An AWS S3 bucket storing customer data has public read access enabled. Data is indexed by search engines within days.
Impact
Data exposure, unauthorized access, complete system compromise.
How to fix
Implement automated configuration management. Run CSPM tools. Remove default credentials. Disable unnecessary features. Keep everything patched.
Vulnerable and Outdated Components
Using software components (libraries, frameworks, OS packages) with known vulnerabilities.
Real-world example
The Equifax breach exposed 147 million records because Apache Struts (CVE-2017-5638) was left unpatched for two months after the fix was available.
Impact
Remote code execution, data breach, complete system takeover.
How to fix
Maintain a software bill of materials (SBOM). Monitor CVE databases. Use dependency scanning in CI/CD. Apply patches promptly.
Identification and Authentication Failures
Weaknesses in authentication and session management that let attackers compromise passwords, keys, or session tokens, or otherwise exploit implementation flaws to assume another user's identity.
Real-world example
An API uses predictable session tokens (sequential integers). An attacker iterates through token values to hijack active sessions.
Impact
Account takeover, identity theft, unauthorized data access.
How to fix
Enforce MFA. Use secure, random session tokens. Implement rate limiting on login attempts. Hash passwords with bcrypt/Argon2. Use established authentication frameworks.
Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations — including insecure CI/CD pipelines and auto-update mechanisms.
Real-world example
The SolarWinds attack compromised the build pipeline, injecting malware into signed software updates distributed to 18,000+ organizations.
Impact
Supply chain compromise, backdoor installation, widespread malware distribution.
How to fix
Sign artifacts. Verify integrity of dependencies. Secure your CI/CD pipeline. Implement code review requirements. Use SBOM and dependency scanning.
Security Logging and Monitoring Failures
Insufficient logging, monitoring, and alerting that allows attacks to go undetected and uncontained, and leaves no forensic evidence to investigate them afterwards.
Real-world example
The average time to identify a breach is 204 days (IBM 2023). Inadequate logging means attackers persist in environments for months, exfiltrating data continuously.
Impact
Extended attacker dwell time, inability to contain breaches, compliance failures.
How to fix
Log all authentication events, access control failures, and admin actions. Ship logs to a centralized SIEM. Create alerts for suspicious patterns. Test your detection capabilities.
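An added example, not part of the original article: two of the alerts recommended above, run over constructed log lines. The key=value log format, the thresholds and the one-minute window are assumptions; the rules are repeated login failures from one IP and repeated access-control denials for one user (the order-ID enumeration from the Broken Access Control section).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (key=value style), not from any real system.
SAMPLE_LOG = """\
2025-01-10T08:00:01Z auth result=fail user=alice ip=203.0.113.9
2025-01-10T08:00:03Z auth result=fail user=bob ip=203.0.113.9
2025-01-10T08:00:05Z auth result=fail user=carol ip=203.0.113.9
2025-01-10T08:00:06Z authz result=deny user=dave path=/orders/1233
2025-01-10T08:00:07Z auth result=fail user=dave ip=203.0.113.9
2025-01-10T08:00:09Z auth result=fail user=erin ip=203.0.113.9
2025-01-10T08:09:00Z authz result=deny user=dave path=/orders/1234
2025-01-10T08:09:20Z authz result=deny user=dave path=/orders/1235
2025-01-10T08:09:40Z authz result=deny user=dave path=/orders/1236
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth|authz) result=(?P<result>\w+) user=(?P<user>\S+)"
    r"(?: ip=(?P<ip>\S+))?(?: path=(?P<path>\S+))?$"
)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # a real pipeline would also count and alert on unparsed lines
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect(events, window=timedelta(minutes=1), fail_threshold=5, deny_threshold=3):
    """Sliding-window rules; each alert is (rule, key, time the threshold was crossed)."""
    alerts, buckets = [], defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e["result"] == "fail":
            key, threshold = ("auth_fail_ip", e["ip"]), fail_threshold
        elif e["event"] == "authz" and e["result"] == "deny":
            key, threshold = ("authz_deny_user", e["user"]), deny_threshold
        else:
            continue
        bucket = buckets[key]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:  # expire timestamps outside the window
            bucket.pop(0)
        if len(bucket) == threshold:  # fire once, when the threshold is crossed
            alerts.append((key[0], key[1], e["ts"]))
    return alerts
```

The 08:00:06 denial for dave expires before his later three, so only the burst of denials within one minute fires.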
Server-Side Request Forgery (SSRF)
The application fetches a remote resource specified by user-supplied input, allowing attackers to coerce the server to make requests to internal or external systems.
Real-world example
The Capital One breach (2019) used SSRF to access the AWS EC2 metadata endpoint (169.254.169.254), stealing IAM credentials that allowed access to 100 million records.
Impact
Internal network access, cloud metadata theft, credential compromise, remote code execution.
How to fix
Validate and sanitize all user-supplied URLs. Use an allowlist for remote resource fetching. Disable HTTP redirections where not needed. Segment internal networks.
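An added example, not from the original article, of the URL validation and allowlist recommended above. The allowlist hosts are constructed; the blocked ranges include the link-local block that contains the 169.254.169.254 metadata endpoint from the Capital One example, and the check also unwraps IPv4-mapped IPv6 literals so they cannot slip past it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}

# Ranges that must never be fetched; 169.254.0.0/16 covers the cloud
# metadata endpoint 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr):
    """True if the address literal falls in a blocked range. Raises ValueError
    when addr is not an IP literal at all."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:169.254.169.254 style
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_url(url):
    """Return (ok, reason). Scheme and userinfo checks first, then the IP
    literal check, then the hostname allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"  # http://allowed.host@other.host/
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        if is_blocked_address(host):
            return False, "address in blocked range"
        return False, "IP literals not allowed"
    except ValueError:
        pass  # a hostname, not an IP literal: fall through to the allowlist
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"
```

The allowlist is a string check only: the HTTP client must also resolve the name and re-run is_blocked_address on the address it actually connects to, and must re-validate any redirect target or have redirects disabled, as the fix above says.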
Scan your app for OWASP Top 10 vulnerabilities
Xentinel's DAST scans detect injection flaws, broken access control, misconfigurations, and more. Free scan, no signup.