OWASP Top 10 2024: Complete Web Security Vulnerabilities Guide

Key Takeaways

OWASP Top 10 is the industry standard for web security risks
Broken Access Control is now #1 (moved from #5)
New categories: Insecure Design and SSRF
Each vulnerability requires defense-in-depth approach

The OWASP Top 10

A01: Broken Access Control A02: Cryptographic Failures A03: Injection A04: Insecure Design A05: Security Misconfiguration A06: Vulnerable Components A07: Auth Failures A08: Software Integrity Failures A09: Logging Failures A10: SSRF

The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. Updated every 3-4 years based on real-world data, it guides security teams, developers, and auditors worldwide.

Broken Access Control

CRITICAL

Failures to properly enforce what authenticated users can do. Users can act outside their intended permissions, accessing other users' data or admin functionality.

Common Vulnerabilities:

IDOR: /api/users/123 → Change to /api/users/456 to access others
Forced browsing: Access /admin without admin role
Privilege escalation: Modify role in JWT/cookie
CORS misconfiguration: Allowing arbitrary origins

// IDOR - Insecure Direct Object Reference
GET /api/orders/12345  // Attacker changes to 12346

// Fix: Verify ownership
app.get('/api/orders/:id', (req, res) => {
  const order = getOrder(req.params.id);
  if (order.userId !== req.user.id) {
    return res.status(403).json({error: 'Forbidden'});
  }
  res.json(order);
});

Prevention

Deny access by default, implement access control centrally
Use UUIDs instead of sequential IDs
Verify ownership on every request
Disable directory listing, remove metadata files

Cryptographic Failures

CRITICAL

Failures related to cryptography that lead to exposure of sensitive data. Previously called "Sensitive Data Exposure."

Transmitting data in cleartext (HTTP, FTP, SMTP)
Using deprecated algorithms (MD5, SHA1, DES)
Weak or hard-coded encryption keys
Not enforcing encryption (missing TLS)
Storing passwords with unsalted/weak hashes

// BAD: MD5 for passwords
$hash = md5($password);

// GOOD: bcrypt with proper cost
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// GOOD: Argon2id (preferred)
$hash = password_hash($password, PASSWORD_ARGON2ID);

Prevention

Classify data, apply controls by sensitivity
Encrypt all data in transit (TLS 1.2+) and at rest
Use bcrypt/Argon2id for passwords
Use authenticated encryption (AES-GCM)

Injection

CRITICAL

User-supplied data is sent to an interpreter as part of a command or query. Includes SQL, NoSQL, OS command, LDAP, and XSS injection.

// SQL Injection
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
// Attack: ?id=1 OR 1=1

// Prevention: Parameterized queries
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET['id']]);

// Command Injection
system("ping " . $_GET['host']);
// Attack: ?host=127.0.0.1; rm -rf /

// Prevention: Whitelist validation
if (!filter_var($_GET['host'], FILTER_VALIDATE_IP)) die("Invalid");

Prevention

Use parameterized queries / prepared statements
Use ORMs (with caution for raw queries)
Validate and sanitize all input
Escape output based on context

Insecure Design

HIGH

New in 2021. Flaws in the design/architecture that cannot be fixed by proper implementation. Represents missing or ineffective security controls.

No rate limiting on sensitive operations
Password reset via security questions (guessable)
Unlimited file uploads without validation
No account lockout mechanism

Prevention

Threat modeling during design phase
Security requirements in user stories
Secure design patterns and reference architectures
Security unit and integration tests

Security Misconfiguration

HIGH

Missing security hardening, unnecessary features enabled, default credentials, verbose error messages, outdated settings.

// Common misconfigurations:
- Debug mode enabled in production
- Default admin:admin credentials
- Unnecessary HTTP methods (TRACE, PUT)
- Directory listing enabled
- Verbose error messages exposing stack traces
- Missing security headers (CSP, X-Frame-Options)
- Cloud storage buckets set to public

Prevention

Repeatable hardening process, automated
Remove unused features, frameworks, dependencies
Review cloud permissions (S3, Azure Blob)
Security headers: CSP, HSTS, X-Content-Type-Options

Vulnerable & Outdated Components

HIGH

Using libraries, frameworks, or other software modules with known vulnerabilities. Log4Shell (CVE-2021-44228) is a prime example.

# Check for vulnerabilities
npm audit
pip-audit
mvn dependency-check:check

# Keep dependencies updated
npm update
pip install --upgrade package
dependabot / renovate (automated)

Prevention

Maintain inventory of all components and versions
Subscribe to security bulletins (NVD, vendor alerts)
Use SCA tools (Snyk, Dependabot, OWASP Dependency-Check)
Only obtain components from official sources

Identification & Authentication Failures

HIGH

Weaknesses in authentication mechanisms: session management, credential stuffing, brute force, weak passwords.

Permits brute force attacks
Allows weak passwords ("password123")
Session IDs in URLs
Doesn't invalidate sessions on logout
Missing MFA on sensitive operations

Prevention

Implement MFA (TOTP, WebAuthn, hardware keys)
Block common passwords (check against breached lists)
Rate limit login attempts
Use secure session management (HttpOnly, Secure, SameSite)

Software & Data Integrity Failures

HIGH

New in 2021. Code and infrastructure that doesn't protect against integrity violations: insecure CI/CD, auto-update without verification, insecure deserialization.

// Insecure deserialization example (Java)
ObjectInputStream ois = new ObjectInputStream(userInput);
Object obj = ois.readObject(); // RCE if malicious payload!

// SolarWinds-style attack: compromised build pipeline
// CI/CD must be secured like production!

Prevention

Verify digital signatures on software/updates
Use SRI (Subresource Integrity) for CDN resources
Secure CI/CD pipeline (code review, signing)
Avoid deserializing untrusted data

Security Logging & Monitoring Failures

MEDIUM

Insufficient logging, detection, monitoring, and active response. Most breaches are detected by external parties, not internal monitoring.

Logins, failures, high-value transactions not logged
Logs only stored locally
No alerting thresholds or escalation
Penetration testing doesn't trigger alerts

Prevention

Log all auth, access control, server-side validation failures
Use centralized log management (SIEM)
Establish incident response and recovery plans
Ensure logs have integrity (append-only, tamper-evident)

Server-Side Request Forgery (SSRF)

HIGH

New in 2021. Application fetches a remote resource without validating user-supplied URL, allowing attackers to access internal services.

// Vulnerable code
$url = $_GET['url'];
$content = file_get_contents($url);

// Attack: ?url=http://169.254.169.254/latest/meta-data/ (AWS)
// Attack: ?url=http://localhost:6379/ (internal Redis)
// Attack: ?url=file:///etc/passwd

// Prevention: Allowlist URLs
$allowed = ['api.example.com', 'cdn.example.com'];
$host = parse_url($url, PHP_URL_HOST);
if (!in_array($host, $allowed)) die("Blocked");

Prevention

Allowlist permitted URLs/domains
Disable unused URL schemes (file://, gopher://)
Block requests to private IP ranges
Network segmentation for internal services

FAQ

How often is OWASP Top 10 updated?

Every 3-4 years based on real-world data from security firms, bug bounties, and CVE databases. Last major update: 2021.

Is the OWASP Top 10 enough for compliance?

It's a starting point, not a comprehensive security program. PCI DSS, SOC 2, and other standards require much more. Use OWASP ASVS for detailed requirements.

Where can I practice these vulnerabilities?

OWASP WebGoat, DVWA, PortSwigger Web Security Academy, HackTheBox, TryHackMe. All provide legal, safe environments.

Deep Dive into Each Vulnerability:
SQL Injection XSS Attacks SSRF Guide