Key Takeaways
- What is it? A list of the 10 most critical web application security risks, updated every few years by security experts.
- #1 Threat: "Broken Access Control" is currently the number one vulnerability. It means users can act outside their intended permissions, for example as admins.
- Why it matters: If you are a developer, you MUST know this list to write secure code.
If you don't know the top 10 ways your application will be hacked, you cannot defend it.
The List (Latest Version)
1. Broken Access Control
A user changes the URL from `app.com/user/123` to `app.com/admin` and suddenly has admin rights. This is a failure to enforce permissions.
2. Cryptographic Failures
Previously known as "Sensitive Data Exposure." Storing passwords in plain text, using weak algorithms (MD5), or transmitting credit card numbers over HTTP.
3. Injection (SQLi, XSS)
Untrusted data is sent to an interpreter as part of a command or query. The attacker tricks the interpreter into executing unintended commands. "SQL Injection" is the classic example.
4. Insecure Design
A new category. It covers flaws in the design or architecture itself, not in the code: no amount of coding fixes can solve a flaw in the logic (e.g., using "security questions" like "Mother's maiden name" for password recovery).
5. Security Misconfiguration
Leaving default passwords enabled (`admin/admin`), open cloud storage, or verbose error messages that reveal stack traces.
6. Vulnerable and Outdated Components
Using a library (like Log4j) that has a known vulnerability. You must update your dependencies.
7. Identification and Authentication Failures
Formerly "Broken Authentication." Allowing brute force attacks, weak passwords ("password123"), or not invalidating session IDs on logout.
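The Broken Access Control example from item 1 (changing `/user/123` to `/admin`, or to another user's id) comes down to a server-side check that is missing. The following added example, not from the original page or any framework, shows a minimal request dispatcher with the missing check beside the enforced one; `User`, `vulnerable_dispatch` and `secure_dispatch` are constructed names for illustration.

```python
# Added example: Broken Access Control (OWASP #1) and its fix.
# The User class and both dispatchers are constructed for illustration;
# they stand in for a web framework's session and routing layer.
from dataclasses import dataclass


@dataclass
class User:
    user_id: int
    role: str  # constructed values: "user" or "admin"


def _target_id(path: str):
    """Return the numeric id at the end of /user/<id>, or None if malformed."""
    try:
        return int(path.rsplit("/", 1)[-1])
    except ValueError:
        return None


def vulnerable_dispatch(user: User, path: str) -> str:
    """Checks only that a caller is logged in, never what they may do."""
    if path.startswith("/admin"):
        return "ADMIN PANEL"          # any authenticated user reaches this
    if path.startswith("/user/"):
        target = _target_id(path)
        if target is None:
            return "404"
        return f"profile {target}"    # any user can read any profile (IDOR)
    return "404"


def secure_dispatch(user: User, path: str) -> str:
    """Deny by default; enforce role and record ownership on every request."""
    if path.startswith("/admin"):
        if user.role != "admin":
            return "403"              # role check done server-side
        return "ADMIN PANEL"
    if path.startswith("/user/"):
        target = _target_id(path)
        if target is None:
            return "404"
        if target != user.user_id and user.role != "admin":
            return "403"              # ownership check blocks id tampering
        return f"profile {target}"
    return "404"
```

The fix is the same in any framework: the permission decision is made on the server for every request, and the URL a client chooses to send is never trusted as proof of authorization.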