OWASP Top 10: the most common web app flaws
A guide to the OWASP Top 10 for teams that want to understand real risks — from broken access control, through injection, to SSRF.
The OWASP Top 10 is the most recognisable ranking of web application risks — a considered list of what most often goes wrong. It isn’t a checklist to “tick off”, but a map of the areas that return the most findings in penetration tests. Here are the most important ones, without the jargon.
Broken access control — number one
At the head of the current list sits Broken Access Control. That’s no accident — the most common real problem isn’t an exotic exploit, but the absence of a check on whether a given user is allowed to do what they’re asking. Accessing someone else’s data by changing an identifier, calling an admin function by hand, bypassing client-side restrictions — these are everyday findings.
The defensive rule: authorise on the server, for every operation and every object, and deny by default. Knowing that the caller is logged in is not enough; the check has to confirm that this user may perform this action on this particular record. A hidden button or a greyed-out menu item in the UI is not a control, because the request can be sent without the UI.
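As an added example (not code from the article), here is the number-one finding in miniature: a handler that looks a record up by whatever identifier the client sent, next to a hardened version that routes every action through one deny-by-default policy. The users, invoices, role names and function names are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed roles for this example)


# Constructed sample data: invoice id -> owner and amount.
INVOICES = {
    101: {"owner": 1, "total": 40},
    102: {"owner": 2, "total": 99},
}


class Forbidden(Exception):
    """Raised when the central policy denies an action."""


def get_invoice_vulnerable(current: User, invoice_id: int) -> dict:
    # Typical IDOR: the record is fetched by the identifier from the URL.
    # The caller is authenticated, but nobody asks whether the invoice is theirs.
    return INVOICES[invoice_id]


def is_allowed(current: User, action: str, invoice_id: int) -> bool:
    """Central policy: True only for the cases explicitly listed here.

    Unknown actions and unknown records fall through to False, which is what
    "deny by default" looks like in code.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    if action == "read":
        return invoice["owner"] == current.id or current.role == "admin"
    if action == "delete":
        return current.role == "admin"
    return False


def get_invoice(current: User, invoice_id: int) -> dict:
    if not is_allowed(current, "read", invoice_id):
        # Same answer for "not yours" and "does not exist", so the id space
        # cannot be enumerated by comparing error messages.
        raise Forbidden("invoice not accessible")
    return INVOICES[invoice_id]


def delete_invoice(current: User, invoice_id: int) -> bool:
    # Admin-only operation. The check lives here, on the server, regardless of
    # whether the web UI ever showed this user a delete button.
    if not is_allowed(current, "delete", invoice_id):
        raise Forbidden("delete not permitted")
    del INVOICES[invoice_id]
    return True


def access_outcome(current: User, action: str, invoice_id: int) -> str:
    """Turn the raise/return pair into a string, handy for quick checks."""
    try:
        if action == "read":
            get_invoice(current, invoice_id)
        elif action == "delete":
            delete_invoice(current, invoice_id)
        else:
            raise Forbidden("unknown action")
        return "allowed"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    alice = User(1, "user")
    # Alice edits the id in the URL from 101 to 102. The unchecked handler
    # hands over Bob's invoice; the hardened one does not.
    print("vulnerable:", get_invoice_vulnerable(alice, 102))
    print("hardened:  ", access_outcome(alice, "read", 102))
```

The point of `is_allowed` is that there is exactly one place where the question "may this user do this to this object?" is answered, and every endpoint asks it; authorisation logic copied into each handler is where the gaps appear.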
Injection and cryptographic failures
- Injection (SQL, commands, LDAP…) — user data reaches an interpreter as part of a command, so a crafted value changes what the command does. The defence is parameterised queries (or the interpreter's equivalent safe API) and treating every input as untrusted.
- Cryptographic Failures — sensitive data sent or stored without encryption, weak or home-grown algorithms, passwords kept in plain text or under a fast unsalted hash. Encrypt in transit and at rest, store passwords with a slow, salted password hash (argon2, scrypt or bcrypt), and use proven libraries rather than your own constructions.
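An added example (not code from the article) that covers both bullets above: a login that stores passwords with salted scrypt, once with the username pasted into the SQL text and once parameterised. It also shows why proper hashing does not rescue the injectable version: the attacker uses a UNION to make the query return a hash they generated themselves. The table, the user "alice", the scrypt parameters and the storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Assumed cost parameters: about 16 MiB of memory per hash at n=2**14, r=8.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted password hash. Stored form: '<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single user (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hash_password("correct horse battery")),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username becomes part of the SQL text, so it can rewrite the query.
    sql = f"SELECT password_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row is not None and verify_password(password, row[0])


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised: the driver passes the value separately from the command,
    # so whatever the username contains, it is only ever compared as data.
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def union_payload(attacker_password: str) -> str:
    """Username that makes the vulnerable query return a hash of the attacker's choosing.

    The WHERE clause matches nobody, the UNION appends the attacker's own hash,
    and '--' comments out the closing quote. The attacker then logs in with
    the password behind that hash, which they of course know.
    """
    return f"nobody' UNION SELECT '{hash_password(attacker_password)}' --"


if __name__ == "__main__":
    conn = make_db()
    forged = union_payload("attacker-pw")
    print("safe, real password:     ", login_safe(conn, "alice", "correct horse battery"))
    print("vulnerable, forged login:", login_vulnerable(conn, forged, "attacker-pw"))
    print("safe, same payload:      ", login_safe(conn, forged, "attacker-pw"))
```

Note that the parameterised version does not "escape" anything; the value never enters the SQL grammar at all, which is why it holds up against payloads no escaping routine anticipated.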
XSS, SSRF and misconfiguration
- Cross-Site Scripting (XSS) — an injected script runs in the victim's browser with the victim's session. Contextual output encoding (HTML body, attribute, JavaScript and URL contexts each need their own encoding) and a Content Security Policy (CSP) defend against it.
- SSRF — the app fetches a URL supplied by the user and ends up querying internal resources (e.g. the cloud metadata endpoint, which sits in a link-local range). Restrict where the server is allowed to connect: an allowlist of hosts, no loopback, private or link-local addresses, and no blind following of redirects.
- Security Misconfiguration — default passwords, unnecessary services, verbose errors. It’s the same discipline we write about in our piece on cloud security.
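An added example for the SSRF bullet above (not code from the article): a check to run before the server fetches a user-supplied URL. It enforces the scheme, rejects IP literals (including the userinfo trick `https://api.example.com@169.254.169.254/`), applies a host allowlist, and then resolves the host and refuses anything that is not a public address, so an allowlisted name cannot point at 10.0.0.0/8 or 169.254.0.0/16. The allowlist, the sample addresses and the `static_resolver` stand-in for DNS are assumptions made so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}


def is_internal(ip) -> bool:
    """True for anything that is not a public, globally routable address:
    loopback, RFC 1918, link-local (169.254.0.0/16 includes cloud metadata),
    unspecified, multicast and the rest of the special-purpose ranges."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return not ip.is_global


def check_url(url: str, resolver: Callable = socket.getaddrinfo) -> Optional[str]:
    """Return a rejection reason, or None if the URL may be fetched."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme not https"
    host = parts.hostname  # lower-cased, brackets and userinfo removed
    if not host:
        return "no host"
    try:
        if parts.port not in (None, 443):
            return "unexpected port"
    except ValueError:
        return "malformed port"
    try:
        ipaddress.ip_address(host)
        return "IP literal not allowed"
    except ValueError:
        pass  # a hostname, as expected
    if host not in ALLOWED_HOSTS:
        return "host not in allowlist"
    # Resolve ourselves and check every answer: DNS for an allowlisted name
    # is not under our control and may point at an internal address.
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except OSError:
        return "cannot resolve host"
    for info in infos:
        addr = ipaddress.ip_address(info[4][0])
        if is_internal(addr):
            return f"{host} resolves to internal address {addr}"
    return None


def static_resolver(table: Dict[str, List[str]]) -> Callable:
    """Offline stand-in for socket.getaddrinfo, returning the same tuple shape."""

    def resolve(host, port, **kwargs):
        if host not in table:
            raise socket.gaierror(f"{host}: not in table")
        return [
            (socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in table[host]
        ]

    return resolve


if __name__ == "__main__":
    # Constructed answers: one public host, one allowlisted name pointing inside.
    dns = static_resolver({"api.example.com": ["93.184.216.34"],
                           "images.example.com": ["10.0.0.5"]})
    for u in ("https://api.example.com/v1/users",
              "https://images.example.com/logo.png",
              "https://api.example.com@169.254.169.254/latest/meta-data/",
              "http://api.example.com/"):
        print(u, "->", check_url(u, dns) or "ok")
```

Two caveats. The check resolves the name once and the HTTP client will resolve it again, which leaves a DNS rebinding window; close it by connecting to the address you checked (pin the IP in the client) rather than to the name. And the check must be applied to every redirect target, not just the first URL, or the allowlisted host can simply bounce the server to an internal one.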
How to use it in practice
The OWASP Top 10 works best not as a checklist, but as a common language between developers and security, and as a starting point for threat modelling. Woven into the development cycle (code review, testing, CI/CD gates) it lowers the cost of fixing — because the cheapest time to remove a flaw is before it reaches production. If you’d like to test your application against these risks, book a penetration test.
Sources and further reading: OWASP Top 10.