OWASP Top 10 Vulnerabilities: Complete Guide with Examples

The OWASP Top 10 is a regularly updated list of the most critical security risks facing web applications. These vulnerabilities account for the majority of real-world exploits and data breaches. Understanding each one—and how to prevent it—is essential for every developer and security professional.

1. Broken Access Control

Broken access control occurs when users can act outside their intended permissions. This is the #1 vulnerability in the 2021 OWASP Top 10, appearing in 94% of tested applications.

// VULNERABLE CODE: any authenticated (or even unauthenticated) caller can read any user's
// record simply by changing the :id in the URL; nothing ties the caller to the record
app.get('/api/user/:id/details', async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);
});

// SECURE CODE: require an authenticated subject (req.user is set by the authentication
// middleware) and allow the request only when that subject owns the requested record
app.get('/api/user/:id/details', async (req, res) => {
  if (!req.user) {
    return res.status(401).json({ error: 'Unauthorized' });
  }
  // compare as strings: req.params.id is always a string, req.user.id may be a number or ObjectId
  if (String(req.user.id) !== req.params.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id); // findById returns a promise
  if (!user) {
    return res.status(404).json({ error: 'Not found' });
  }
  res.json(user);
});

2. Cryptographic Failures

Use HTTPS/TLS for all data in transit. For data at rest, use bcrypt, Argon2, or scrypt for passwords. Use AES-256 for sensitive data encryption.

3. Injection

Always use parameterized queries to prevent SQL injection:

// SECURE CODE: the driver binds user input as parameters, so it is never spliced into the SQL text
const query = 'SELECT id, password_hash FROM users WHERE username = ?';
db.query(query, [username], (err, results) => {
  if (err) return res.status(500).json({ error: 'Lookup failed' });
  // verify the submitted password against results[0].password_hash with bcrypt (see section 2);
  // never compare passwords inside the query, which would require storing them in plaintext
});

4. Security Misconfiguration

Use infrastructure-as-code and automated security scanning. Apply the principle of least privilege. Implement security headers:

res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');

5. Vulnerable and Outdated Components

Use tools like OWASP Dependency-Check, Snyk, or npm audit to identify vulnerable dependencies. Automate patching where possible.

6. Logging and Monitoring Failures

Log all authentication attempts, authorization failures, and access to sensitive data. Use centralized logging (ELK stack, Splunk, CloudWatch). Set up alerts for suspicious patterns.

7. Server-Side Request Forgery (SSRF)

Validate every outbound URL against an allowlist of permitted hosts rather than a blocklist of forbidden ones, and block requests that would reach private, loopback or link-local IP ranges.