Top 10 (2021)
The 10 most critical web application security risks.
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data. CWE-22, CWE-284, CWE-285, CWE-639.
Cryptographic Failures
Failures related to cryptography (or its absence) often lead to exposure of sensitive data. Examples include hardcoded keys, weak algorithms, and missing TLS. CWE-259, CWE-327, CWE-331.
Injection
User-supplied data is not validated, filtered, or sanitized by the application. Examples include SQL, NoSQL, OS command, and LDAP injection. CWE-79, CWE-89, CWE-73.
Insecure Design
Risks arising from design flaws and missing or ineffective control design; addressed through threat modeling and secure design patterns. CWE-209, CWE-256, CWE-501.
Security Misconfiguration
Missing appropriate security hardening, improperly configured permissions, or unnecessary features left enabled. CWE-16, CWE-611.
Vulnerable and Outdated Components
Using components (libraries, frameworks, modules) with known vulnerabilities. CWE-1104.
Identification and Authentication Failures
Confirmation of user identity, authentication, and session management is critical. CWE-287, CWE-384, CWE-521.
Software and Data Integrity Failures
Code and infrastructure that do not protect against integrity violations, e.g., insecure CI/CD pipelines or unsigned updates. CWE-502, CWE-829.
Security Logging and Monitoring Failures
Insufficient logging, detection, monitoring, and active response. CWE-778.
Server-Side Request Forgery (SSRF)
The application fetches a remote resource without validating the user-supplied URL. CWE-918.