What is OWASP Top 10?
The OWASP Top 10 is a standard awareness document representing the most critical security risks to web applications. Understanding these isn't just for developers — as a penetration tester or blue team analyst, these are your primary hunting grounds.
A01 — Broken Access Control
What it is: Users can act outside their intended permissions. The most common finding in modern web apps.
Attack scenario:
GET /api/users/1/profile → returns your own profile ✓
GET /api/users/2/profile → returns another user's data ✗ (IDOR)
Detection (Blue Team): Look for sequential ID enumeration in access logs. Unexpected 200 responses for cross-user resource requests.
A02 — Cryptographic Failures
Sensitive data exposed due to weak or missing encryption. MD5 password hashes, HTTP instead of HTTPS, hardcoded API keys.
Red Team tip: Check robots.txt, JS source files, and git history for exposed secrets.
A03 — Injection
SQL, OS command, LDAP injection. Still #3 after decades.
-- Classic login bypass
SELECT * FROM users WHERE username='admin'--' AND password='anything'
Tools: sqlmap, ghauri, manual Burp Suite testing.
A04 — Insecure Design
Security was never considered during design. No threat modelling, no security requirements. This is an architectural problem — you can't patch your way out of it.
A05 — Security Misconfiguration
Default credentials, unnecessary features enabled, verbose error messages, missing security headers.
# Check security headers
curl -I https://target.com | grep -i "x-frame|content-security|strict-transport"
A06 — Vulnerable and Outdated Components
Using libraries with known CVEs. Check your dependencies.
npm audit
pip-audit
A07 — Identification and Authentication Failures
Weak passwords, missing MFA, broken session management, credential stuffing.
A08 — Software and Data Integrity Failures
Unsigned updates, insecure deserialization, CI/CD pipeline attacks (supply chain).
A09 — Security Logging and Monitoring Failures
If you can't detect it, you can't respond to it. Most breaches go undetected for 200+ days.
Blue Team checklist:
A10 — Server-Side Request Forgery (SSRF)
The application fetches a remote resource without validating the URL.
https://target.com/fetch?url=http://169.254.169.254/latest/meta-data/
→ AWS metadata service exposed
Takeaway
The OWASP Top 10 is a map. As a security specialist, your job is to know it from both sides — find these in the wild, and build detections that catch them. Neither red nor blue is complete without the other.