
OWASP Top Ten Web Application Security Risks

This section details the OWASP Top Ten Web Application Security Risks. [1]



Summary

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications, updated periodically by the Open Worldwide Application Security Project (OWASP) community.

Focus Areas

The framework groups vulnerabilities into broad categories so that it captures overarching trends rather than individual bug classes. In the 2021 edition, the list shifted towards root-cause categories:

  1. A01: Broken Access Control: Failures in enforcing user permissions and restrictions.
  2. A02: Cryptographic Failures: Inadequate protection of sensitive data in transit and at rest.
  3. A03: Injection: Flaws where untrusted data is sent to an interpreter as part of a command.
  4. A04: Insecure Design: Risks related to architectural and design flaws rather than implementation defects.
  5. A05: Security Misconfiguration: Insecure default settings, open cloud storage, or misconfigured HTTP headers.
  6. A06: Vulnerable and Outdated Components: Use of libraries, frameworks, or other components that have known vulnerabilities, are unsupported, or are not kept up to date.
  7. A07: Identification and Authentication Failures: Weaknesses allowing attackers to compromise passwords or session tokens.
  8. A08: Software and Data Integrity Failures: Code and infrastructure that trusts software updates, critical data, or CI/CD pipeline artifacts without verifying their integrity.
  9. A09: Security Logging and Monitoring Failures: The inability to detect or respond to an active breach.
  10. A10: Server-Side Request Forgery (SSRF): Flaws occurring when a web application fetches a remote resource without validating the user-supplied URL.
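As an added example for A10 (this is not code from OWASP or from this page), the following Python shows the check a practitioner would put in front of any server-side fetch of a user-supplied URL: restrict the scheme, reject literal IP addresses and embedded credentials, require the host to be on an allowlist, and then verify that every address the host resolves to is publicly routable, which blocks loopback, RFC 1918 ranges, and the link-local 169.254.169.254 cloud metadata endpoint. The allowlist hosts and the resolver injection are assumptions made for this example; the resolver is swapped out so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service is permitted to fetch from (assumption).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses. Rejects loopback, RFC 1918,
    link-local (including 169.254.169.254), IPv6 ULA/link-local, and multicast."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def default_resolve(host: str) -> list:
    """Real DNS resolution; replaced by a fake resolver in offline use."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolve=default_resolve) -> tuple:
    """Return (ok, reason). Accepts only http(s) URLs whose host is on the allowlist
    and whose resolved addresses are all public. `resolve` is injectable (assumption)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # already lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    # userinfo tricks such as http://api.example.com@169.254.169.254/ put the real
    # target after the '@'; refuse any URL that carries credentials at all.
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL"
    # Literal IP addresses bypass the name-based allowlist entirely.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed"
    except ValueError:
        pass
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    # An allowlisted name can still be pointed at an internal address (DNS
    # rebinding, compromised zone), so every resolved address is checked.
    for ip in addrs:
        if not is_public_ip(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver for offline demonstration (assumption).
    fake = {"api.example.com": ["93.184.216.34"], "cdn.example.com": ["10.0.0.5"]}
    for u in ["https://api.example.com/v1/items",
              "http://169.254.169.254/latest/meta-data/",
              "http://api.example.com@169.254.169.254/",
              "https://cdn.example.com/asset.js",
              "file:///etc/passwd"]:
        print(u, validate_fetch_url(u, resolve=lambda h: fake[h]))
```

Two caveats a practitioner should keep in mind: the check resolves the name once, and the HTTP client resolves it again when it connects, so either pin the validated address when opening the connection or run this validation inside the client's connection hook; and redirects must be disabled or each hop re-validated, since a permitted host can 302 to an internal one.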



Critique

The standard OWASP Top 10 remains essential because every web-based LLM application or agentic interface is, ultimately, still a web application. However, it does not account for the probabilistic and non-deterministic nature of GenAI. Injection (A03) conceptually overlaps with prompt injection, but the traditional mitigations for SQLi or XSS (parameterization, strict escaping) work only because the interpreter has a grammar that separates code from data: a bound parameter can never be parsed as SQL, and an escaped character can never be parsed as markup. A natural-language LLM interface has no such grammar; instructions and data arrive in the same token stream, so there is nothing to parameterize or escape, and these mitigations are structurally incompatible with it.



References

[1] "OWASP Top Ten Web Application Security Risks", OWASP Foundation. https://owasp.org/www-project-top-ten/.