
OWASP Top 10

2021 Edition · Web Application Security Risks · Quick Reference

🔓 A01 · Broken Access Control

#1 risk. Restrictions on authenticated users not properly enforced. Users act outside intended permissions — view others' data, access admin functions.

IDOR Example

GET /api/users/1234/orders ← change to 1235
✓ Enforce: user.id == resource.owner_id

  • Deny by default
  • Server-side auth checks
  • JWT validation
  • Rate limit API
  • Log failures
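The ownership check from the IDOR example, as an added example that is not part of the cheatsheet: a deny-by-default handler for the orders endpoint in which the id taken from the URL is compared against the authenticated identity, and every denial is recorded. The `User`, `ORDERS` store, `DENIALS` audit sink and `Forbidden` exception are constructed for this demo.

```python
# Added example, not from the cheatsheet: deny-by-default ownership check for
# the IDOR pattern above. Users, orders and the audit sink are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, List


@dataclass(frozen=True)
class User:
    id: int
    roles: FrozenSet[str] = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to; the web layer maps it to 403."""


# Constructed sample store: order_id -> order record with its owner
ORDERS = {
    9001: {"owner_id": 1234, "total": 42.00},
    9002: {"owner_id": 1235, "total": 17.50},
    9003: {"owner_id": 1234, "total": 99.99},
}

# Constructed audit sink: access-control failures are logged ("Log failures")
DENIALS: List[dict] = []


def _deny(user: User, action: str, target) -> Forbidden:
    """Record the failed access attempt and hand back the exception to raise."""
    DENIALS.append({"user_id": user.id, "action": action, "target": target})
    return Forbidden(f"{action} {target}")


def can_act_for(user: User, owner_id: int) -> bool:
    """The single authorization rule: only the record owner, or a support
    agent, may act on it. Everything else falls through to the deny branch."""
    return user.id == owner_id or "support" in user.roles


def list_orders(current_user: User, path_user_id: int) -> List[int]:
    """Handler for GET /api/users/<path_user_id>/orders. The id in the path is
    attacker-controlled, so it is checked against the authenticated identity
    before any data is read; the check lives on the server, never in the client."""
    if not can_act_for(current_user, path_user_id):
        raise _deny(current_user, "list_orders", path_user_id)
    return sorted(oid for oid, o in ORDERS.items() if o["owner_id"] == path_user_id)


def get_order(current_user: User, order_id: int) -> dict:
    """Handler for GET /api/orders/<order_id>. Unknown ids and other users' ids
    get the same Forbidden response, so the endpoint does not confirm which
    ids exist (that difference would turn it into an enumeration oracle)."""
    order = ORDERS.get(order_id)
    if order is None or not can_act_for(current_user, order["owner_id"]):
        raise _deny(current_user, "get_order", order_id)
    return order


if __name__ == "__main__":
    alice = User(1234)
    print("own orders:", list_orders(alice, 1234))
    try:
        list_orders(alice, 1235)  # tampered path id: denied and logged
    except Forbidden as exc:
        print("denied:", exc, "| audit:", DENIALS[-1])
```

The rule is deliberately a single function: a handler that forgets to call `can_act_for` is the bug to hunt for in review, and the audit records give the SIEM something to alert on when one client starts tripping denials across many ids.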
🔐 A02 · Cryptographic Failures

Formerly "Sensitive Data Exposure." Weak or missing encryption exposes passwords, PII, financial data in transit or at rest.

Anti-patterns

MD5/SHA1 for passwords ← broken
HTTP transmitting sensitive forms
✓ bcrypt/Argon2 · TLS 1.2+ · AES-GCM

  • TLS everywhere
  • Argon2/bcrypt
  • Encrypt at rest
  • No secrets in code
  • HSTS headers
💉 A03 · Injection

User-supplied data sent to an interpreter as part of a command or query. Includes SQL, NoSQL, OS command, LDAP, XSS injection.

Classic SQLi

' OR '1'='1 → dumps entire table
✓ Parameterized: WHERE id = ?

  • Parameterized queries
  • ORM / prepared stmts
  • Input validation
  • Escape output
  • WAF rules
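The classic SQLi above run against an in-memory SQLite table, as an added example that is not part of the cheatsheet: the same lookup written first with string concatenation and then with input validation plus a bound parameter. The `users` table and its two rows are constructed.

```python
# Added example, not from the cheatsheet: the tautology payload against a
# concatenated query and against a parameterized one. Table data is constructed.
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


def find_name_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Vulnerable: the request value is spliced into the SQL text, so the engine
    parses attacker-supplied quote characters as part of the query itself."""
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def find_name_safe(conn: sqlite3.Connection, user_id: str) -> List[str]:
    """Hardened: validate the shape of the input, then bind it as a parameter.
    The value travels to the engine separately from the SQL text and is never
    parsed as SQL, whatever characters it contains."""
    if not user_id.isdigit():
        return []  # an id is a non-negative integer; anything else is rejected
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_name_vulnerable(db, payload))  # every row comes back
    print("safe:      ", find_name_safe(db, payload))        # nothing matches
```

Validation and parameterization are independent layers: the parameter binding is what stops the injection, and the `isdigit` check additionally keeps obviously malformed ids out of the query log and the error path.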
🏗️ A04 · Insecure Design

New in 2021. Missing or ineffective security controls by design — not implementation bugs. No amount of patching fixes a broken design.

Design Failure Examples

  • Credential recovery via "what's your pet's name?"
  • No rate limiting on login = credential stuffing trivial
  • Business logic allows negative quantities in checkout
  • PII stored when anonymous IDs would suffice

Secure Design Practices

  • Threat modeling
  • Security user stories
  • STRIDE analysis
  • Abuse case testing
  • Architecture review
  • Data minimisation

Framework

Design → Threat Model → Review → Implement → Verify → Monitor
⚙️ A05 · Security Misconfiguration

90% of apps tested had misconfiguration. Default creds, verbose errors, unnecessary features, cloud storage public ACLs, missing security headers.

Default creds left on: admin/admin
Stack traces in prod: leaks internals
S3 bucket public: data exposure
CORS: Access-Control-Allow-Origin: *: XSS vector

  • Hardening runbooks
  • IaC security scanning
  • CIS Benchmarks
  • Remove defaults
  • Security headers
📦 A06 · Vulnerable Components

Libraries, frameworks, OS components with known CVEs. Log4Shell, Equifax breach (Apache Struts), Heartbleed — all component vulns.

No SBOM / inventory: blind spot
Unused dependencies: attack surface
No auto-update policy: drift risk

  • SCA tools (Snyk/Trivy)
  • SBOM generation
  • Dependabot/Renovate
  • CVE monitoring
  • Remove unused deps
🔑 A07 · Auth Failures

Weaknesses in auth and session management. Credential stuffing, brute force, weak passwords, exposed session IDs, broken logout.

Session Hijack

JSESSIONID in URL → logged, stolen
✓ HttpOnly Secure cookies · short TTL

  • MFA enforcement
  • Brute-force lockout
  • Strong password policy
  • Secure session IDs
  • Invalidate on logout
🔗 A08 · Software & Data Integrity

Code and infrastructure without integrity verification. Insecure deserialization, CI/CD pipeline compromise, auto-updates without signature checks. SolarWinds is a real-world example.

Insecure deserialization: RCE possible
Unsigned CI/CD artifacts: supply chain
CDN without SRI: script injection

  • Sign artifacts (Sigstore)
  • SRI for CDN scripts
  • Trusted registries
  • Avoid pickle/Java serial
  • SLSA framework
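Subresource Integrity for CDN scripts, as an added example that is not part of the cheatsheet: computing the `integrity` value for a script and checking served bytes against it the way a browser does (several values may be listed; the strongest listed algorithm decides). The script bytes are constructed; the `sha<n>-<base64 digest>` format is the one the SRI specification defines.

```python
# Added example, not from the cheatsheet: generate and verify SRI integrity
# values for a script pulled from a CDN. The script content is constructed.
import base64
import hashlib
from typing import List, Tuple

# Ordered weakest to strongest; browsers ignore algorithms outside this set.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token for `content`, e.g. 'sha384-<base64>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> List[Tuple[str, str]]:
    """Split a space-separated integrity attribute into (algorithm, base64)
    pairs, dropping tokens with unknown algorithms as browsers do."""
    pairs = []
    for token in attr.split():
        alg, sep, b64 = token.partition("-")
        if sep and alg in SRI_ALGORITHMS:
            pairs.append((alg, b64))
    return pairs


def verify_sri(content: bytes, attr: str) -> bool:
    """Accept the resource only if it matches one of the digests listed for the
    strongest algorithm present. An empty or unusable attribute fails closed:
    a missing check is exactly the gap a tampered CDN file exploits."""
    pairs = parse_integrity(attr)
    if not pairs:
        return False
    strongest = max(pairs, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    return any(
        sri_hash(content, alg) == f"{alg}-{b64}"
        for alg, b64 in pairs
        if alg == strongest
    )


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag to embed: integrity pins the bytes, crossorigin makes the
    browser enforce the check on a cross-origin CDN response."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    script = b"console.log('hello from the CDN');\n"  # constructed
    print(script_tag("https://cdn.example/app.js", script))
    print("intact:   ", verify_sri(script, sri_hash(script)))
    print("tampered: ", verify_sri(script + b"//x", sri_hash(script)))
```

The value goes into the build step that generates the HTML, so a CDN file that changes after release (the "script injection" row above) stops loading instead of silently running.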
📋 A09 · Logging & Monitoring Failures

Without logging and monitoring, breaches cannot be detected. Average time to detect a breach: 207 days (IBM 2023).

What to Log

  • All login attempts (success + failure)
  • Access control failures & exceptions
  • Admin actions & privilege escalations
  • High-value transaction events

  • Centralised SIEM
  • Alert on anomalies
  • Structured log format
  • Log integrity
  • Incident response plan
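Detection logic over the events the list above says to log, as an added example that is not part of the cheatsheet: a sliding-window check that flags a source address with a burst of failed logins, then surfaces any successful login or admin action from the same address. The structured (JSON lines) sample log, its addresses, users and the 5-in-5-minutes threshold are all constructed.

```python
# Added example, not from the cheatsheet: brute-force / credential-stuffing
# detection over constructed JSON-lines auth events.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one JSON object per line, UTC timestamps
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01+00:00", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:00:04+00:00", "event": "login", "outcome": "failure", "user": "alice", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:00:09+00:00", "event": "login", "outcome": "failure", "user": "bob", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:00:15+00:00", "event": "login", "outcome": "failure", "user": "carol", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:00:22+00:00", "event": "login", "outcome": "failure", "user": "dave", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:00:30+00:00", "event": "login", "outcome": "success", "user": "dave", "src_ip": "198.51.100.23"}
{"ts": "2024-03-01T10:01:00+00:00", "event": "login", "outcome": "failure", "user": "erin", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T10:02:00+00:00", "event": "login", "outcome": "success", "user": "erin", "src_ip": "203.0.113.5"}
{"ts": "2024-03-01T10:03:00+00:00", "event": "admin_action", "outcome": "success", "user": "dave", "src_ip": "198.51.100.23", "detail": "role_change"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines into events sorted by timestamp (structured logs make
    this a one-liner; free-text logs need a regex per format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Flag each source IP that reaches `threshold` failed logins inside one
    sliding window. Returns src_ip -> peak failures seen in a single window.
    Counting per source rather than per account catches password spraying,
    where every account sees only one failure."""
    recent: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for ev in events:
        if ev["event"] != "login" or ev["outcome"] != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["src_ip"]] = max(peaks.get(ev["src_ip"], 0), len(q))
    return peaks


def successes_from_burst_sources(events: List[dict], bursts: Dict[str, int]) -> List[dict]:
    """The high-priority alert: a successful login or admin action from an
    address that was bursting means the spray may have landed."""
    return [ev for ev in events if ev["src_ip"] in bursts and ev["outcome"] == "success"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = detect_login_bursts(evs)
    print("bursting sources:", bursts)
    for hit in successes_from_burst_sources(evs, bursts):
        print("ALERT", hit["ts"].isoformat(), hit["src_ip"], hit["event"], hit["user"])
```

The same two functions run unchanged inside a SIEM rule or a cron job over the day's exports; what matters is that login failures and admin actions are emitted in a parseable shape with a source address, which is the "Structured log format" item above.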
🌐 A10 · Server-Side Request Forgery

App fetches a remote resource from attacker-supplied URL without validation. Can reach internal services, cloud metadata APIs, or bypass firewalls.

AWS Metadata Exfil

url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
✓ Block 169.254.x.x at egress · IMDSv2

  • Allowlist valid domains
  • Block metadata IPs
  • Disable URL redirects
  • Egress firewall rules
  • IMDSv2 on AWS
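The allowlist and metadata-IP checks from the list above applied to a user-supplied URL before the app fetches it, as an added example that is not part of the cheatsheet. The allowed hostnames and the stand-in DNS answers are constructed; the blocked ranges are the standard loopback, private, link-local (which contains 169.254.169.254), multicast and reserved networks, and IPv4-mapped IPv6 addresses are unwrapped so `::ffff:169.254.169.254` cannot slip past. A real deployment also resolves once, connects to that exact address, and refuses to follow redirects, otherwise a rebinding or a 302 undoes the check.

```python
# Added example, not from the cheatsheet: validate an outbound fetch URL with a
# host allowlist and a resolved-address blocklist. Hosts and DNS answers are
# constructed; the check must be followed by connecting to the validated address.
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "images.example"}  # constructed allowlist

# Constructed resolver standing in for DNS (documentation addresses only)
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "api.partner.example": ["203.0.113.10"],
    "images.example": ["198.51.100.7", "2001:db8::7"],
}

# Address ranges an outbound fetch must never reach. 169.254.0.0/16 is the
# link-local range that hosts the cloud metadata endpoint.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def is_blocked_address(addr: str) -> bool:
    """True for any address inside the blocked ranges. IPv4-mapped IPv6
    addresses are unwrapped first so ::ffff:169.254.169.254 is judged as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def validate_fetch_url(url: str,
                       resolver: Callable[[str], List[str]] = resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). Every branch that is not the allowlisted,
    cleanly-resolving case is a rejection: deny by default."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"  # file:, gopher:, dict: and friends
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"  # http://allowed.host@other.host/ trick
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"  # literal IPs never match the allowlist
    addrs = resolver(host)
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:  # every answer, not just the first, must be clean
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/items",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "file:///etc/passwd",
        "http://api.partner.example@internal.example/",
    ):
        print(candidate, "->", validate_fetch_url(candidate))
```

The `resolver` parameter exists so the rebinding case can be exercised: an allowlisted name that later answers with a link-local address is rejected at the address check, which is the layer the egress firewall rule in the list above backs up at the network level.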
📊 Risk Overview

Exploitability vs Impact Score

  A01 Access Control     9.5
  A02 Cryptographic      9
  A03 Injection          8.8
  A04 Insecure Design    8.2
  A05 Misconfiguration   7.8
  A06 Vuln Components    7.5
  A07 Auth Failures      7.3
  A08 Data Integrity     7
  A09 Logging            6
  A10 SSRF               5.8

Key Statistics

  94%    apps tested had broken access control
  3.7M   CWEs mapped to injection alone
  500K+  apps analysed for 2021 edition
  207d   avg days to detect breach (IBM)

DevSecOps Quick Wins

  • SAST in CI pipeline
  • DAST on staging
  • SCA for deps
  • Secret scanning
  • Threat modeling sprints
  • Security unit tests
  • SBOM generation
  • Container image scanning
  • IaC policy as code