The OWASP Top Ten is a standard awareness document from the Open Web Application Security Project (OWASP)that identifies the most critical security risks to web applications. It serves as a foundational guide for developers, security professionals, and organizations to understand and mitigate the most common and impactful vulnerabilities.

The latest version (OWASP Top Ten 2021) includes the following categories:

#	Category	Description
A01:2021 – Broken Access Control	Failures in enforcing proper authorization can let users act outside their intended permissions — e.g., accessing other users’ data or admin functions.
A02:2021 – Cryptographic Failures	Formerly “Sensitive Data Exposure.” Involves problems with encryption, data storage, and transmission (e.g., using weak or no encryption).
A03:2021 – Injection	Occurs when untrusted data is sent to an interpreter as part of a command or query — e.g., SQL, NoSQL, OS, or LDAP injection.
A04:2021 – Insecure Design	Involves flaws in the design phase — missing security controls, misuse of patterns, or poor threat modeling.
A05:2021 – Security Misconfiguration	The most common issue — insecure default settings, open cloud storage, verbose error messages, etc.
A06:2021 – Vulnerable and Outdated Components	Using software components (libraries, frameworks, etc.) with known vulnerabilities or no longer maintained.
A07:2021 – Identification and Authentication Failures	Formerly “Broken Authentication.” Includes weaknesses in authentication mechanisms, session management, and credential handling.
A08:2021 – Software and Data Integrity Failures	Issues with integrity checks — e.g., insecure CI/CD pipelines, unsigned code, or trust in external sources.
A09:2021 – Security Logging and Monitoring Failures	Lack of logging, monitoring, or alerting allows attackers to persist undetected.
A10:2021 – Server-Side Request Forgery (SSRF)	Occurs when an app fetches a remote resource based on unvalidated user input, letting attackers make requests to internal systems.