
OWASP Top 10 2021: Complete Security Guide

Full walkthrough of the OWASP Top 10 2021: all 10 vulnerability categories with real examples, testing tools, and remediation guidance for each.


OWASP Top 10 2021: The Complete Practitioner’s Guide

The OWASP Top 10 is the most referenced security risk list in web application security. Published by the Open Web Application Security Project, it identifies the ten most critical web application security risks based on industry data, CVE statistics, and community input. The 2021 edition introduced three new categories and reordered several others based on updated prevalence data.

This guide walks through all ten categories with concrete examples, testing approaches, and tools.


A01: Broken Access Control

Previously ranked #5, Broken Access Control jumped to the top in 2021 — found in 94% of tested applications.

What it is: Users can act outside their intended permissions. This includes accessing other users’ data, admin functionality, or performing actions they are not authorized for.

Examples:

  • Changing ?user_id=1234 to ?user_id=1235 in a URL and seeing another user’s data (IDOR)
  • Accessing /admin/panel without being an administrator
  • Modifying JWT tokens to elevate privilege

Testing tools: Burp Suite (Autorize extension), manual IDOR fuzzing with Intruder, ffuf for endpoint enumeration

Fix: Enforce access controls server-side on every request. Deny by default. Use indirect object references (random UUIDs instead of sequential IDs).


A02: Cryptographic Failures

Formerly called “Sensitive Data Exposure.” The 2021 rename emphasizes the root cause — cryptographic weaknesses — rather than the symptom.

What it is: Sensitive data exposed due to missing or weak encryption. This includes data in transit and at rest.

Examples:

  • HTTP instead of HTTPS (plaintext credentials in transit)
  • MD5 or SHA-1 password hashes (trivially crackable)
  • Hardcoded encryption keys in source code
  • Weak cipher suites (RC4, DES, export-grade ciphers)

Testing tools: testssl.sh, Burp Suite SSL scanner, hashcat to verify hash strength

# Check TLS configuration
testssl.sh --full https://target.com

# Try to crack MD5 hash
hashcat -m 0 -a 0 hash.txt rockyou.txt

Fix: Use TLS 1.2+ with strong cipher suites. Hash passwords with bcrypt, Argon2, or scrypt. Never store sensitive data you do not need.
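The weak and strong password-hashing choices above, side by side, as an added example (not code from the original article). It uses only the Python standard library; the scrypt work factors are assumed values for illustration, and the `$scrypt$n$r$p$salt$hash` storage format is one this example defines.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors (assumed for this example; raise n as hardware allows)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_hash(password):
    # Weak: unsalted and fast, so identical passwords produce identical hashes
    # and GPUs test billions of guesses per second (this is what hashcat -m 0 targets)
    return hashlib.md5(password.encode()).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode()


def scrypt_hash(password, salt=None):
    # Strong: per-user random salt plus a memory-hard KDF; the parameters are
    # stored alongside the hash so they can be raised later without a schema change
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def scrypt_verify(password, stored):
    # Recompute with the stored parameters and compare in constant time
    _, alg, n, r, p, salt_b64, dk_b64 = stored.split("$")
    if alg != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Two users with the same password: MD5 gives away that fact, scrypt does not
    print(md5_hash("hunter2") == md5_hash("hunter2"))        # True
    print(scrypt_hash("hunter2") == scrypt_hash("hunter2"))  # False (different salts)
    record = scrypt_hash("hunter2")
    print(scrypt_verify("hunter2", record), scrypt_verify("hunter3", record))  # True False
```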


A03: Injection

SQL injection, NoSQL injection, OS command injection, LDAP injection, and SSTI all fall under this category.

What it is: Untrusted data is sent to an interpreter as part of a command or query.

SQL injection example:

-- Vulnerable query
SELECT * FROM users WHERE username = '$input'

-- Attacker input: ' OR '1'='1
-- Result: returns all users

OS command injection example:

# Vulnerable
import os
from flask import request  # Flask's request object, as implied by request.args

filename = request.args.get("file")
os.system(f"cat {filename}")  # Input: /etc/passwd; id  -> the shell runs "id" too

Testing tools: sqlmap, Burp Suite, commix for command injection

# Automated SQL injection testing
sqlmap -u "http://target.com/page?id=1" --dbs --batch

# Detect command injection
commix --url="http://target.com/page?cmd=test"

Fix: Parameterized queries (prepared statements) for SQL. Never pass user input to OS commands. Use allow-lists for acceptable input values.
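Both injection examples above, vulnerable beside hardened, as an added example that is not code from the original article. The in-memory SQLite table and its three users are constructed sample data; the allow-list regex and the base directory are assumptions for this example, and the page's own payloads are what get fed in.

```python
import os
import re
import sqlite3
import subprocess


def make_db():
    # Constructed in-memory table with a few sample users (example data only)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_vulnerable(conn, username):
    # String interpolation: the input becomes part of the SQL text, so
    # ' OR '1'='1 turns the WHERE clause into a tautology and returns every row
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever treated as data, never parsed as syntax
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # assumed allow-list for file names


def is_safe_filename(name):
    # No path separators, spaces or shell metacharacters, and nothing starting
    # with "." (which also rules out "..")
    return bool(SAFE_NAME.fullmatch(name)) and not name.startswith(".")


def read_file_safe(base_dir, filename):
    # Validate against the allow-list, confine to base_dir, and pass argv as a
    # list so no shell ever parses the name (the "; id" trick has nothing to act on)
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    path = os.path.join(base_dir, filename)
    return subprocess.run(["cat", path], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # all three rows
    print(find_user_safe(conn, payload))         # []
    print(is_safe_filename("/etc/passwd; id"))   # False
```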


A04: Insecure Design

New in 2021. This category addresses fundamental design flaws rather than implementation bugs.

What it is: Security was not considered during the design phase. The architecture itself is flawed, and no amount of implementation hardening can fix it.

Examples:

  • Password reset via security questions (easily researched)
  • No rate limiting on authentication endpoints by design
  • Business logic that allows negative quantities in e-commerce (adding money to cart)

Testing approach: Threat modeling during design review (STRIDE, PASTA frameworks). Abuse case testing — think like an attacker about what the feature allows.

Fix: Threat modeling before coding. Secure design patterns. Reference architectures. Security user stories in Agile processes.


A05: Security Misconfiguration

The #1 finding in practice. Covers everything from default credentials to verbose error messages.

What it is: Missing hardening, unnecessary features enabled, default accounts unchanged, overly permissive cloud storage, misconfigured HTTP headers.

Examples:

  • AWS S3 bucket publicly readable
  • Default admin/admin credentials on a management interface
  • Stack traces returned in HTTP error responses
  • Missing security headers (CSP, X-Frame-Options, HSTS)

Testing tools:

# Check HTTP security headers
curl -I https://target.com | grep -i "x-frame\|content-security\|strict-transport"

# Scan for common misconfigurations
nikto -h http://target.com

# Check cloud storage
aws s3 ls s3://bucket-name --no-sign-request

Fix: Automated configuration review in CI/CD. Minimal attack surface — disable unused features. Regular audits with tools like ScoutSuite (AWS) or Prowler.


A06: Vulnerable and Outdated Components

What it is: Using components (libraries, frameworks, OS packages) with known vulnerabilities.

Examples:

  • Log4Shell (CVE-2021-44228) — critical RCE in Log4j affecting millions of systems
  • Running Apache Struts 2.3.x (the vulnerable version exploited in the Equifax breach)
  • Outdated jQuery with known XSS gadgets

Testing tools:

# OWASP Dependency Check
dependency-check.sh --project "myapp" --scan /path/to/app --format HTML

# Retire.js for JavaScript
retire --path /var/www/html

# Snyk CLI
snyk test

Fix: Software composition analysis (SCA) in CI/CD pipeline. Automated dependency updates (Dependabot, Renovate). Subscribe to vulnerability feeds (NVD, GitHub Advisories).


A07: Identification and Authentication Failures

Formerly “Broken Authentication.” Covers weaknesses in how applications confirm user identity.

What it is: Flawed authentication mechanisms — weak passwords, broken session management, missing MFA, credential stuffing vulnerability.

Examples:

  • No account lockout on brute-force attempts
  • Session tokens in URLs (visible in server logs and browser history)
  • Weak session ID entropy (predictable tokens)
  • Passwords stored in plaintext

Testing tools:

# Brute force login (authorized testing only)
hydra -L users.txt -P passwords.txt http-post-form \
  "/login:user=^USER^&pass=^PASS^:F=Invalid credentials"

# Test credential stuffing
ffuf -w credentials.txt -u http://target.com/login \
  -d "user=FUZZ&pass=FUZZ2" -H "Content-Type: application/x-www-form-urlencoded"

Fix: Enforce MFA. Implement account lockout with exponential backoff. Use cryptographically random session tokens. Invalidate sessions on logout.


A08: Software and Data Integrity Failures

New in 2021, encompassing insecure deserialization and CI/CD pipeline attacks.

What it is: Code and data loaded without integrity verification — unsigned updates, insecure deserialization, compromised CI/CD pipelines.

Examples:

  • Auto-update mechanism that does not verify code signatures (SolarWinds-style supply chain attack)
  • Java deserialization RCE (Apache Commons Collections gadget chains)
  • npm packages with post-install scripts that steal environment variables

Java deserialization detection:

# Use ysoserial to generate test payloads
java -jar ysoserial.jar CommonsCollections6 "id" | base64

# Scan with Burp Deserialization Scanner extension

Fix: Verify digital signatures on all updates. Use SBOM (Software Bill of Materials). Pin dependency versions. Secure the CI/CD pipeline with code signing.


A09: Security Logging and Monitoring Failures

What it is: Insufficient logging, monitoring, and alerting that allows breaches to go undetected.

Examples:

  • Login failures not logged
  • Logs not monitored for anomalies
  • No alerting on access to sensitive endpoints
  • Logs stored on the same server they monitor (tampered after compromise)

Testing approach: Attempt a series of failed logins and then check whether logs captured them. Try accessing non-existent admin paths and verify alerts fire.

Fix: Log all authentication events, access control failures, and input validation failures. Send logs to a centralized, tamper-resistant SIEM. Set up alerts for brute force patterns and privilege escalation.
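The brute-force alerting the fix calls for, run over a handful of constructed login events, as an added example that is not code from the original article. The log line format, the 5-failures-in-5-minutes threshold and the sample addresses (from the documentation ranges) are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system), one login event per line:
#   <UTC timestamp> auth.login result=<OK|FAIL> user=<name> src=<client ip>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth.login result=FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth.login result=FAIL user=bob src=203.0.113.5
2024-05-01T10:00:04Z auth.login result=FAIL user=carol src=198.51.100.7
2024-05-01T10:00:05Z auth.login result=FAIL user=carol src=203.0.113.5
2024-05-01T10:00:08Z auth.login result=FAIL user=dave src=203.0.113.5
2024-05-01T10:00:09Z auth.login result=OK user=carol src=198.51.100.7
2024-05-01T10:00:11Z auth.login result=FAIL user=erin src=203.0.113.5
2024-05-01T10:00:13Z auth.login result=FAIL user=frank src=203.0.113.5
2024-05-01T10:00:20Z auth.login result=OK user=frank src=203.0.113.5
"""

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(minutes=5)   # ... within this sliding window (assumed values)


def parse_line(line):
    ts, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (timestamp, src, kind). One alert when a source reaches
    `threshold` failures inside the window; a second, higher-priority alert if
    that same source then logs in successfully (a likely cracked account)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    flagged, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_line(line)
        src, q = f["src"], recent[f["src"]]
        while q and ts - q[0] > window:      # drop failures that aged out
            q.popleft()
        if f["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ts, src, "brute_force"))
        elif f["result"] == "OK" and src in flagged:
            alerts.append((ts, src, f"success_after_brute_force:{f['user']}"))
    return alerts
```

On the sample above this fires twice for 203.0.113.5: the brute-force alert at the fifth failure (10:00:11) and the higher-priority one when "frank" then logs in from the same source; the single failure from 198.51.100.7 is below threshold and stays quiet.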


A10: Server-Side Request Forgery (SSRF)

New in 2021, added on the strength of the community survey, which rated its severity highly.

What it is: The server fetches a URL provided by the attacker, potentially exposing internal services and cloud metadata endpoints.

Examples:

# URL parameter that triggers server-side fetch
GET /fetch?url=http://192.168.1.1/admin

# Cloud metadata endpoint (AWS)
GET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Testing approach:

# Use Burp Collaborator to detect blind SSRF
# Set url parameter to your Burp Collaborator URL
GET /fetch?url=https://abc123.burpcollaborator.net/

# Scan with nuclei SSRF templates
nuclei -u http://target.com -t ssrf/

Fix: Allow-list permitted URL schemes and destinations. Block requests to RFC 1918 and loopback ranges. Disable URL redirection following. Use a dedicated egress proxy.
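The allow-list check from the fix above, applied to the page's own metadata and internal-network URLs, as an added example that is not code from the original article. The permitted hosts are an assumed allow-list; the check only inspects the URL as written, so a real deployment must also resolve the name and re-check every resolved address at connect time (or let the egress proxy do that), and the HTTP client must have redirect following disabled.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list for this example: the only destinations the fetcher may reach
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_blocked_address(host):
    """True if host is an IP literal in a range the server must never fetch from
    (RFC 1918, loopback, link-local incl. 169.254.169.254, reserved, multicast)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; the hostname allow-list decides
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def validate_fetch_url(url):
    """Return (ok, reason). Deny by default: only allow-listed schemes and hosts pass."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    # .hostname is lower-cased, has userinfo stripped and IPv6 brackets removed,
    # so "http://user@169.254.169.254/" and "http://[::1]/" are seen for what they are
    host = parts.hostname
    if not host:
        return False, "missing host"
    if is_blocked_address(host):
        return False, f"internal address: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/data",
                      "http://192.168.1.1/admin",
                      "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                      "file:///etc/passwd"):
        print(validate_fetch_url(candidate), candidate)
```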


Quick Reference Table

#     Category                         Key Tools
A01   Broken Access Control            Burp Autorize, manual IDOR
A02   Cryptographic Failures           testssl.sh, hashcat
A03   Injection                        sqlmap, commix
A04   Insecure Design                  Threat modeling
A05   Security Misconfiguration        nikto, ScoutSuite
A06   Vulnerable Components            Dependency-Check, Snyk
A07   Auth Failures                    Hydra, ffuf
A08   Integrity Failures               ysoserial, Burp
A09   Logging Failures                 Manual audit, SIEM review
A10   SSRF                             Burp Collaborator, nuclei

Summary

The OWASP Top 10 2021 is not just a list — it is a prioritization framework for application security programs. Understanding each category mechanically, knowing how to test for it, and understanding the remediation guidance will make you a more effective penetration tester and security engineer. Use this as a baseline checklist for every web application assessment you conduct.
