Below is a clear, practitioner-oriented breakdown of the OWASP Top 10 Web Application Security Risks (latest major revision: OWASP Top 10 – 2021, which is still the current standard as of 2025).
I’ll cover what each risk is, why it matters, common attack examples, and practical mitigations—useful for both defensive (Blue Team) and offensive (Red Team / pentesting) perspectives.
1. A01: Broken Access Control
What it is:
Failures that allow users to act outside their intended permissions.
Why it matters:
Access control flaws are the most common and most damaging web app vulnerabilities.
Common examples:
- IDOR (Insecure Direct Object Reference):
/api/users/1234 - Horizontal privilege escalation
- Vertical privilege escalation (user → admin)
- Missing authorization checks on API endpoints
Attack scenario:
GET /api/invoices/9876
Attacker changes 9876 to another user’s invoice ID.
Mitigations:
- Enforce server-side authorization on every request
- Use deny-by-default policies
- Implement role-based access control (RBAC)
- Log and alert on access control failures
2. A02: Cryptographic Failures
(formerly Sensitive Data Exposure)
What it is:
Improper protection of sensitive data in transit or at rest.
Why it matters:
Leads directly to data breaches, credential theft, and compliance violations.
Common examples:
- Plaintext passwords
- Weak hashing (MD5, SHA1)
- No HTTPS or weak TLS
- Hardcoded secrets
Attack scenario:
- Attacker intercepts traffic over HTTP
- Dumps password hashes and cracks them offline
Mitigations:
- Use TLS 1.2+ everywhere
- Hash passwords with bcrypt / Argon2
- Encrypt sensitive data at rest
- Proper key management (HSM, KMS)
3. A03: Injection
What it is:
Untrusted data is interpreted as code by an interpreter.
Why it matters:
Injection often leads to full database compromise or RCE.
Common types:
- SQL Injection
- NoSQL Injection
- Command Injection
- LDAP Injection
Attack scenario (SQLi):
' OR 1=1--
Mitigations:
- Use parameterized queries
- Avoid dynamic query construction
- Input validation (allow-lists)
- ORM frameworks (used correctly)
4. A04: Insecure Design
What it is:
Architectural or design flaws that cannot be fixed with simple code changes.
Why it matters:
Secure coding cannot fix insecure architecture.
Common examples:
- No rate limiting
- No threat modeling
- Trusting client-side validation
- Missing business logic controls
Attack scenario:
- Unlimited password attempts → credential stuffing
Mitigations:
- Perform threat modeling
- Use secure design patterns
- Abuse-case testing
- Define security requirements early
5. A05: Security Misconfiguration
What it is:
Improperly configured frameworks, servers, or platforms.
Why it matters:
Misconfigurations are easy to exploit and extremely common.
Common examples:
- Default credentials
- Stack traces exposed
- Open admin panels
- Directory listing enabled
Attack scenario:
- Attacker finds
/adminor/phpinfo.php
Mitigations:
- Harden systems (CIS benchmarks)
- Disable unused features
- Automated configuration audits
- Secure deployment pipelines
6. A06: Vulnerable and Outdated Components
What it is:
Using libraries or components with known vulnerabilities.
Why it matters:
Many breaches occur via third-party dependencies.
Common examples:
- Log4Shell (Log4j)
- Old jQuery with XSS
- Outdated CMS plugins
Attack scenario:
- Exploit known CVE with public PoC
Mitigations:
- Maintain an SBOM
- Regular dependency updates
- Use tools like:
- OWASP Dependency-Check
- Snyk
- Dependabot
7. A07: Identification and Authentication Failures
What it is:
Weak authentication or session management.
Why it matters:
Allows account takeover and impersonation.
Common examples:
- Weak passwords
- No MFA
- Session fixation
- JWT misconfiguration
Attack scenario:
- Brute-force login without rate limiting
Mitigations:
- Enforce strong password policies
- Implement MFA
- Secure session cookies (HttpOnly, Secure)
- Proper JWT validation
8. A08: Software and Data Integrity Failures
What it is:
Failure to protect integrity of code and data.
Why it matters:
Leads to supply chain attacks.
Common examples:
- Unsigned updates
- Insecure CI/CD pipelines
- Deserialization flaws
Attack scenario:
- Malicious dependency injected during build
Mitigations:
- Code signing
- Secure CI/CD pipelines
- Validate serialized data
- Use trusted repositories only
9. A09: Security Logging and Monitoring Failures
What it is:
Insufficient logging and alerting.
Why it matters:
Attacks go undetected or are discovered too late.
Common examples:
- No login failure logs
- No alerting on privilege escalation
- Logs not protected
Attack scenario:
- Attacker maintains persistence for months unnoticed
Mitigations:
- Centralized logging (SIEM)
- Log authentication and authorization events
- Real-time alerting
- Incident response plans
10. A10: Server-Side Request Forgery (SSRF)
What it is:
Server makes unauthorized requests on behalf of attacker.
Why it matters:
Can lead to cloud metadata compromise and internal network access.
Common examples:
- Fetching URLs without validation
- Accessing
169.254.169.254(cloud metadata)
Attack scenario:
POST /fetch?url=http://localhost/admin
Mitigations:
- URL allow-listing
- Block internal IP ranges
- Disable unnecessary outbound requests
- Network segmentation
OWASP Top 10 Summary Table
| Rank | Category |
|---|---|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable & Outdated Components |
| A07 | Identification & Authentication Failures |
| A08 | Software & Data Integrity Failures |
| A09 | Logging & Monitoring Failures |
| A10 | SSRF |
How This Is Used in Practice
- Developers: Secure coding & design baseline
- Pentesters: Test case foundation
- Blue Teams: Control prioritization
- Compliance: Mapping to ISO 27001, PCI-DSS, SOC 2
Below is a practical alignment of OWASP Top 10 (2021) with MITRE ATT&CK (Enterprise).
This mapping is widely used in threat modeling, purple-team exercises, and SOC detection engineering to bridge application-layer risk with adversary behavior.
⚠️ Important:
OWASP describes what is vulnerable; MITRE ATT&CK describes how adversaries operate.
The mapping is therefore many-to-many, not 1:1.
OWASP Top 10 ↔ MITRE ATT&CK Mapping
A01 – Broken Access Control
Core Risk: Unauthorized actions and privilege escalation
MITRE ATT&CK Techniques
- T1068 – Exploitation for Privilege Escalation
- T1078 – Valid Accounts
- T1098 – Account Manipulation
- T1548 – Abuse Elevation Control Mechanism
Real-World Flow
- Attacker exploits IDOR
- Accesses admin-only endpoints
- Performs privilege escalation
Detection Focus
- Unusual object access patterns
- Privilege changes without admin action
- Cross-account data access
A02 – Cryptographic Failures
Core Risk: Exposure of credentials or sensitive data
MITRE ATT&CK Techniques
- T1555 – Credentials from Password Stores
- T1003 – OS Credential Dumping
- T1040 – Network Sniffing
- T1110 – Brute Force
Real-World Flow
- Intercept plaintext credentials
- Crack weak hashes
- Reuse credentials for lateral access
Detection Focus
- TLS downgrade attempts
- Excessive authentication failures
- Credential reuse anomalies
A03 – Injection
Core Risk: Interpreter abuse leading to DB or OS compromise
MITRE ATT&CK Techniques
- T1190 – Exploit Public-Facing Application
- T1059 – Command and Scripting Interpreter
- T1505 – Server Software Component Abuse
Real-World Flow
- SQLi in login form
- Dump credentials
- RCE via stacked queries
Detection Focus
- SQL syntax errors in logs
- Unexpected shell execution
- WAF rule triggers
A04 – Insecure Design
Core Risk: Business logic and architectural weaknesses
MITRE ATT&CK Techniques
- T1499 – Endpoint Denial of Service
- T1110 – Brute Force
- T1213 – Data from Information Repositories
Real-World Flow
- Abuse missing rate limits
- Enumerate accounts
- Mass data harvesting
Detection Focus
- High-frequency request patterns
- Logic abuse (valid requests, malicious intent)
- API misuse metrics
A05 – Security Misconfiguration
Core Risk: Default or insecure settings
MITRE ATT&CK Techniques
- T1580 – Cloud Infrastructure Discovery
- T1082 – System Information Discovery
- T1190 – Exploit Public-Facing Application
Real-World Flow
- Discover open admin interfaces
- Access debug endpoints
- Extract secrets/configs
Detection Focus
- Access to admin/debug endpoints
- Configuration file exposure attempts
- Unexpected service enumeration
A06 – Vulnerable & Outdated Components
Core Risk: Known CVEs exploited
MITRE ATT&CK Techniques
- T1190 – Exploit Public-Facing Application
- T1210 – Exploitation of Remote Services
- T1505.003 – Web Shell
Real-World Flow
- Exploit known CVE (e.g., Log4Shell)
- Deploy web shell
- Persistence achieved
Detection Focus
- Known exploit signatures
- Abnormal child processes
- Web shell indicators
A07 – Identification & Authentication Failures
Core Risk: Account takeover
MITRE ATT&CK Techniques
- T1110 – Brute Force
- T1078 – Valid Accounts
- T1539 – Steal Web Session Cookie
Real-World Flow
- Credential stuffing
- Session hijacking
- Account takeover
Detection Focus
- Geo-impossible logins
- MFA bypass attempts
- Session reuse patterns
A08 – Software & Data Integrity Failures
Core Risk: Supply chain compromise
MITRE ATT&CK Techniques
- T1195 – Supply Chain Compromise
- T1059 – Command Execution
- T1608 – Stage Capabilities
Real-World Flow
- Malicious dependency injected
- Code executes during build
- Backdoor deployed
Detection Focus
- Unsigned builds
- Unexpected CI pipeline changes
- Integrity check failures
A09 – Logging & Monitoring Failures
Core Risk: Undetected compromise
MITRE ATT&CK Techniques
- T1562 – Impair Defenses
- T1070 – Indicator Removal on Host
- T1027 – Obfuscated/Encrypted Payloads
Real-World Flow
- Disable logging
- Clear logs
- Persist undetected
Detection Focus
- Gaps in telemetry
- Sudden log volume drops
- Disabled security agents
A10 – Server-Side Request Forgery (SSRF)
Core Risk: Internal service abuse
MITRE ATT&CK Techniques
- T1190 – Exploit Public-Facing Application
- T1046 – Network Service Discovery
- T1552 – Unsecured Credentials
Real-World Flow
- SSRF to cloud metadata service
- Extract IAM credentials
- Pivot into cloud environment
Detection Focus
- Requests to metadata IPs
- Internal-only endpoint access
- Abnormal outbound traffic
Visual Summary (Condensed)
| OWASP Category | MITRE ATT&CK Tactics |
|---|---|
| Access Control | Privilege Escalation, Credential Access |
| Crypto Failures | Credential Access, Collection |
| Injection | Initial Access, Execution |
| Insecure Design | Collection, Impact |
| Misconfiguration | Discovery, Initial Access |
| Vulnerable Components | Initial Access, Persistence |
| Auth Failures | Credential Access |
| Integrity Failures | Supply Chain, Execution |
| Logging Failures | Defense Evasion |
| SSRF | Discovery, Lateral Movement |
How to Use This Mapping Practically
🔵 Blue Team
- Map OWASP risks → detection rules
- Prioritize logging for ATT&CK techniques
- Improve SIEM correlation
🔴 Red Team
- Convert OWASP findings into ATT&CK chains
- Report findings in ATT&CK language
- Increase exec-level clarity
🟣 Purple Team
- Design attack simulations
- Validate SOC coverage
- Measure MTTD/MTTR
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security
At DISC InfoSec, we help organizations navigate this landscape by aligning AI risk management, governance, security, and compliance into a single, practical roadmap. Whether you are experimenting with AI or deploying it at scale, we help you choose and operationalize the right frameworks to reduce risk and build trust. Learn more at DISC InfoSec.
- OWASP Top 10 Web Application Security Risks ↔ MITRE ATT&CK Mapping
- AI Model Risk Management: A Five-Stage Framework for Trust, Compliance, and Control
- Why ISO 42001 Matters: Governing Risk, Trust, and Accountability in AI Systems
- From Concept to Control: Why AI Boundaries, Accountability, and Responsibility Matter
- Why Defining Risk Appetite, Risk Tolerance, and Risk Capacity Is Essential to Effective Risk Management
