Security
OWASP Top 10
A short, ranked list of the most critical web application security risks — and the habits that stop most of them from ever shipping.
✗ The problem
Apps keep shipping the same exploitable flaws
The OWASP Top 10 is the industry-standard list of the most critical web application risks — compiled from real breach data across thousands of organizations.
A01
Broken Access Control
A02
Cryptographic Failures
A03
Injection
A04
Insecure Design
A05
Security Misconfig
A06
Vulnerable Components
A07
Auth Failures
A08
Data Integrity Failures
A09
Logging Failures
A10
SSRF
Most real-world breaches trace back to this short list — not exotic zero-days.
✓ Anatomy of an attack + fix
A03: Injection — take SQL injection concretely
User input gets glued straight into a query string. An attacker supplies input that changes the query's meaning.
Vulnerable — string concatenation
db.query(
"SELECT * FROM users WHERE name='"
+ input +
"'"
);
// input = ' OR '1'='1
// → WHERE name='' OR '1'='1'
// → matches every row!
Fixed — parameterized query
db.query(
"SELECT * FROM users WHERE name=?",
[input]
);
// input is bound as DATA,
// never parsed as SQL syntax
// → payload stays a literal string
The fix isn't "escape better" — it's never let input become code.
✓ See it live
Try to break the login — then try to fix it
Toggle the mode, then log in with a normal name or the injection payload
' OR '1'='1. Simulated — no real database.
// query preview appears here
Pick a mode, then hit Login.
✓ Takeaway
Defense in depth, not one silver bullet
- Validate & parameterize every input — never build queries or commands by string concatenation.
- Least privilege + default-deny access control on every route and record.
- Hash secrets (bcrypt/argon2) — never store or log plaintext passwords.
- Patch dependencies — most "vulnerable component" breaches are years-old known CVEs.
- Log + monitor auth events; secure defaults on every config.
🎯 Relates: secure design is simple, least-privilege boundaries echo Interface Segregation; pairs with OAuth2 & safe login.
Back to all topics →