What is the OWASP Top 10?

The OWASP Top 10 is a community-driven awareness document listing the ten most critical web application security risks. It is maintained by the Open Worldwide Application Security Project and is widely used as a baseline for secure development and testing.

Which edition does this reference cover?

It covers the 2021 edition, the current published version. It introduced new categories including Insecure Design (A04), Software and Data Integrity Failures (A08) and Server-Side Request Forgery (A10), and merged XSS into Injection.

What changed from the 2017 list?

Several categories were broadened and renamed. Cross-Site Scripting merged into Injection, Sensitive Data Exposure became the broader Cryptographic Failures, and three new categories were added: Insecure Design, Software and Data Integrity Failures, and SSRF.

Is fixing the Top 10 enough for security?

No. The Top 10 is an awareness baseline, not a complete standard. For thorough coverage use the OWASP Application Security Verification Standard (ASVS) and pair it with threat modelling, dependency scanning and penetration testing.

Does this tool scan my application?

No. It is a static offline reference and filter running entirely in your browser. It does not test, scan or connect to any application.

OWASP Top 10 Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The ten most critical web application risks

The OWASP Top 10 is the most widely referenced awareness document in web application security. It ranks the categories of risk that cause the most damage, based on data from hundreds of organisations and a community survey. This reference lists all ten from the 2021 edition with a plain-language description, common real-world examples and a concrete mitigation for each.

How it works

Each entry is a category rather than a single bug. The list is ordered by a combination of exploitability, prevalence and impact, with A01 the highest priority:

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server-Side Request Forgery (SSRF)

Use the categories as a checklist: for each one, confirm your application has the listed mitigations. The filter lets you find a specific risk by keyword across titles, descriptions and examples.

Tips and notes

Treat the list as a minimum baseline, then graduate to the OWASP ASVS for depth.
A01 Broken Access Control moved to the top in 2021 — audit authorisation first.
Map each finding from a scanner or pentest back to a Top 10 category for triage.
The list is refreshed every few years; check owasp.org for the newest edition.