
OWASP Top 10

A periodically updated list (latest edition 2021) of the ten most critical web application security risk categories, maintained by the OWASP Foundation.

Full definition

OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) publishes the Top 10, a widely referenced awareness list of the most critical web application security risk categories. Each entry is a category of weakness, not a single vulnerability, and a new edition appears every few years as the underlying data changes.

OWASP Top 10 (2021):

  1. A01: Broken Access Control — users reading or changing data, or calling functions, that their role should not permit (IDOR, privilege escalation, missing server-side checks)
  2. A02: Cryptographic Failures — weak or missing encryption, sensitive data exposed in transit or at rest (called "Sensitive Data Exposure" in 2017)
  3. A03: Injection — SQL injection, cross-site scripting (XSS, folded into this category in 2021), command injection
  4. A04: Insecure Design — fundamental design flaws that no implementation fix can remove
  5. A05: Security Misconfiguration — default credentials, verbose error pages, unnecessary features left enabled
  6. A06: Vulnerable and Outdated Components — libraries and frameworks with known vulnerabilities still in use
  7. A07: Identification and Authentication Failures — weak passwords, credential stuffing, missing MFA, session handling issues
  8. A08: Software and Data Integrity Failures — trusting unverified updates or CI/CD artifacts, insecure deserialization
  9. A09: Security Logging and Monitoring Failures — breaches that go undetected because nothing is logged or alerted on
  10. A10: Server-Side Request Forgery (SSRF) — the server fetching attacker-chosen URLs, often reaching internal services

Every QA engineer should know the basics of each category and be able to run a few non-destructive security checks during functional testing:

  • Try SQL injection in input fields: a single quote (') that produces a database error, or a tautology such as ' OR '1'='1 that logs in or returns extra rows, means raw input is reaching the query
  • Check that an authenticated user can't reach other users' data by changing an ID in a URL or request body (an insecure direct object reference)
  • Verify sensitive data is encrypted in transit (TLS on every endpoint, no fallback to plain HTTP) and at rest (no plaintext passwords or card numbers in the database)
  • Check for XSS in user-generated content: submit <script>alert(1)</script> or a harmless tag such as <b>x</b> in a comment field and see whether it comes back as live markup instead of escaped text
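
The injection, access control and XSS checks above can be automated in the test suite. The following Python is an added example written for this page, not code from OWASP or from the page's own materials: it seeds a constructed in-memory SQLite dataset, places a vulnerable implementation beside a hardened one for each of the three categories, and runs the same probe payload against both. All names (login_vulnerable, get_order_safe, run_checks and so on) and the sample rows are assumptions made for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo (not taken from any real system).
USERS = [(1, "alice", "alice-pw"), (2, "bob", "bob-pw")]      # (id, name, password)
ORDERS = [(10, 1, "keyboard"), (11, 2, "monitor")]            # (order_id, owner_id, item)


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, owner INTEGER, item TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return conn


# --- A03 Injection: login lookup built by concatenation vs. bound parameters ---

def login_vulnerable(conn, name, password):
    """Deliberately vulnerable: user input is pasted straight into the SQL text."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Hardened: bound parameters, so input can never change the query's shape."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


def sqli_probe(conn, login):
    """True if the tautology payload authenticates without a valid password.

    Against the vulnerable version the WHERE clause becomes
      name = 'alice' AND password = '' OR '1'='1'
    which (AND binds tighter than OR) is true for every row.
    """
    try:
        return login(conn, "alice", "' OR '1'='1") is not None
    except sqlite3.Error:
        # A database error on a quote payload is itself a finding: raw input
        # reached the SQL parser.
        return True


# --- A01 Broken Access Control: insecure direct object reference -------------

def get_order_vulnerable(conn, session_user_id, order_id):
    """Deliberately vulnerable: looks the order up by id alone, ignoring the caller."""
    return conn.execute("SELECT item FROM orders WHERE id = ?", (order_id,)).fetchone()


def get_order_safe(conn, session_user_id, order_id):
    """Hardened: the lookup is scoped to rows owned by the requesting user."""
    return conn.execute(
        "SELECT item FROM orders WHERE id = ? AND owner = ?", (order_id, session_user_id)
    ).fetchone()


def idor_probe(conn, get_order):
    """True if user 1 (alice) can read order 11, which belongs to user 2 (bob)."""
    return get_order(conn, 1, 11) is not None


# --- A03 Injection (XSS): rendering user-generated content -------------------

XSS_PROBE = "<script>alert(1)</script>"


def render_comment_vulnerable(text):
    """Deliberately vulnerable: user text is interpolated into HTML unescaped."""
    return f"<p>{text}</p>"


def render_comment_safe(text):
    """Hardened: HTML-escape user text before it enters the page."""
    return f"<p>{html.escape(text)}</p>"


def xss_probe(render):
    """True if the probe string reaches the rendered HTML as live markup."""
    return XSS_PROBE in render(XSS_PROBE)


def run_checks():
    """Run each probe against the vulnerable and the hardened implementation."""
    conn = make_db()
    return {
        "sqli_vulnerable": sqli_probe(conn, login_vulnerable),
        "sqli_safe": sqli_probe(conn, login_safe),
        "idor_vulnerable": idor_probe(conn, get_order_vulnerable),
        "idor_safe": idor_probe(conn, get_order_safe),
        "xss_vulnerable": xss_probe(render_comment_vulnerable),
        "xss_safe": xss_probe(render_comment_safe),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(f"{check:16} {'FINDING' if finding else 'ok'}")
```

Each probe is a plain function call, so the same three checks drop into an existing pytest or unittest suite as assertions that the `_safe` variants return False; a regression that reintroduces string-built SQL or unscoped lookups then fails the build rather than waiting for a pentest.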
