OWASP Top 10 Security Risks
The industry-standard awareness document for web application and API security — with Precogs AI detection mapping.
Web Application Security Risks (2025)
Broken Access Control
Failures in access control enforcement that let users act outside their intended permissions. This includes bypassing access check...
Security Misconfiguration
Missing or incorrect security hardening across the application stack: default accounts/passwords, unnecessary features enabled, ov...
Software Supply Chain Failures
NEW in 2025. Expands the previous "Vulnerable and Outdated Components" to cover the entire software supply chain ecosystem: compro...
Cryptographic Failures
Failures related to cryptography that lead to exposure of sensitive data or system compromise. This includes transmitting data in ...
Injection
An application is vulnerable to injection when user-supplied data is not validated, filtered, or sanitized. Includes SQL injection, NoSQ...
Insecure Design
Risks from missing or ineffective security controls at the design level. Unlike implementation bugs, insecure design cannot be fix...
Identification and Authentication Failures
Failures in authentication mechanisms: credential stuffing, brute force, weak passwords, session fixation, improper session invali...
Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations. This includes software updates without integrity verif...
Security Logging and Monitoring Failures
Insufficient logging, detection, monitoring, and active response. Without these, breaches cannot be detected in a timely manner. M...
Mishandling of Exceptional Conditions
NEW in 2025. Emphasizes the importance of secure error handling and resilience. Weak or missing error handling can expose critical...
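An added example covering the two entries above (logging/monitoring and exceptional conditions); it is not code from the OWASP project or from Precogs. It shows an authorization check that fails open when its backend throws beside the fail-closed version, and an error boundary that logs the full exception server-side under a correlation id while the client receives only that id. The handler shape, the `AuthzBackendDown` exception and the in-memory log handler are assumptions for the example.

```python
"""Added example (not from the OWASP page): fail-closed error handling for an
access decision, and an error boundary that keeps exception detail in the
server log rather than in the HTTP response."""
import logging
import traceback
import uuid


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the example can show what
    reached the log (a stand-in for a real log sink)."""

    def __init__(self) -> None:
        super().__init__()
        self.records: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


log = logging.getLogger("api.errors")
log.setLevel(logging.INFO)
log.propagate = False
audit = ListHandler()
log.addHandler(audit)


class AuthzBackendDown(Exception):
    """Hypothetical: the policy service is unreachable."""


def is_allowed_fail_open(user: str, resource: str, backend) -> bool:
    """Mishandled condition: an error in the policy lookup grants access.
    An attacker only has to make the backend fail (load, timeout, bad
    input) to bypass authorization."""
    try:
        return backend(user, resource)
    except AuthzBackendDown:
        return True  # "keep the site up" -- this is the bug


def is_allowed(user: str, resource: str, backend) -> bool:
    """Fail closed: any error on the decision path denies, and the failure
    is logged so monitoring can see a degraded authorizer."""
    try:
        return bool(backend(user, resource))
    except Exception:
        log.exception("authz backend failure; denying %s on %s", user, resource)
        return False


def handle(request: dict, handler) -> dict:
    """Error boundary for a request handler. The traceback and exception
    message (which may contain connection strings or secrets) go to the
    log once, keyed by an incident id; the client gets only the id."""
    try:
        return {"status": 200, "body": handler(request)}
    except Exception as exc:
        incident_id = uuid.uuid4().hex
        log.error(
            "unhandled %s, incident %s\n%s",
            type(exc).__name__, incident_id, traceback.format_exc(),
        )
        return {
            "status": 500,
            "body": {"error": "internal error", "incident_id": incident_id},
        }


if __name__ == "__main__":
    def broken_backend(user, resource):
        raise AuthzBackendDown()

    print("fail-open grants:", is_allowed_fail_open("alice", "doc1", broken_backend))
    print("fail-closed grants:", is_allowed("alice", "doc1", broken_backend))
    print(handle({}, lambda req: (_ for _ in ()).throw(KeyError("db password=hunter2"))))
    print(audit.records[-1].splitlines()[0])
```

The incident id is what support asks the user to quote; the server log line carrying it holds the detail. Nothing in the 500 response depends on what went wrong, so the response cannot be used to fingerprint the stack or read configuration.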
API Security Risks (2023)
Broken Object Level Authorization
APIs exposing endpoints that handle object identifiers without verifying the requesting user has permission to access the specific...
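A worked example for object-level authorization, serving both the Broken Access Control entry in the web list and this API entry; it is added here and is not code from OWASP or Precogs. A hypothetical `GET /invoices/{id}` handler is shown with the identifier used directly, then with the lookup scoped to the caller. The `User`, `Invoice` and `INVOICES` data and the "support" role are constructed for the example.

```python
"""Added example (not from the OWASP page): BOLA / broken access control on a
hypothetical invoice endpoint, vulnerable beside fixed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str = "customer"  # hypothetical roles: "customer" or "support"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data standing in for the database.
INVOICES = {
    101: Invoice(101, owner_id=1, total=49.00),
    102: Invoice(102, owner_id=2, total=1250.00),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    """BOLA: the id comes from the request and selects the row directly.
    Any authenticated caller reads any invoice by changing the number."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice(caller: User, invoice_id: int) -> Invoice:
    """Fixed: ownership is checked on the server against the stored record,
    never against anything the client sent. A foreign id is answered with
    NotFound rather than Forbidden so the endpoint does not confirm which
    ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    if caller.role != "support" and invoice.owner_id != caller.user_id:
        raise NotFound(invoice_id)
    return invoice


def can_read(caller: User, invoice_id: int) -> bool:
    """Convenience wrapper used to exercise the fixed handler."""
    try:
        get_invoice(caller, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice, bob = User(1), User(2)
    print("vulnerable, alice reads bob's invoice:", get_invoice_vulnerable(alice, 102))
    print("fixed, alice reads bob's invoice:", can_read(alice, 102))
    print("fixed, alice reads own invoice:", can_read(alice, 101))
```

Testing this class of bug is mechanical: take two accounts, fetch a resource as one, replay the request as the other, and confirm the second gets the same not-found response it would get for an id that does not exist.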
Broken Authentication
Authentication mechanisms in APIs are often implemented incorrectly, allowing attackers to compromise authentication tokens or exp...
Broken Object Property Level Authorization
APIs that expose or allow modification of object properties that should be restricted. Combines mass assignment and excessive data...
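Both halves of this entry, mass assignment on write and excessive exposure on read, in one added example that is not from OWASP or Precogs. A hypothetical `PATCH /users/{id}` body is applied to a user model with every key accepted, then with an allowlist; the response serializer projects only client-readable fields. The `UserRecord` fields and the two allowlists are assumptions for the example.

```python
"""Added example (not from the OWASP page): property-level authorization,
mass assignment beside an allowlisted update, and a response projection that
keeps server-owned fields out of the API."""
from dataclasses import dataclass, asdict


@dataclass
class UserRecord:
    user_id: int
    email: str
    display_name: str
    is_admin: bool = False
    password_hash: str = ""
    credit_balance: float = 0.0


def update_user_vulnerable(user: UserRecord, body: dict) -> UserRecord:
    """Mass assignment: every key in the JSON body that matches a model
    attribute is written, so a client can send "is_admin": true or
    rewrite credit_balance."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Properties a user may change about themselves; everything else is owned by
# the server (hypothetical policy for the example).
CLIENT_WRITABLE = frozenset({"email", "display_name"})
# Properties that may appear in responses; secrets and internals stay out.
CLIENT_READABLE = ("user_id", "email", "display_name")


def update_user(user: UserRecord, body: dict) -> UserRecord:
    """Fixed: allowlist the writable properties and reject, rather than
    silently drop, anything else so a tampering attempt is visible."""
    unknown = set(body) - CLIENT_WRITABLE
    if unknown:
        raise ValueError(f"property not writable: {sorted(unknown)}")
    for key in CLIENT_WRITABLE & set(body):
        setattr(user, key, body[key])
    return user


def serialize_user(user: UserRecord) -> dict:
    """Excessive data exposure: returning asdict(user) would leak
    password_hash, is_admin and credit_balance. Project the readable
    fields explicitly instead of filtering on the client."""
    data = asdict(user)
    return {key: data[key] for key in CLIENT_READABLE}


if __name__ == "__main__":
    u = UserRecord(1, "alice@example.com", "Alice")
    update_user_vulnerable(u, {"display_name": "Alice", "is_admin": True})
    print("vulnerable, is_admin after PATCH:", u.is_admin)
    v = UserRecord(2, "bob@example.com", "Bob")
    try:
        update_user(v, {"display_name": "Bob", "is_admin": True})
    except ValueError as err:
        print("fixed:", err)
    print("response body:", serialize_user(v))
```

Rejecting the unknown property instead of dropping it matters for monitoring: an account that keeps sending `is_admin` in a profile update is worth an alert, and a silent drop hides that signal.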
Unrestricted Resource Consumption
APIs that don't limit the number of requests, payload sizes, or resources consumed per client. Missing rate limiting, no paginatio...
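The controls this entry names, in an added example that is not code from OWASP or Precogs: a per-client token-bucket limiter, a request body size cap and a page-size cap, applied before any expensive work. The limits, the `client_key` notion and the injectable clock are assumptions for the example; the clock is injected so the refill behaviour can be shown deterministically.

```python
"""Added example (not from the OWASP page): per-client token-bucket rate
limiting plus body-size and page-size caps for an API."""
import time

MAX_BODY_BYTES = 64 * 1024  # hypothetical cap for a JSON API
MAX_PAGE_SIZE = 100         # cap on ?limit= so one call cannot dump a table


class TokenBucket:
    """One bucket per client key. Each request costs `cost` tokens; the
    bucket refills continuously at `refill_per_sec` up to `capacity`."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable for deterministic tests
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_ts)

    def allow(self, client_key: str, cost: int = 1) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(client_key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= cost:
            self._buckets[client_key] = (tokens - cost, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False


def check_request(limiter: TokenBucket, client_key: str,
                  content_length: int, page_limit: int) -> tuple[int, str]:
    """Gate run before the body is read or any query executes. Returns an
    HTTP status and a reason. Content-Length is checked first so an
    oversized upload is refused without buffering it."""
    if content_length > MAX_BODY_BYTES:
        return 413, "payload too large"
    if not limiter.allow(client_key):
        return 429, "rate limit exceeded"
    effective_limit = min(max(page_limit, 1), MAX_PAGE_SIZE)
    return 200, f"ok (page size {effective_limit})"


if __name__ == "__main__":
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0)
    for i in range(5):
        print(i, check_request(limiter, "client-a", content_length=12, page_limit=500))
```

Key the bucket on something the attacker cannot freely rotate: the authenticated client id or API key, falling back to source address only for unauthenticated routes. A higher `cost` for expensive endpoints (search, export) lets one limiter cover both cheap and heavy calls.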
Broken Function Level Authorization
APIs with complex access control policies where administrative or privileged functions are accessible to regular users. Often invo...
Unrestricted Access to Sensitive Business Flows
APIs that expose sensitive business flows (purchasing, commenting, voting, booking) without protecting against excessive automated...
Server Side Request Forgery
SSRF in the context of APIs — webhook URLs, file import from URL, custom integrations, and URL preview features that fetch user-pr...
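A worked check for the webhook case, added here as an example and not taken from OWASP or Precogs: the user-supplied URL is parsed, restricted to https, stripped of embedded credentials, and its host resolved and tested against non-global address ranges before the fetcher is allowed to connect. DNS resolution is injected (`resolve`) so the example runs offline against the constructed `FAKE_DNS` table; in production pass a real resolver and connect to the address this function returns, not to the hostname again, so a DNS-rebinding answer between check and fetch cannot redirect the request.

```python
"""Added example (not from the OWASP page): outbound URL validation for
webhooks / fetch-by-URL features, with the resolved address pinned."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # hypothetical policy for the example


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: loopback, link-local
    (cloud metadata lives at 169.254.169.254), RFC 1918, CGNAT, ULA and
    reserved ranges are all rejected."""
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolve) -> str:
    """Returns the IP the fetcher must connect to, or raises ValueError.
    `resolve(hostname) -> list[str]` is the injected resolver."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # A literal IP must pass the same test as a resolved name.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError(f"{host} does not resolve")
    # Every answer must be public; a mixed answer is treated as hostile.
    for ip in ips:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return ips[0]


# Constructed resolver table standing in for DNS (hostnames are invented).
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "localtest.example": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example": ["8.8.8.8", "10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_safe(url: str) -> bool:
    """Boolean wrapper around the validator for quick checks."""
    try:
        validate_outbound_url(url, fake_resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/notify",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://metadata.internal/",
                      "http://hooks.example.com/"):
        print(candidate, "->", is_safe(candidate))
```

Two things the validator deliberately does not do: it does not follow redirects, so the HTTP client used afterwards must either disable redirects or re-run this check on each hop, and it does not allow plain http, because an https-only policy also closes the door on `file:`, `gopher:` and similar schemes some clients still accept.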
Security Misconfiguration
Misconfigured API security settings: missing security headers, unnecessary HTTP methods enabled, permissive CORS, verbose error me...
Improper Inventory Management
Organizations losing track of their API inventory: deprecated API versions still active, unpatched endpoints, debug endpoints expo...
Unsafe Consumption of APIs
Developers trusting data received from third-party APIs without validation. When integrating external APIs, developers often apply...
Detect OWASP Risks Automatically
Precogs AI maps every vulnerability to OWASP categories. Get instant visibility into your OWASP risk posture.