Task 1 of 2

What is OWASP?

OWASP (Open Worldwide Application Security Project) is a non-profit organisation that publishes free security research, tools, and standards. The most widely used output is the OWASP Top 10 — a list of the ten most critical web application security risks, updated every few years based on real vulnerability data from thousands of applications.

Security teams use it to prioritise what to test. Developers use it to know what to avoid. Employers expect you to know it. It is the baseline vocabulary of web security.

OWASP TOP 10 — 2021
A01: Broken Access Control
The #1 risk. Users reach data or actions they should not be allowed to — other users' accounts, admin panels, private files. Covers IDOR (insecure direct object references), missing authorisation checks, and privilege escalation.

A02: Cryptographic Failures
Passwords stored in plaintext or MD5, sensitive data sent over HTTP, API keys in source code, weak JWT secrets. The root cause of most large data breaches.

A03: Injection
User input reaches an interpreter without sanitisation — SQL, OS shell, LDAP, XML. The attacker's input becomes part of the command. Includes SQLi, XSS, and command injection.

A04: Insecure Design
The code works exactly as written — but the design is wrong. Negative prices, skipping payment steps, trusting the client for values the server should calculate. No scanner finds these.

A05: Security Misconfiguration
Default credentials never changed, debug mode left on in production, error pages showing stack traces, exposed .env files, unnecessary services open to the internet.

A06: Vulnerable & Outdated Components
Every dependency is a potential attack surface. Log4Shell (CVSS 10.0) and the Equifax breach both happened because teams did not apply patches for known CVEs in their libraries.

A07: Auth & Identification Failures
No rate limiting on login, weak passwords allowed, username enumeration, insecure password reset tokens, sessions not invalidated on logout. Attackers walk through the front door.

A08: Software & Data Integrity Failures
CSRF — forging requests using the victim's session. Also covers insecure CI/CD pipelines, unverified software updates, and deserialisation of untrusted data.

A09: Logging & Monitoring Failures
No record of failed logins, no alerts on brute force, no audit trail of who accessed what. Attackers operate for months — the average breach goes undetected for 194 days.

A10: Server-Side Request Forgery (SSRF)
The server fetches URLs on behalf of the user — including internal ones. Used to reach cloud metadata APIs (AWS credentials), internal admin panels, and services that should never be public.
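As an added illustration of A03 (example code written for this page, not part of the original task), the snippet below puts the vulnerable pattern beside its fix in Python against an in-memory SQLite table. The table contents, the function names and the regression check are constructed for the example.

```python
import sqlite3


# Constructed in-memory user table standing in for a real application database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("bob", "user"), ("carol", "admin")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """A03 in one line: the username is spliced into the SQL text, so a quote
    character in the input changes the statement the database interpreter runs."""
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    """The fix: a parameterised query. Statement and value travel separately,
    so the input can only ever be a value to compare against, never SQL."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_is_safe(lookup, conn):
    """Regression check a team can keep in its test suite: a lookup keyed on one
    username must return at most one row for any input, and must not raise on
    ordinary punctuation such as an apostrophe in a real name."""
    try:
        # A legitimate name containing an apostrophe must be handled, not crash.
        if lookup(conn, "o'brien") != []:
            return False
        # The textbook tautology must not widen the match beyond one row.
        return len(lookup(conn, "' OR '1'='1")) <= 1
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup safe?", lookup_is_safe(find_user_vulnerable, db))  # False
    print("fixed lookup safe?", lookup_is_safe(find_user_fixed, db))            # True
```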
1. What does OWASP stand for?

2. SQL injection falls under which OWASP Top 10 category?