OWASP Top 10 Vulnerabilities Explained with Real Examples

1. Broken Access Control

• What it is: Broken access control occurs when users can access unauthorized data or perform functions beyond their permissions by manipulating URLs, IDs, or authentication tokens.
• Real Example: An e-commerce customer changes their order ID in the URL from /order/1234 to /order/1235 and successfully views another customer’s complete order details, including personal address and payment information.
• Impact: Data breaches, unauthorized modifications, privilege escalation, and exposure of sensitive customer information.
• Prevalence: This vulnerability is found in approximately 94% of applications tested, making it the most common security risk.

2. Cryptographic Failures (formerly Sensitive Data Exposure)

• What it is: Weak encryption, missing encryption, or improper implementation of cryptographic controls that expose sensitive data during transmission or storage.
• Real Example: A healthcare portal transmits patient medical records over HTTP instead of HTTPS. An attacker on the same public WiFi network intercepts network traffic and reads confidential health information, including diagnoses and treatment plans.
• Impact: Identity theft, financial fraud, privacy violations, and substantial regulatory fines under GDPR or India’s Digital Personal Data Protection Act. While businesses face these risks, individuals should also understand how to protect their personal data from hackers.
• Prevalence: Cryptographic failures are detected in approximately 80% of applications during security assessments.

3. Injection (SQL, NoSQL, LDAP, OS Command)

• What it is: Malicious code or commands inserted through user input fields when applications fail to properly validate, sanitize, or escape data.
• Real Example: A hacker enters ' OR '1'='1 into a login form’s password field. This SQL injection statement bypasses authentication logic and grants immediate access to the admin dashboard without requiring valid credentials.
• Impact: Complete database compromise, unauthorized data access, data deletion, server takeover, and potential deployment of malware.
• Prevalence: Injection remains the most common attack vector, found in approximately 70% of web applications tested globally.

4. Insecure Design

• What it is: Fundamental security flaws embedded in the application architecture and design phase, representing missing or ineffective security controls rather than implementation bugs.
• Real Example: A mobile banking app allows unlimited login attempts without rate limiting or account lockout mechanisms. Hackers deploy automated bots that try millions of password combinations until they successfully breach customer accounts.
• Impact: Business logic bypass, fraud, system abuse, and exploitation that cannot be fixed through patching alone.
• New in 2021: This category emphasizes the critical importance of integrating security considerations from the initial design phase.

5. Security Misconfiguration

• What it is: Improperly configured security settings, unnecessary features enabled, default passwords unchanged, or verbose error messages revealing system information.
• Real Example: A company’s web server uses default admin/admin credentials and displays detailed stack traces when errors occur, revealing the exact framework version. Attackers exploit publicly known vulnerabilities specific to that outdated version.
• Impact: Full system compromise, information leakage, unauthorized access, and potential lateral movement within networks.
• Prevalence: Security misconfigurations are discovered in approximately 90% of applications during penetration testing engagements.

6. Vulnerable and Outdated Components

• What it is: Using software libraries, frameworks, plugins, or dependencies with known security flaws or missing security patches.
• Real Example: A WordPress site runs a three-year-old plugin with a critical remote code execution vulnerability. Automated bots continuously scan the internet, identify this vulnerable site, and inject cryptocurrency mining malware that consumes server resources.
• Impact: Remote code execution, complete website takeover, data theft, and serving malware to legitimate visitors.
• Common in: Research indicates 84% of applications use at least one component with known vulnerabilities.

7. Identification and Authentication Failures

• What it is: Weak password policies, missing multi-factor authentication, improper session management, or flawed credential recovery mechanisms.
• Real Example: A social media platform allows weak passwords like password123 and stores session tokens directly in URLs. An attacker uses credential stuffing attacks with previously leaked passwords and hijacks thousands of user accounts within hours.
• Impact: Account takeover, identity theft, unauthorized access to sensitive resources, and potential lateral movement.

• Prevention: Implementing multi-factor authentication can reduce account compromise risk by 99.9% according to industry research.

8. Software and Data Integrity Failures

• What it is: Code or data modified without proper verification, insecure CI/CD pipelines, or applications accepting updates from untrusted sources.
• Real Example: An application automatically downloads and installs updates from an unsecured update server. Hackers compromise the update distribution server and distribute a malicious version containing backdoors that install on all client systems.
• Impact: Supply chain attacks, widespread compromise across entire user bases, and persistent backdoor access.
• New in 2021: This category specifically addresses modern threats related to CI/CD pipeline security and software supply chains.

9. Security Logging and Monitoring Failures

• What it is: Insufficient logging, monitoring, and alerting mechanisms that prevent timely detection of security breaches and incidents.
• Real Example: A company’s system suffers a data breach but maintains minimal security logs. The attacker operates completely undetected for eight months, continuously exfiltrating customer data. When finally discovered, there’s insufficient forensic evidence to determine breach scope or methodology.
• Impact: Extended breach duration, regulatory penalties, inability to conduct forensic investigations, and unknown scope of compromise.
• Statistics: Industry research shows the average data breach goes undetected for 212 days before discovery.

10. Server-Side Request Forgery (SSRF)

• What it is: Exploiting application functionality to force the server to make HTTP requests to unintended internal or external locations.
• Real Example: An image upload feature accepts image URLs as input. An attacker provides an internal URL like http://localhost/admin forcing the server to fetch internal admin pages and expose them externally, bypassing network security controls.
• Impact: Internal network scanning, cloud metadata exposure (AWS credentials), access to internal systems, and bypassing firewalls.
• New in 2021: SSRF attacks have become increasingly common as organizations migrate to cloud infrastructure.