# OWASP Top 10 2021

The OWASP Top 10 is a standard awareness document for web application security. Available versions: 2025, 2021.

## Coverage

- Total rules: 0
- Critical rules: 0
- CWEs covered: 0

## Categories

### 1. Broken Access Control (A01:2021)

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data, or to performing a business function outside the user's limits.

- CWEs: 34
- Detection rules: 53
- Critical rules: 13

### 2. Cryptographic Failures (A02:2021)

Failures related to cryptography (or its absence) which often lead to exposure of sensitive data. This category was previously known as Sensitive Data Exposure, which described a symptom rather than the root cause.

- CWEs: 30
- Detection rules: 24
- Critical rules: 2

### 3. Injection (A03:2021)

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query, so that hostile data changes the meaning of what the interpreter executes. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

- CWEs: 33
- Detection rules: 49
- Critical rules: 16

### 4. Insecure Design (A04:2021)

Insecure design is a broad category representing different weaknesses, expressed as missing or ineffective control design. It is distinct from implementation flaws: a secure design can still have implementation defects, but an insecure design cannot be fixed by a perfect implementation because the needed control was never designed in.

- CWEs: 40
- Detection rules: 18
- Critical rules: 1

### 5. Security Misconfiguration (A05:2021)

The application might be vulnerable if it is missing appropriate security hardening, ships with default accounts or unnecessary features enabled, or has improperly configured permissions on cloud services.

- CWEs: 20
- Detection rules: 18

### 6. Vulnerable and Outdated Components (A06:2021)

Components such as libraries, frameworks, and other software modules run with the same privileges as the application. If a vulnerable component is exploited, the attack can facilitate serious data loss or server takeover.

- CWEs: 3
- Detection rules: 5

### 7. Identification and Authentication Failures (A07:2021)

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks such as credential stuffing, brute force, and session fixation.

- CWEs: 22
- Detection rules: 37
- Critical rules: 8

### 8. Software and Data Integrity Failures (A08:2021)

Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations: plugins, libraries, or modules pulled from untrusted sources, CI/CD pipelines or auto-update mechanisms without integrity verification, and insecure deserialization of untrusted data.

- CWEs: 10
- Detection rules: 11
- Critical rules: 3

### 9. Security Logging and Monitoring Failures (A09:2021)

Logging, detection, monitoring, and active response are what allow defenders to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.

- CWEs: 5
- Detection rules: 10

### 10. Server-Side Request Forgery (A10:2021)

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL, letting an attacker make the server send requests to destinations of their choosing, including internal hosts behind the firewall.

- CWEs: 1
- Detection rules: 4
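The following is an added worked example for category 1 (Broken Access Control); it is not code from the OWASP document or from the rule catalog described on this page. It shows the classic insecure-direct-object-reference shape, an authenticated handler that loads a record by id without asking whether the caller may see it, next to a deny-by-default object-level check. The `User`, `Invoice`, and `INVOICES` data are constructed for the demo.

```python
"""A01:2021 Broken Access Control: IDOR-style lookup beside an object-level
authorization check. Added example; users, invoices and roles are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (constructed role model)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


class Forbidden(Exception):
    """Raised for both 'no such record' and 'not yours', so the endpoint
    does not confirm which ids exist."""


# Constructed data store: invoice 101 belongs to user 1, 102 to user 2.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120),
    102: Invoice(102, owner_id=2, amount=950),
}


def get_invoice_vulnerable(requester: User, invoice_id: int) -> Invoice:
    # VULNERABLE: the caller is authenticated, but nothing checks whether
    # *this* user may read *this* invoice, so any logged-in user can walk ids.
    return INVOICES[invoice_id]


def can_read_invoice(requester: User, invoice: Invoice) -> bool:
    """Deny-by-default policy: only the owner or an admin may read."""
    if requester.role == "admin":
        return True
    return invoice.owner_id == requester.id


def get_invoice_safe(requester: User, invoice_id: int) -> Invoice:
    # FIXED: authorization is decided on the loaded object (record-level
    # check), after authentication and before any data leaves the handler.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(requester, invoice):
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def allowed(requester: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the record."""
    try:
        get_invoice_safe(requester, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = User(2, "user")
    print("vulnerable handler leaks alice's invoice:",
          get_invoice_vulnerable(bob, 101).amount)
    print("hardened handler, bob reading 101:", allowed(bob, 101))
    print("hardened handler, bob reading 102:", allowed(bob, 102))
```

The important design point is that the check runs on the object after it is loaded, not on the request parameters alone: ownership lives in the record, so that is where the decision has to be made.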
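An added worked example for category 2 (Cryptographic Failures), not code from the OWASP document or the catalog on this page: unsalted MD5 password storage next to a salted, memory-hard scrypt hash with constant-time verification. The storage format `scrypt$<salt>$<key>` and the scrypt cost parameters are assumptions chosen for the demo, not a prescribed standard; production deployments tune the cost to their hardware budget.

```python
"""A02:2021 Cryptographic Failures: weak password hashing beside a salted KDF.
Added example; the storage format and cost parameters are assumptions."""
import hashlib
import hmac
import os
from typing import Optional


def hash_password_weak(password: str) -> str:
    # WEAK (kept only as the 'before'): unsalted, fast, and identical for
    # identical passwords, so rainbow tables and cross-user matching work.
    return hashlib.md5(password.encode()).hexdigest()


# scrypt cost parameters, assumed for the demo (16 MiB work per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<hex salt>$<hex key>' with a fresh 16-byte random salt.

    A per-user salt means two users with the same password store different
    values, and a memory-hard KDF makes offline guessing expensive."""
    salt = os.urandom(16) if salt is None else salt
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.

    Malformed or foreign records verify as False rather than raising, so an
    attacker cannot distinguish 'bad format' from 'wrong password'."""
    try:
        algo, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
```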
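An added worked example for category 3 (Injection), not code from the OWASP document or the catalog on this page. It builds a SQL query by string formatting, feeds it the classic tautology payload, and shows the same lookup with a bound parameter, where the interpreter never parses the untrusted value as SQL. The `users` table and its rows are constructed for the demo; the payload is a well-known generic one, not tied to any particular product.

```python
"""A03:2021 Injection: string-built SQL beside its parameterized fix.
Added example; schema, rows and payload are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the untrusted value is spliced into the SQL text, so a
    # quote inside `name` closes the literal and the rest becomes SQL.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # FIXED: the value is bound as a parameter; the query structure is
    # fixed at parse time and quotes are just characters in the string.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed attacker input: turns "name = '...'" into a tautology.
PAYLOAD = "' OR '1'='1"


def demo(payload: str = PAYLOAD) -> tuple:
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = make_db()
    return len(find_user_vulnerable(conn, payload)), len(find_user_safe(conn, payload))


if __name__ == "__main__":
    n_vuln, n_safe = demo()
    print(f"vulnerable query returned {n_vuln} rows; parameterized returned {n_safe}")
```

The parameterized form is the fix for the whole class, not just for this payload: escaping quotes would only chase one grammar, while binding keeps data and code on separate channels regardless of what the interpreter accepts.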
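An added worked example for category 10 (Server-Side Request Forgery), not code from the OWASP document or the catalog on this page. It validates a user-supplied URL before the server would fetch it: scheme allowlist, no embedded credentials, host allowlist, and a check that every address the host resolves to is publicly routable, since one internal address in the answer is enough for the fetcher to end up there. The host allowlist, the stub resolver (standing in for `socket.getaddrinfo` so the example runs offline, with one allowlisted name deliberately pointing at the link-local metadata range), and all URLs are constructed for the demo.

```python
"""A10:2021 SSRF: validating a user-supplied URL before fetching it.
Added example; allowlist, stub resolver and URLs are constructed."""
import ipaddress
from typing import Callable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # constructed allowlist


def resolve_stub(host: str) -> List[str]:
    """Constructed resolver. cdn.example.com is 'poisoned' with a link-local
    address to simulate DNS pointing an allowlisted name at internal space."""
    table = {
        "api.example.com": ["8.8.8.8"],
        "cdn.example.com": ["1.1.1.1", "169.254.169.254"],
    }
    return table.get(host, [])


def is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def check_url(url: str, resolve: Callable[[str], List[str]] = resolve_stub) -> str:
    """Return the canonical host if `url` may be fetched; raise ValueError if not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # 'https://api.example.com@169.254.169.254/' parses the allowlisted name
    # as a username; rejecting credentials closes that confusion outright.
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    addrs = resolve(host)
    # Reject if *any* answer is non-public: the client library, not this
    # check, decides which address gets used for the connection.
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError(f"{host} resolves to a non-public address")
    return host


def is_fetchable(url: str) -> bool:
    try:
        check_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/data",
              "http://localhost:8080/",
              "file:///etc/passwd",
              "https://api.example.com@169.254.169.254/",
              "https://cdn.example.com/asset.js"):
        print(f"{is_fetchable(u)!s:5}  {u}")
```

Validation alone still leaves a window between resolution and connection (DNS rebinding); the usual complement is to connect to the address that was checked rather than re-resolving, and to disable redirect following or re-run the check on each redirect target.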