OWASP Top 10 for 2024: What Every Dev Team Must Know

The OWASP Top 10 is the most widely referenced security framework in web development. Understanding it is not optional — these are the vulnerabilities that attackers actually exploit. Here is a practical breakdown with testing guidance for each.

What is OWASP and Why Does it Matter?

The Open Worldwide Application Security Project (OWASP) publishes a list of the ten most critical security risks to web applications. Updated regularly based on real-world breach data, the OWASP Top 10 is the starting point for any serious security testing programme.

Every QA engineer working on web applications should be familiar with these risks — not just security specialists. Many of these vulnerabilities can be found with basic testing techniques.

The OWASP Top 10 — Explained and How to Test Each

1. Broken Access Control

Users are able to access resources or perform actions they should not be permitted to. This is the most commonly found vulnerability. Test by logging in as a low-privilege user and attempting to reach admin-only endpoints or other users' data, or to perform restricted actions.

🔍 Quick test: After logging in as User A, copy a URL for User A's private resource. Log out, log in as User B, and paste the URL. Can User B access it?

2. Cryptographic Failures

Sensitive data transmitted or stored without adequate encryption. Check that all sensitive data is transmitted over HTTPS, passwords are stored as hashes (not plaintext), and sensitive data is not exposed in logs, URLs, or error messages.

3. Injection

Untrusted data is sent to an interpreter as part of a command or query. SQL injection is the classic example. Test all input fields with basic injection payloads using OWASP ZAP or Burp Suite. Look for error messages that expose database structure or unexpected application behaviour.

-- Basic SQL injection test payloads
' OR '1'='1
' OR '1'='1' --
' UNION SELECT null,null,null--
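Added example (not code from the original article) showing why the first and third payloads above produce the symptoms the text describes: a lookup that concatenates input into the query is placed beside its parameterized fix, and both are run against a constructed in-memory SQLite table. The table, user names and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real application).
SAMPLE_USERS = [("alice", "hash-a"), ("bob", "hash-b")]

# Payloads taken from the list above.
TAUTOLOGY = "' OR '1'='1"
UNION_PROBE = "' UNION SELECT null,null,null--"

def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, username: str) -> list:
    """Untrusted input is pasted into the SQL text, so quotes in the
    input rewrite the query instead of being matched as data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username: str) -> list:
    """The value is bound as a parameter; SQLite never parses it as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def probe(lookup, value: str) -> tuple:
    """Run one lookup with one input. Returns ('rows', [...]) on success or
    ('error', message) when the database rejects the query, which is the
    kind of verbose failure a tester watches for in error responses."""
    conn = make_db()
    try:
        return ("rows", lookup(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    finally:
        conn.close()

def run_check() -> dict:
    """Compare both implementations against a normal value and both payloads."""
    cases = [("normal", "alice"), ("tautology", TAUTOLOGY), ("union", UNION_PROBE)]
    return {
        label: {
            "vulnerable": probe(lookup_vulnerable, value),
            "parameterized": probe(lookup_parameterized, value),
        }
        for label, value in cases
    }

if __name__ == "__main__":
    for label, outcome in run_check().items():
        print(label, outcome)
```

The tautology payload makes the vulnerable lookup return every row, and the UNION probe makes it raise a column-count error that leaks query shape, while the parameterized version returns no rows for either input.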

4. Insecure Design

Security flaws built into the architecture, not just the implementation. Review workflows for missing rate limiting, lack of account lockout on failed login attempts, or business logic that can be manipulated (e.g., negative quantities in a shopping cart).

5. Security Misconfiguration

Default credentials left enabled, unnecessary features turned on, verbose error messages exposed. Check for default admin credentials, exposed configuration files, and verbose stack traces in error responses.

6. Vulnerable and Outdated Components

Using libraries or frameworks with known vulnerabilities. Run dependency audits regularly. Tools like npm audit, OWASP Dependency Check, or Snyk can identify vulnerable components automatically.

7. Identification and Authentication Failures

Weak authentication mechanisms that allow account compromise. Test password policies, session timeout behaviour, account lockout after failed attempts, and whether session tokens are properly invalidated on logout.

8. Software and Data Integrity Failures

Code and data that are not protected against integrity violations. Verify that software updates, critical data, and CI/CD pipelines use digital signatures and integrity checks.

9. Security Logging and Monitoring Failures

Insufficient logging means breaches go undetected. Verify that failed logins, access control failures, and input validation failures are logged with enough detail to reconstruct what happened.

10. Server-Side Request Forgery (SSRF)

The server can be tricked into making requests to internal resources. Test any feature that takes a URL as input — image upload from URL, webhook configuration, etc. — by providing internal IP addresses or localhost URLs.

Getting Started with Security Testing

You do not need to be a security expert to start. OWASP ZAP is a free, powerful tool that can automatically scan your application for many of these vulnerabilities. Burp Suite Community Edition is excellent for manual testing and intercepting requests.

Start with automated scanning on a test environment, review the findings with your development team, and build a process for including security checks in every release cycle.

📌 Key takeaway: Security testing does not need to be a separate, occasional activity. Incorporate basic OWASP checks into your regular test cycles and you will catch the vast majority of common vulnerabilities before they reach production.
