OWASP_MAP/ Industry standard

OWASP Top 10 — 2021

The ten most critical categories of web application risk, ranked from data contributed on roughly 500,000 applications plus a community survey. Each card maps to a hands-on module where one exists, or a reference summary otherwise.

A01
critical

Broken Access Control

Facebook 2018 — a bug in the "View As" feature leaked access tokens, enabling takeover of ~50M accounts (later revised to ~30M).

Tested in 94% of applications with a 3.81% average incidence rate; its 34 mapped CWEs had more occurrences than any other category.
Open BAC module
A02
high

Cryptographic Failures

Equifax 2017 — 147M records exfiltrated over 76 days through an unpatched Apache Struts host (CVE-2017-5638); an expired certificate on the TLS-inspection appliance meant the outbound traffic went uninspected the whole time.

Renamed from "Sensitive Data Exposure" (a symptom) in 2021 to name the root cause, missing or weak cryptography in transit and at rest; exposure of personal data remains a leading basis for regulatory fines.
Reference only
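The classic A02 failure beside its fix, as an added example (not code from the original page): a fast, unsalted hash for stored passwords next to a memory-hard KDF with a per-user salt and a constant-time compare. The passwords and the record format (`scrypt$N$r$p$salt$digest`) are constructed for illustration.

```python
"""Password storage: the A02 failure beside its fix.

Added example for the A02 card, not code from the original page. The
passwords and the record format ("scrypt$N$r$p$salt$digest") are
constructed for illustration.
"""
import hashlib
import hmac
import os


def weak_hash(password: str) -> str:
    """The failure: a fast, unsalted hash. Every user with the same
    password gets the same digest, and SHA-256 runs fast enough that a
    leaked table falls to a wordlist in minutes."""
    return hashlib.sha256(password.encode()).hexdigest()


# scrypt cost: N=2**14, r=8, p=1 uses 16 MiB and fits hashlib's default
# maxmem; raise N as the login path's latency budget allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str, salt: bytes = None) -> str:
    """The fix: memory-hard KDF with a random per-user salt, parameters
    stored beside the digest so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters; compare in constant time so
    the comparison itself does not leak how long a prefix matched."""
    try:
        alg, n, r, p, salt_hex, digest_hex = record.split("$")
        if alg != "scrypt":
            return False
        expected = hashlib.scrypt(password.encode(),
                                  salt=bytes.fromhex(salt_hex),
                                  n=int(n), r=int(r), p=int(p),
                                  dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(expected.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed users who happen to share a password.
    pw = "Summer2024!"
    print("weak digests equal:", weak_hash(pw) == weak_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("scrypt records equal:", a == b)  # different salts
    print("verify correct:", verify_password(pw, a))
    print("verify wrong:", verify_password("summer2024!", a))
```

Two users with the same password produce identical `weak_hash` digests, so one cracked row cracks them all; the scrypt records differ per user and keep their cost parameters, which is what lets a team raise N later without a forced reset.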
A03
critical

Injection

British Airways 2018 — a Magecart skimmer inserted into a JavaScript library served by the BA site harvested ~380K payment cards (client-side script injection; XSS folds into A03 since 2021, and the tampered script also fits A08).

Tested in 94% of applications, with a 3% average and 19% maximum incidence rate; Cross-site Scripting now counts as Injection.
Open SQLi & CmdInj
A04
high

Insecure Design

Snapchat 2014 — the find_friend API let anyone enumerate phone numbers against usernames; 4.6M username/number pairs were dumped.

A perfect implementation can't fix a flawed design: the missing controls were never specified, so code review has nothing to find.
See upload design
A05
high

Security Misconfiguration

Capital One 2019 — SSRF through a misconfigured WAF host reached the EC2 metadata service; the host's over-permissioned IAM role then exposed ~106M customer records in S3.

Tested in 90% of applications with a 4% average incidence rate; the shift to highly configurable software keeps this category growing.
Reference only
A06
high

Vulnerable Components

Log4Shell 2021 — a JNDI lookup in Log4j 2 (CVE-2021-44228) turned a single logging dependency into mass unauthenticated RCE across the internet.

Industry surveys (e.g. Synopsys OSSRA) put the average codebase at ~500 open-source components, most of them transitive and often unknown to the team that ships them.
Reference only
A07
critical

Identification & Auth Failures

Dunkin' 2019 — credential stuffing with passwords reused from other breaches exposed thousands of DD Perks accounts; New York's Attorney General sued over the delayed response.

Credential stuffing is the most common automated attack on login endpoints; the controls are MFA, rate limits per IP and per account, and checking passwords against breach corpora.
Open Auth module
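Detection logic for the attack the A07 card describes, as an added example (not code from the original page or the auth module): stuffing shows up as one source failing against many distinct usernames in a short window, where brute force fails against one username many times. The log format (`<epoch> <client_ip> <username> <outcome>`) and the sample lines are constructed.

```python
"""Credential-stuffing detector over constructed login-log lines.

Added example for the A07 card; not code from the original page or from
any vendor. The log format is an assumption: one line per attempt,
`<epoch> <client_ip> <username> <outcome>`.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one IP spraying leaked passwords across many
# accounts (stuffing), one user mistyping their own password twice.
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank SUCCESS
1700000010 198.51.100.4 grace FAIL
1700000011 198.51.100.4 grace FAIL
1700000012 198.51.100.4 grace SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    ts: int
    ip: str
    user: str
    ok: bool


def parse(log: str) -> list:
    """Parse the constructed format into Attempt records."""
    attempts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(Attempt(int(ts), ip, user, outcome == "SUCCESS"))
    return attempts


def stuffing_sources(attempts, window=60, min_users=5):
    """Return {ip: set(users)} for IPs that failed against at least
    `min_users` distinct usernames within any `window`-second span.

    The signal is breadth, not depth: brute force hits one account many
    times, stuffing hits many accounts roughly once each.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        if not a.ok:
            by_ip[a.ip].append(a)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(fails)):  # sliding window over failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {a.user for a in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def compromised_accounts(attempts, flagged):
    """Successes from a flagged IP are the accounts whose reused
    passwords worked; they need a forced reset, not just an IP block."""
    return sorted(a.user for a in attempts if a.ok and a.ip in flagged)


if __name__ == "__main__":
    atts = parse(SAMPLE_LOG)
    bad = stuffing_sources(atts)
    print("stuffing sources:", bad)
    print("accounts to reset:", compromised_accounts(atts, bad))
```

Thresholds are tuning knobs: a NAT gateway fronting a campus will legitimately fail against many usernames, so in production key the window on a request fingerprint or ASN as well as the IP, and treat the successes from a flagged source as the real output, since blocking the IP after the fact does nothing for the accounts already opened.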
A08
high

Software & Data Integrity

SolarWinds 2020 — the Orion build pipeline was compromised, so the backdoored update carried a valid SolarWinds signature and was fetched by ~18K organizations.

Sonatype's 2022 report found a 742% average annual increase in software supply-chain attacks over the preceding three years.
JWT integrity tab
A09
medium

Security Logging & Monitoring

In Mandiant's M-Trends data, more than half of intrusions are first detected by an outside party rather than the victim's own monitoring.

Median global dwell time was 16 days in Mandiant's M-Trends 2023 (covering 2022 intrusions).
Reference only
A10
high

Server-Side Request Forgery

Capital One 2019 — SSRF against a WAF host fetched IAM role credentials from the EC2 metadata endpoint (169.254.169.254), which then listed and copied S3 buckets.

Added in 2021 from the Top 10 community survey, where it ranked #1, despite a low incidence rate in the contributed data.
Reference only
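The control that breaks the Capital One chain referenced by both the A05 and A10 cards, as an added example (not code from the original page or from AWS): a destination check for a server-side URL fetcher that resolves the hostname and rejects any address in link-local, loopback or private space, so neither `169.254.169.254` nor a hostname that resolves to it is reachable. It assumes a hypothetical fetch endpoint that receives a user-supplied URL, and takes the resolver as a parameter (same signature as `socket.getaddrinfo`) so it can run offline against the constructed DNS table below.

```python
"""Destination check for a server-side URL fetcher (the A05/A10 pattern).

Added example, not code from the original page or from AWS. It assumes a
hypothetical fetch endpoint that receives a user-supplied URL, and takes
the resolver as a parameter (same signature as socket.getaddrinfo) so
the check can run offline against the constructed DNS table below.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# 169.254.0.0/16 covers the EC2 instance metadata service at
# 169.254.169.254; the other ranges stop pivots into the VPC or onto
# the host itself.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def _addresses(host, resolver):
    """Every address the name resolves to, as ipaddress objects."""
    infos = resolver(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def ssrf_safe_target(url, resolver=socket.getaddrinfo):
    """Return (ok, reason). Resolve first and judge every address: a
    hostname is free to point at 169.254.169.254, so string-matching
    the URL is not a defence."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if not parts.hostname:
        return False, "no host"
    try:
        addrs = _addresses(parts.hostname, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        # ::ffff:169.254.169.254 is the same target in IPv6 clothing.
        probe = getattr(addr, "ipv4_mapped", None) or addr
        if any(probe in net for net in BLOCKED_NETS):
            return False, f"{parts.hostname} resolves to blocked {addr}"
    return True, "ok"


# Constructed DNS table standing in for real resolution.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    # A public record plus the metadata IP: the rebinding trick.
    "rebind.attacker.example": ["203.0.113.20", "169.254.169.254"],
}


def fake_getaddrinfo(host, port, family=0, type=0, proto=0, flags=0):
    """socket.getaddrinfo stand-in: IP literals resolve to themselves,
    names come from FAKE_DNS, anything else raises like the real one."""
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"no such host: {host}")
        ips = FAKE_DNS[host]
    return [(family, type, proto, "", (ip, port or 0)) for ip in ips]


if __name__ == "__main__":
    for u in ("https://api.example.com/report",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://rebind.attacker.example/",
              "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd"):
        print(u, "->", ssrf_safe_target(u, fake_getaddrinfo))
```

Two caveats a practitioner would add. The check resolves once and the HTTP client resolves again, so a short-TTL record can pass here and rebind to the metadata IP at connect time; connect to the vetted address and set the Host header yourself, or route fetches through an egress proxy that applies the same policy. And fix the cloud side too: IMDSv2 requires a PUT to obtain a session token before any metadata read and defaults to a hop limit of 1, so a GET-only SSRF primitive gets nothing, and the role the host assumes should be scoped to the buckets it actually needs (the A05 half of the chain).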