A01:2021 – Broken Access Control
Risk Level: Critical
Description: Users can act outside their intended permissions, accessing unauthorized functionality or data.
Common Vulnerabilities:
• Bypassing access control checks by modifying URLs, internal application state, or HTML
• Viewing or editing someone else's account by providing its unique identifier
• Accessing an API with missing access controls for POST, PUT and DELETE
• Elevation of privilege (acting as a user without being logged in, or as an admin when logged in as a user)
Quick Fixes:
• Deny by default – except for public resources
• Implement access control mechanisms once and re-use them throughout the application
• Enforce record ownership rather than accepting that a user can create, read, update or delete any record
• Log access control failures, alert admins when appropriate
• Rate limit API calls to minimize the harm from automated attacks
// Example: Check user authorization before accessing resource (inside a request handler;
// the check includes the record id so that ownership is enforced, not just the role)
if (!currentUser.hasPermission('edit_post', postId)) {
return res.status(403).json({ error: 'Forbidden' });
}
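A fuller version of that check, written here as an added example (not code from the cheat sheet): one central policy that denies anything not explicitly listed, enforces record ownership, and returns a failure record for logging. The roles, actions and records are hypothetical.

```javascript
// Added example (not from the original cheat sheet): a deny-by-default
// authorization check that also enforces record ownership. Roles, actions
// and records are hypothetical and constructed for this example.

// Central policy: action -> predicate over (user, record). A Map rather than
// a plain object so that names like "constructor" cannot match a prototype
// property; anything not listed here is denied (deny by default).
const POLICY = new Map([
  ['read_post',   (u, p) => p.published || p.ownerId === u.id || u.role === 'admin'],
  ['edit_post',   (u, p) => p.ownerId === u.id || u.role === 'admin'],
  ['delete_post', (u, p) => u.role === 'admin'],
]);

// Single reusable check: true only if a rule exists and explicitly grants access.
function isAuthorized(user, action, record) {
  if (!user || !record) return false;           // not logged in, or no such record
  const rule = POLICY.get(action);
  if (typeof rule !== 'function') return false; // unknown action -> deny
  return rule(user, record) === true;
}

// Handler-side wrapper: the HTTP status to send, plus a failure record to
// log (access control failures are worth alerting on).
function authorize(user, action, record) {
  if (isAuthorized(user, action, record)) return { status: 200 };
  return {
    status: user ? 403 : 401,
    log: { event: 'access_denied', userId: user ? user.id : null, action, recordId: record ? record.id : null },
  };
}

// Constructed sample data.
const alice = { id: 1, role: 'user' };
const bob   = { id: 2, role: 'user' };
const admin = { id: 99, role: 'admin' };
const draft = { id: 10, ownerId: 1, published: false };

console.log(authorize(alice, 'edit_post', draft).status);   // 200: owner
console.log(authorize(bob, 'edit_post', draft).status);     // 403: not the owner
console.log(authorize(null, 'read_post', draft).status);    // 401: not logged in
console.log(authorize(alice, 'export_post', draft).status); // 403: no rule for this action
```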
A02:2021 – Cryptographic Failures
Risk Level: High
Description: Sensitive data exposed due to lack of encryption or weak cryptographic implementation.
Common Vulnerabilities:
• Transmitting data in clear text (HTTP, FTP, SMTP)
• Using old or weak cryptographic algorithms
• Default or weak crypto keys in use
• Improper certificate validation
• Passwords stored without proper hashing
Quick Fixes:
• Always use TLS/HTTPS for transmitting sensitive data
• Encrypt all data at rest containing sensitive information
• Use strong, up-to-date algorithms (AES-256, RSA-2048+)
• Hash passwords with bcrypt, scrypt, or Argon2
• Disable caching for responses containing sensitive data
// Example: Proper password hashing with bcrypt (await must run inside an async function)
const bcrypt = require('bcrypt');
const saltRounds = 10; // work factor; bcrypt generates a random salt per hash

async function hashPassword(password) {
  return bcrypt.hash(password, saltRounds);
}
A03:2021 – Injection
Risk Level: Critical
Description: Untrusted data sent to an interpreter as part of a command or query (SQL, NoSQL, OS commands, LDAP).
Common Vulnerabilities:
• SQL Injection (SQLi)
• NoSQL Injection
• OS Command Injection
• LDAP Injection
• Expression Language (EL) or OGNL Injection
Quick Fixes:
• Use parameterized queries (prepared statements)
• Use ORM frameworks that automatically escape inputs
• Validate and sanitize all user inputs
• Use whitelist input validation
• Escape special characters for specific interpreters
// BAD: Vulnerable to SQL injection
query = "SELECT * FROM users WHERE username = '" + username + "'";
// GOOD: Using parameterized query
query = "SELECT * FROM users WHERE username = ?";
stmt = connection.prepareStatement(query);
stmt.setString(1, username);
A04:2021 – Insecure Design
Risk Level: High
Description: Missing or ineffective control design, different from insecure implementation.
Quick Fixes:
• Establish secure development lifecycle with security professionals
• Use threat modeling for critical authentication, access control, business logic
• Integrate security language and controls into user stories
• Write unit and integration tests to validate that all critical flows are resistant to the threat model
• Segregate tiers at the system and network layer
A05:2021 – Security Misconfiguration
Risk Level: High
Description: Insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers.
Common Vulnerabilities:
• Missing security hardening across application stack
• Unnecessary features enabled (ports, services, pages, accounts, privileges)
• Default accounts and passwords still enabled
• Error handling reveals stack traces or overly informative error messages
• Latest security features disabled or not configured securely
Quick Fixes:
• Remove or disable unused features, frameworks, documentation, samples
• Implement segmented application architecture
• Send security directives to clients (security headers)
• Automate verification of configurations in all environments
• Keep all frameworks, libraries, and dependencies updated
A06:2021 – Vulnerable and Outdated Components
Risk Level: High
Description: Using components with known vulnerabilities.
Quick Fixes:
• Remove unused dependencies, features, files, and documentation
• Continuously inventory versions of components (client and server-side)
• Monitor sources like CVE and NVD for vulnerabilities
• Only obtain components from official sources over secure links
• Monitor for unmaintained libraries and components
# Check for vulnerable npm packages
npm audit
# Update vulnerable packages within their current semver range
npm audit fix
# Also apply fixes that require semver-major upgrades (can introduce breaking changes; review before committing)
npm audit fix --force
A07:2021 – Identification and Authentication Failures
Risk Level: Critical
Description: Weaknesses in authentication and session management.
Common Vulnerabilities:
• Permits automated attacks such as credential stuffing
• Permits brute force or other automated attacks
• Permits default, weak, or well-known passwords
• Uses weak credential recovery processes
• Exposes session identifiers in the URL
• Session IDs not properly invalidated
Quick Fixes:
• Implement multi-factor authentication
• Do not ship or deploy with default credentials
• Check new passwords against lists of weak or well-known passwords
• Limit or delay failed login attempts (rate limiting)
• Use server-side, secure, built-in session managers
• Regenerate session IDs after login
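An added example (not from the cheat sheet) of the "limit or delay failed login attempts" fix: a per-account throttle that allows a few free failures and then imposes an exponentially growing delay, with the counter cleared on success. The thresholds and in-memory state are assumptions; a real deployment would share the state across instances and also throttle per source address.

```javascript
// Added example (not from the original cheat sheet): throttling failed logins
// per account. Thresholds and the in-memory Map are assumptions for illustration.
const MAX_FREE_FAILURES = 5;            // failures allowed before delays start
const BASE_DELAY_MS = 1000;             // first delay; doubles on each further failure
const MAX_DELAY_MS = 15 * 60 * 1000;    // cap so an attacker cannot lock a user out for days
const RESET_AFTER_MS = 60 * 60 * 1000;  // forget failures after an hour of quiet

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;             // injectable clock for testing
    this.state = new Map();     // account -> { failures, blockedUntil, lastFailure }
  }

  // Call before checking the password. Returns { allowed: true } or
  // { allowed: false, retryAfterMs }. The HTTP response should stay generic
  // (e.g. 429 with Retry-After) and not reveal whether the account exists.
  check(account) {
    const s = this.state.get(account);
    if (!s) return { allowed: true };
    if (this.now() - s.lastFailure > RESET_AFTER_MS) {
      this.state.delete(account);
      return { allowed: true };
    }
    const wait = s.blockedUntil - this.now();
    return wait > 0 ? { allowed: false, retryAfterMs: wait } : { allowed: true };
  }

  // Record a failed attempt and compute the next block window.
  recordFailure(account) {
    const s = this.state.get(account) || { failures: 0, blockedUntil: 0, lastFailure: 0 };
    s.failures += 1;
    s.lastFailure = this.now();
    const over = s.failures - MAX_FREE_FAILURES;
    if (over > 0) {
      const delay = Math.min(BASE_DELAY_MS * 2 ** (over - 1), MAX_DELAY_MS);
      s.blockedUntil = s.lastFailure + delay;
    }
    this.state.set(account, s);
    return s.failures;
  }

  // Successful login clears the counter; regenerate the session id at this point too.
  recordSuccess(account) {
    this.state.delete(account);
  }
}
```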
A08:2021 – Software and Data Integrity Failures
Risk Level: High
Description: Code and infrastructure that does not protect against integrity violations.
Quick Fixes:
• Use digital signatures to verify software or data from expected source
• Ensure libraries and dependencies are from trusted repositories
• Use software supply chain security tools (OWASP Dependency Check, Snyk)
• Ensure proper segregation and configuration of CI/CD pipeline
• Ensure unsigned or unencrypted serialized data is not sent to untrusted clients
A09:2021 – Security Logging and Monitoring Failures
Risk Level: Medium
Description: Insufficient logging, detection, monitoring, and response capabilities.
Quick Fixes:
• Log all login, access control, and server-side input validation failures
• Ensure logs are in a format easily consumed by log management solutions
• Ensure high-value transactions have an audit trail with integrity controls
• Establish effective monitoring and alerting
• Establish an incident response and recovery plan
A10:2021 – Server-Side Request Forgery (SSRF)
Risk Level: High
Description: A web application fetches a remote resource without validating the user-supplied URL.
Quick Fixes:
• Sanitize and validate all client-supplied input data
• Enforce URL schema, port, and destination with positive allow list
• Do not send raw responses to clients
• Disable HTTP redirections
• Segment remote resource access functionality in separate networks
// Example: Validate URL before fetching (new URL() throws on unparseable input;
// pair this hostname check with scheme and port checks, per the fixes above)
const allowedDomains = ['api.example.com', 'trusted.com'];
const url = new URL(userInput);
if (!allowedDomains.includes(url.hostname)) {
throw new Error('Domain not allowed');
}
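A complete version of that check, added here as an example that is not part of the cheat sheet: a positive allow list covering scheme, port and destination, plus a fetch wrapper that refuses to follow redirects. The allow list entries and the reason strings are constructed for this example.

```javascript
// Added example (not from the original cheat sheet): positive allow list for
// outbound requests covering scheme, port and destination. Entries are constructed.
const OUTBOUND_ALLOW_LIST = [
  { hostname: 'api.example.com', protocol: 'https:', port: 443 },
  { hostname: 'trusted.com',     protocol: 'https:', port: 443 },
];

// Returns { ok: true, url } with the normalized URL to fetch, or
// { ok: false, reason }. Anything not explicitly allowed is rejected.
function validateOutboundUrl(userInput) {
  let url;
  try {
    url = new URL(String(userInput));
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  // URL leaves .port empty for the scheme default, so resolve the effective port.
  const port = url.port ? Number(url.port) : { 'https:': 443, 'http:': 80 }[url.protocol];
  const match = OUTBOUND_ALLOW_LIST.find(
    (e) => e.hostname === url.hostname && e.protocol === url.protocol && e.port === port,
  );
  if (!match) return { ok: false, reason: 'destination not on allow list' };
  return { ok: true, url: url.href };
}

// Fetch wrapper that applies the check and does not follow redirects, so an
// allowed host cannot bounce the request to a disallowed destination.
// (global fetch is Node 18+; the validation itself does not depend on it.)
async function fetchAllowed(userInput) {
  const v = validateOutboundUrl(userInput);
  if (!v.ok) throw new Error(`blocked outbound request: ${v.reason}`);
  return fetch(v.url, { redirect: 'error' });
}
```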