LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What is the OWASP Top 10 and what is it for?

A community-maintained list of the ten most critical web application security risks, updated every few years by the Open Web Application Security Project.

It is the closest thing the industry has to a "minimum bar" checklist for web-app security. The 2017 list (the version most courses still reference) was:

  1. A1 Injection (SQLi, OS-command, LDAP, …)
  2. A2 Broken Authentication
  3. A3 Sensitive Data Exposure
  4. A4 XML External Entities (XXE)
  5. A5 Broken Access Control
  6. A6 Security Misconfiguration
  7. A7 Cross-Site Scripting (XSS)
  8. A8 Insecure Deserialization
  9. A9 Using Components with Known Vulnerabilities
  10. A10 Insufficient Logging & Monitoring

A separate Mobile Top 10 exists for mobile-app risks.

Tip: It's a risk list, not a vulnerability list — entries describe categories of weakness, not specific CVEs. Pen-test reports and bug-bounty triage almost always reference it.

Link: https://owasp.org/www-project-top-ten/

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026