A1: Broken Access Control
Users can perform actions or access data beyond their permissions, often by simply manipulating a URL or an API request. Attackers can exploit these flaws to view sensitive files, modify other users' data, or change access rights.
Prevention:
Enforce authorization checks on the server for every single request to secure resources.
A2: Cryptographic Failures
Sensitive data, like passwords or user details, is stored or transmitted in plaintext or with weak, outdated encryption. This often leads to exposure if the database is compromised, as passwords were not properly hashed and salted.
Prevention:
Hash and salt all passwords using a strong algorithm like bcrypt. Use TLS for data in transit.
A3: Injection
User-supplied data is not sanitized and is passed directly to an interpreter (like a database), allowing malicious code execution. Flaws like SQL, NoSQL, and OS injection trick the interpreter into running unintended commands.
Prevention:
Use parameterized queries or proven sanitization libraries. Never trust user input.
A4: Insecure Design
Security is not a foundational part of the application's architecture, leading to systemic, hard-to-fix vulnerabilities. This broad category covers a failure to determine what level of security design is required for the application.
Prevention:
Use threat modeling during the design phase and adopt secure design patterns from the start.
A5: Security Misconfiguration
Relying on insecure default settings, having overly permissive permissions, or showing verbose error messages that leak information. This is commonly a result of incomplete configurations, open cloud storage, and misconfigured HTTP headers.
Prevention:
Harden configurations, disable unused features, and use generic error messages.
A6: Vulnerable Components
Your app is only as strong as its weakest link. Outdated dependencies are a primary attack vector. If you use a library or framework with a known vulnerability, you are putting your entire application at risk.
Prevention:
Regularly scan dependencies with tools like `npm audit` and keep them updated.
A7: Identification & Auth Failures
Weaknesses in user identity management, such as allowing weak passwords, not limiting login attempts, or poor session handling. This can include not invalidating session IDs on logout, making accounts vulnerable to brute-force attacks.
Prevention:
Enforce strong password policies, use rate limiting, and invalidate sessions on logout.
A8: Software & Data Integrity
Relying on software or data from plugins, libraries, or CI/CD pipelines without verifying their source and integrity. This focuses on making assumptions related to software updates and dependencies without verifying their digital signatures.
Prevention:
Verify software signatures. Ensure your CI/CD pipeline pulls from secure, trusted registries.
A9: Logging & Monitoring Failures
Insufficient logging and lack of active monitoring makes it nearly impossible to detect suspicious activity or respond to a breach in time. Without sufficient logging, it is difficult to detect a breach, understand its scope, or perform forensic analysis.
Prevention:
Log all security-relevant events and use monitoring tools to audit logs for anomalies.
A10: Server-Side Request Forgery
An attacker tricks the server into making requests to an unintended resource, often to probe internal networks or access cloud metadata. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or VPN.
Prevention:
Whitelist allowed domains. Never blindly make requests to user-supplied URLs.