🛡️ OWASP Top 10 — Web, API & LLM
The complete OWASP Top 10 reference covering all three domains. For each vulnerability: what it is, why it happens, and how to fix it.
🌐 Web Application Top 10 (2025)
The flagship OWASP Top 10 for web apps. The 2025 edition adds Supply Chain Failures and Mishandling of Exceptional Conditions, merges SSRF into Broken Access Control, and elevates Security Misconfiguration to #2.
| 2025 | Category | 2021 | Change |
|---|---|---|---|
| A01 | Broken Access Control | A01+A10 | SSRF merged in |
| A02 | Security Misconfiguration | A05 | ⬆️ +3 |
| A03 | Supply Chain Failures | — | 🆕 New |
| A04 | Cryptographic Failures | A02 | ⬇️ -2 |
| A05 | Injection | A03 | ⬇️ -2 |
| A06 | Insecure Design | A04 | ⬇️ -2 |
| A07 | Authentication Failures | A07 | — |
| A08 | Integrity Failures | A08 | — |
| A09 | Logging & Alerting | A09 | +"Alerting" |
| A10 | Exceptional Conditions | — | 🆕 New |
A01: Broken Access Control
Failures allowing users to act outside permissions. Now also covers Server-Side Request Forgery (SSRF).
⚠️ Root Causes
- Missing server-side access control checks
- IDOR — accessing /api/user/123 as user 456
- CORS misconfiguration
- JWT/cookie tampering
- SSRF — unvalidated server-side URL fetching
✅ Remediation
- Deny by default — least privilege on every endpoint
- Server-side RBAC/ABAC for all routes
- Indirect object references (UUIDs)
- Block internal IPs & cloud metadata endpoints for SSRF
- Log and alert on access control failures
A02: Security Misconfiguration
Default credentials, open cloud storage, verbose errors, missing security headers, and unnecessary services enabled.
⚠️ Root Causes
- Default credentials not changed
- S3 buckets left publicly accessible
- Stack traces exposed in production
- Missing CSP/HSTS/X-Frame-Options headers
- XXE processing enabled by default
✅ Remediation
- Automate hardening with IaC (Terraform, Ansible)
- CSPM tools to continuously scan cloud configs
- Remove unused features and demo accounts
- Set security headers on all responses
- Separate configs for dev/staging/prod
A03: Software Supply Chain Failures
Compromised dependencies, malicious packages, insecure build pipelines, and missing SBOM. Expands A06:2021.
⚠️ Root Causes
- No SBOM or dependency inventory
- Typosquatting attacks on package registries
- Compromised upstream dependencies
- No verification of package signatures
- Insecure build pipelines
✅ Remediation
- Maintain SBOM for every application
- SCA tools (Snyk, Dependabot) in CI/CD
- SLSA framework for build integrity
- Sign container images (Cosign)
- Pin versions and use lock files
- Monitor for malicious packages (Socket.dev)
A04: Cryptographic Failures
Weak/missing cryptography leading to sensitive data exposure — plain-text transit, deprecated algorithms, hard-coded keys.
⚠️ Root Causes
- Data in clear text (HTTP, FTP)
- Weak algorithms (MD5, SHA1, DES)
- Hard-coded encryption keys
- Missing encryption at rest
- Passwords without salting
✅ Remediation
- TLS 1.2+ everywhere (HSTS)
- AES-256-GCM for data, bcrypt/Argon2id for passwords
- Keys via KMS/HSM — never hard-code
- Encrypt sensitive data at rest
- Classify data by sensitivity level
A05: Injection
SQL, NoSQL, OS, LDAP injection and XSS via unsanitized user input in queries or commands.
⚠️ Root Causes
- Unsanitized input in SQL queries
- String concatenation instead of parameterized statements
- No input validation or output encoding
- Dynamic eval()/exec() with user input
✅ Remediation
- Parameterized queries / prepared statements
- ORM frameworks with built-in sanitization
- Server-side input validation & whitelist
- Context-aware output encoding (XSS)
- WAF with OWASP CRS
- SAST in CI/CD
A06: Insecure Design
Fundamental design flaws — you cannot fix a design flaw with perfect implementation.
⚠️ Root Causes
- No threat modeling in design phase
- Missing security requirements
- Business logic flaws unidentified
- No abuse case analysis
✅ Remediation
- Threat modeling (STRIDE, PASTA)
- Security requirements with functional requirements
- Secure design patterns & reference architectures
- Design reviews with security champions
- Defense-in-depth
A07: Authentication Failures
Weak authentication, broken session management, missing MFA, credential stuffing vulnerabilities.
⚠️ Root Causes
- Weak/common passwords allowed
- Missing or broken MFA
- Session IDs in URLs or not rotated
- No rate limiting on login
- Weak password hashing
✅ Remediation
- Strong password policy + breached list check
- MFA for all users (TOTP, WebAuthn, FIDO2)
- Secure cookies (HttpOnly, Secure, SameSite)
- Rate-limit login + account lockout
- bcrypt/Argon2id with proper salting
A08: Software & Data Integrity Failures
Unsigned updates, insecure CI/CD pipelines, insecure deserialization, missing SRI for CDN assets.
⚠️ Root Causes
- Auto-updates without signature verification
- CI/CD pipeline tampering
- Deserializing untrusted data
- No SRI for CDN assets
- No code signing
✅ Remediation
- Verify digital signatures on updates
- Secured CI/CD — signed commits, protected branches
- SRI for CDN assets
- Cosign for container images
- Avoid untrusted deserialization
A09: Logging & Alerting Failures
Insufficient logging, monitoring, and alerting preventing breach detection and response.
⚠️ Root Causes
- Auth failures not logged
- Logs stored locally / tamper-prone
- No real-time alerting
- Logs not correlated or reviewed
✅ Remediation
- Log all auth, access control, input validation failures
- Centralize in SIEM (Splunk, Sentinel, Chronicle)
- Real-time alerting for anomalous patterns
- Tamper-proof logs (append-only, signed)
- IR playbooks + tabletop exercises
A10: Mishandling of Exceptional Conditions
"Fail open" errors, race conditions (TOCTOU), unhandled exceptions bypassing security, boundary violations.
⚠️ Root Causes
- Systems fail open on errors
- Unhandled exceptions bypass security controls
- Race conditions in auth/authz logic
- Missing boundary checks (overflow)
- Empty catch blocks suppress errors
✅ Remediation
- Fail-closed design — deny on error
- Handle all exceptions explicitly
- Mutex/locks and atomic operations for critical sections
- Validate all input boundaries
- Fuzz testing for edge cases
- Log unexpected exceptions
🔌 API Security Top 10 (2023)
APIs are the backbone of modern applications. The OWASP API Security Top 10 covers API-specific risks — BOLA, mass assignment, business logic abuse, and unsafe API consumption.
API1: Broken Object Level Authorization (BOLA)
APIs expose object IDs without verifying the requester owns or has access to the object.
⚠️ Root Causes
- Missing ownership validation on object access
- Predictable or sequential object IDs
- No authorization check per object per request
✅ Remediation
- Validate object ownership server-side on every request
- Use random/unpredictable UUIDs
- Implement authorization middleware at the data layer
API2: Broken Authentication
Weak or flawed authentication allows token compromise, user impersonation, or bypass.
⚠️ Root Causes
- Weak token generation or validation
- Missing rate limiting on auth endpoints
- API keys used as sole auth mechanism
- Tokens not expiring or rotated
✅ Remediation
- Use OAuth 2.0 / OpenID Connect
- Short-lived tokens with refresh rotation
- Rate-limit auth endpoints
- Don't use API keys as sole authentication
API3: Broken Object Property Level Authorization
APIs expose or allow modification of object properties the user shouldn't access (combines old Excessive Data Exposure + Mass Assignment).
⚠️ Root Causes
- API returns all object fields including sensitive ones
- No filtering of writable properties in PUT/PATCH
- Mass assignment — user sets admin=true in request body
✅ Remediation
- Explicitly define response schemas — never return all fields
- Whitelist allowed writable properties per role
- Use DTOs/view models to control exposed data
API4: Unrestricted Resource Consumption
No limits on API resource usage (bandwidth, CPU, memory, requests) — leads to DoS or cost explosion.
⚠️ Root Causes
- No rate limiting or throttling
- Unbounded query complexity (GraphQL)
- Large file uploads without limits
- No pagination on list endpoints
✅ Remediation
- Rate limiting per user/IP/API key
- Limit query depth and complexity
- Set max file upload sizes
- Enforce pagination with max page size
API5: Broken Function Level Authorization
Regular users can access admin API functions due to missing role-based function checks.
⚠️ Root Causes
- Admin endpoints differ only by URL path
- No role verification on function calls
- Client-side role enforcement only
✅ Remediation
- Server-side role checks on every function endpoint
- Separate admin APIs from user APIs
- Deny by default — whitelist allowed functions per role
API6: Unrestricted Access to Sensitive Business Flows
APIs expose business flows that can be abused at scale — ticket scalping, spam, coupon abuse.
⚠️ Root Causes
- No bot detection on business-critical flows
- Missing CAPTCHA on sensitive operations
- No velocity checks on purchases/reservations
✅ Remediation
- Bot detection (fingerprinting, behavioral analysis)
- CAPTCHA for sensitive flows
- Velocity limiting on business operations
- Device/session binding for high-value transactions
API7: Server-Side Request Forgery (SSRF)
API fetches remote resources from user-supplied URLs without validation.
⚠️ Root Causes
- User-controlled URLs in API requests
- No URL validation or allow-listing
- Access to cloud metadata endpoints
✅ Remediation
- Validate and whitelist URL destinations
- Block private IPs and metadata endpoints
- Network segmentation limiting server reach
API8: Security Misconfiguration
Missing security hardening, permissive CORS, verbose errors, unnecessary HTTP methods enabled.
⚠️ Root Causes
- Permissive CORS (Access-Control-Allow-Origin: *)
- Debug mode in production
- Unnecessary HTTP methods (TRACE, DELETE)
- Missing TLS or weak TLS config
✅ Remediation
- Restrict CORS to specific origins
- Disable debug/verbose mode in production
- Only enable required HTTP methods
- Enforce TLS 1.2+ with strong cipher suites
API9: Improper Inventory Management
Outdated API versions, deprecated endpoints, and exposed debug APIs still running in production.
⚠️ Root Causes
- No API inventory or documentation
- Old API versions not decommissioned
- Debug endpoints left exposed
- Shadow APIs unknown to security team
✅ Remediation
- Maintain API inventory with versioning
- Decommission deprecated API versions
- API gateway for centralized management
- Regular API discovery scanning
API10: Unsafe Consumption of APIs
Trusting third-party API responses more than user input — weaker validation on integrated services.
⚠️ Root Causes
- No validation of third-party API responses
- Trusting partner APIs without verification
- No timeout or circuit breaker for external calls
✅ Remediation
- Validate and sanitize all third-party API data
- Apply same security controls as user input
- Implement circuit breakers and timeouts
- Verify TLS certificates for external APIs
🤖 LLM / AI Application Top 10 (2025)
As AI/LLM adoption explodes, so do the attack surfaces. The 2025 edition adds System Prompt Leakage and Vector/Embedding Weaknesses, covering prompt injection, data poisoning, excessive agency, and RAG-specific risks.
LLM01: Prompt Injection
Manipulating input prompts to bypass safeguards, alter model behavior, or extract unauthorized data. Both direct and indirect injection.
⚠️ Root Causes
- No input sanitization on prompts
- System prompts concatenated with user input
- Indirect injection via poisoned context documents
- No separation between instructions and data
✅ Remediation
- Input validation and sanitization of prompts
- Privilege separation — limit model actions
- Human-in-the-loop for sensitive operations
- Canary tokens to detect prompt injection
- Output filtering and monitoring
LLM02: Sensitive Information Disclosure
LLM reveals PII, proprietary data, API keys, or confidential training data during operation.
⚠️ Root Causes
- PII or secrets present in training data
- No output filtering for sensitive patterns
- Model memorizes and regurgitates confidential data
- RAG retrieves documents user shouldn't access
✅ Remediation
- Data sanitization in training pipelines
- Output filtering (PII detection, regex for secrets)
- Access control on RAG document retrieval
- Differential privacy in fine-tuning
- Regular red-team testing for data leakage
LLM03: Supply Chain Vulnerabilities
Compromised pre-trained models, poisoned datasets, or vulnerable ML frameworks and deployment platforms.
⚠️ Root Causes
- Using unverified pre-trained models from public repos
- Poisoned or backdoored training datasets
- Vulnerable ML frameworks (PyTorch, TensorFlow)
- No provenance tracking for model artifacts
✅ Remediation
- Verify model provenance and checksums
- Scan training data for poisoning
- Keep ML frameworks updated
- Use model cards for transparency
- Signed model artifacts with SLSA compliance
LLM04: Data and Model Poisoning
Attackers introduce malicious data or manipulate the model to embed biases, backdoors, or impair functionality.
⚠️ Root Causes
- Untrusted or unverified training data sources
- No data validation pipeline
- Fine-tuning on user-submitted data without review
- Adversarial training data crafted to create backdoors
✅ Remediation
- Validate and curate training data sources
- Adversarial testing for poisoning detection
- Data provenance tracking and auditing
- Federated learning with differential privacy
- Regular model evaluation against known benchmarks
LLM05: Improper Output Handling
LLM outputs passed to downstream systems without sanitization — enables XSS, SQLi, and code execution.
⚠️ Root Causes
- LLM output directly rendered as HTML/JS
- Model output used in SQL queries unsanitized
- Code generated by LLM executed without sandboxing
- No validation layer between LLM and downstream systems
✅ Remediation
- Treat LLM output as untrusted — same as user input
- Sanitize and encode outputs before rendering
- Sandbox code execution environments
- Validate outputs against expected schema
- Content security policies for rendered content
LLM06: Excessive Agency
LLM granted too much autonomy, access, or permissions — can perform unintended destructive actions.
⚠️ Root Causes
- LLM has write access to databases or file systems
- No permission boundaries on agent tools
- Auto-execution of LLM-suggested actions
- Missing human approval for sensitive operations
✅ Remediation
- Least privilege — limit tools and permissions
- Human-in-the-loop for destructive actions
- Rate-limit actions the LLM can perform
- Audit logging of all LLM-initiated actions
- Sandboxed execution environments
LLM07: System Prompt Leakage
Internal system prompts containing confidential instructions, business logic, or API keys are exposed to users.
⚠️ Root Causes
- System prompts contain secrets or business logic
- No protection against prompt extraction attacks
- System prompt returned in error messages
- Model treats system prompt as non-confidential
✅ Remediation
- Never put secrets in system prompts
- Detect and block prompt extraction attempts
- Use separate config for sensitive parameters
- Test for system prompt leakage in red-team exercises
- Monitor for system prompt content in outputs
LLM08: Vector and Embedding Weaknesses
Security flaws in RAG implementations — vector store poisoning, embedding manipulation, unauthorized document access.
⚠️ Root Causes
- No access control on vector store documents
- Poisoned embeddings injecting malicious context
- Embedding inversion attacks recovering original text
- No input validation on documents indexed for RAG
✅ Remediation
- Access control per document in vector stores
- Validate and sanitize documents before indexing
- Monitor for embedding poisoning patterns
- Encrypt sensitive embeddings at rest
- Regular audit of vector store contents
LLM09: Misinformation
LLM generates convincing but false or fabricated content (hallucinations) that users trust as fact.
⚠️ Root Causes
- Training data contains inaccuracies
- Model generates plausible-sounding fabrications
- No grounding or fact-checking mechanism
- Users over-trust AI-generated content
✅ Remediation
- RAG for grounding responses in verified sources
- Confidence scoring and uncertainty indicators
- Human review for critical/published content
- Citation requirements for factual claims
- Regular evaluation against fact-checking benchmarks
LLM10: Unbounded Consumption
Uncontrolled resource usage by LLM — excessive token generation, API abuse, denial of wallet/service.
⚠️ Root Causes
- No token limits on input or output
- No rate limiting on LLM API calls
- Recursive or looping prompts exhausting resources
- No cost monitoring or budget caps
✅ Remediation
- Set max token limits for input and output
- Rate-limit API calls per user/session
- Budget caps and cost alerting
- Timeout for long-running inference
- Circuit breakers for recursive patterns
Interview Preparation
Walk me through the three OWASP Top 10 lists and what they cover.
OWASP maintains three Top 10 lists:
1Web Application Top 10 (
2
0
2
5— the flagship list covering server-side risks like Broken Access Control, Injection, and the new Supply Chain Failures and Exceptional Conditions categories.
2API Security Top 10 (
2
0
2
3— API-specific risks like BOLA, Broken Object Property Level Auth, Unrestricted Resource Consumption, and Unsafe API Consumption.
3LLM/AI Top 10 (
2
0
2
5— AI-specific risks like Prompt Injection, Data Poisoning, Excessive Agency, and the new System Prompt Leakage and Vector/Embedding Weaknesses. Each list targets a different attack surface, and modern applications often need all three since they typically have web frontends, API backends, and increasingly AI/LLM features.
What are the key changes in the OWASP Web Top 10 from 2021 to 2025?
Two new categories: A03 Software Supply Chain Failures (expanding beyond vulnerable components to cover the entire supply chain — SolarWinds, Log4Shell, xz utils) and A10 Mishandling of Exceptional Conditions (race conditions, fail-open errors). SSRF merged into A01 Broken Access Control. Security Misconfiguration jumped from #5 to #2, reflecting widespread cloud misconfigs. Injection dropped from #3 to #5 — still critical but better tooling reduced prevalence. The 2025 list reflects a shift toward supply chain security, cloud-native risks, and resilient-by-default system design.
Explain BOLA (API1:2023) and how it differs from web Broken Access Control.
BOLA (Broken Object Level Authorization) is the #1 API-specific risk. While web Broken Access Control covers page/function-level access, BOLA specifically targets object-level authorization in APIs. Example: GET /api/invoices/12345 returns any invoice if the server doesn't verify the requester owns that invoice. The fix: validate object ownership on every request, use UUIDs instead of sequential IDs, implement authorization middleware at the data layer. BOLA is more prevalent in APIs because APIs inherently expose object identifiers in URLs and params, creating a broad attack surface.
How would you protect an LLM application against Prompt Injection?
Prompt injection is the #1 LLM risk. Defense-in-depth:
1Input sanitization — detect and filter injection patterns.
2Privilege separation — LLM actions run with minimal permissions.
3System/user prompt separation — architectural boundary between instructions and data.
4Output filtering — scan responses for leaked system prompts or sensitive data.
5Human-in-the-loop for sensitive operations (deleting data, sending emails).
6Canary tokens in system prompts to detect extraction.
7Regular red-team testing. No single defense is sufficient — it's a layered approach similar to traditional injection prevention.
