OWASP Top 10 (2021)
The OWASP Top 10 list, published by the Open Web Application Security Project (OWASP, renamed the Open Worldwide Application Security Project in 2023), ranks the most critical security risks for web applications. It is revised every few years (2013, 2017, 2021) to track changes in the threat landscape, using contributed vulnerability data and a community survey.
I previously wrote about the 2017 list, but I have taken my sweet time getting around to reviewing the one from 2021 (oops). The next OWASP update is expected later this year (2025), so I wanted to review the 2021 list and compare it with 2017 before it's too late.
Here are the top 10 risks from the 2021 list, ordered from most to least critical (OWASP labels them A01 to A10):
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Key changes from 2017 to 2021
The 2021 update brings several notable changes:
- New categories: Insecure Design (#4), Software and Data Integrity Failures (#8), and Server-Side Request Forgery (#10) were added. The first two reflect risks such as missing threat modelling and unverified updates or CI/CD pipelines; SSRF was added on the strength of the community survey rather than the incidence data.
- Consolidation: Some 2017 categories were merged or expanded. For example, Cross-Site Scripting (XSS) is now grouped under Injection (#3), XML External Entities (XXE) under Security Misconfiguration (#5), and Insecure Deserialisation under Software and Data Integrity Failures (#8).
- Renaming and scoping: Sensitive Data Exposure became Cryptographic Failures (#2), focusing on root causes. Broken Authentication became Identification and Authentication Failures (#7), with a broader scope. Using Components with Known Vulnerabilities became Vulnerable and Outdated Components (#6). Insufficient Logging and Monitoring is now Security Logging and Monitoring Failures (#9).
- Ranking shifts: Broken Access Control rose from #5 to #1, Cryptographic Failures from #3 to #2, Injection fell from #1 to #3, and Security Misconfiguration climbed from #6 to #5.
Below is a summary of each 2021 category, noting its position and any changes from 2017, along with prevention tips.
Broken Access Control
2017 position: #5
Changes: Now at #1, with more occurrences in OWASP's contributed data than any other category.
Occurs when the application fails to enforce what an authenticated user is allowed to do, so users can read or change data, or call functions, outside their intended permissions. The classic case is an insecure direct object reference: changing an account or record ID in the URL to view another user's data. Privilege escalation (acting as an admin without being one) and missing checks on API endpoints fall here too.
Prevention: Deny by default and enforce authorisation server-side on every request, including API and non-UI endpoints. Check ownership of the record being accessed rather than relying on hidden or unguessable identifiers, reuse one access-control mechanism throughout the application instead of ad-hoc checks, and log access-control failures so repeated probing is visible.
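The URL-manipulation case above, as an added example of my own rather than anything from OWASP's text. The handler that only checks for a login leaks any invoice to any user; the hardened one checks ownership server-side and returns the same error for "missing" and "not yours" so the endpoint cannot be used to enumerate IDs. The invoice data, the Session object and the handler names are all constructed for the demonstration.

```python
"""Broken Access Control: an insecure direct object reference beside an
ownership check. Added example; INVOICES, Session and the handler names are
illustrative, not from any real application."""
from dataclasses import dataclass

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 980.00},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str = "user"


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(session, invoice_id: int) -> dict:
    """Vulnerable: authenticates (a session exists) but never authorises.
    Any logged-in user can read any invoice by changing the id in the URL."""
    if session is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def get_invoice_hardened(session, invoice_id: int) -> dict:
    """Hardened: deny by default, then check ownership on the server.
    Admin access is granted explicitly by role, not by accident."""
    if session is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    # One error for both 'does not exist' and 'not yours', so the response
    # does not reveal which ids exist.
    if invoice is None or (invoice["owner"] != session.user and session.role != "admin"):
        raise Forbidden("not found")
    return invoice


def is_denied(handler, session, invoice_id: int) -> bool:
    """True if the handler refuses the request."""
    try:
        handler(session, invoice_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob = Session("bob")
    print(get_invoice_vulnerable(bob, 101))  # leaks alice's invoice
    print(is_denied(get_invoice_hardened, bob, 101))  # True
```

The point worth noticing is that the vulnerable handler is not missing authentication; it is missing authorisation, and no amount of session hardening fixes that. In a real application the ownership check belongs in one shared layer (a policy function or the framework's permission system) so that a new endpoint cannot forget it.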
Cryptographic Failures
2017 position: #3 (as Sensitive Data Exposure)
Changes: Renamed to name the root cause (missing or broken cryptography) rather than the symptom (data exposure).
Weak or obsolete algorithms, hard-coded or poorly managed keys, data sent over unencrypted channels, and passwords stored with fast or unsalted hashes can all expose sensitive data.
Prevention: Classify data and store only what is needed. Encrypt sensitive data at rest and in transit with current, vetted algorithms, enforce HTTPS (with HSTS), keep keys out of source code, and hash passwords with a salted, adaptive function such as Argon2, scrypt or bcrypt.
Injection
2017 position: #1
Changes: Dropped to #3, and now also covers Cross-Site Scripting (XSS), which was its own category (#7) in 2017.
Happens when untrusted data is sent to an interpreter as part of a command or query, so that data ends up executed as code: SQL, NoSQL, OS command, LDAP and expression-language injection all qualify. XSS is the same flaw with the browser as the interpreter, which is why it now sits here.
Prevention: Keep data and code separate. Use parameterised queries or a safe API instead of building commands from strings, validate input against an allowlist, escape output for the context it lands in (HTML, attribute, JavaScript, URL), and avoid passing user input to a shell at all.
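The SQL case, as an added example of my own (not from OWASP): the same login query built by string formatting and by placeholders, run against an in-memory SQLite table that I construct here. The classic `' OR '1'='1` payload turns the first query into one that matches every row; the parameterised version passes the payload to the driver as data, so it matches nothing.

```python
"""SQL injection: string-built query beside a parameterised one, against an
in-memory SQLite database. Added example; the users table and its rows are
constructed for the demonstration (and plaintext passwords are part of the
demo, not a recommendation)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Interpolates untrusted input into the SQL text: the data becomes code."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Placeholders hand the values to the driver separately from the query
    text, so the quote characters in the payload are just characters."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Well-known demonstration payload; with the template above it yields
# ... AND password = '' OR '1'='1'  which is true for every row.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "nobody", PAYLOAD))     # ['alice', 'bob']
    print(login_parameterised(conn, "nobody", PAYLOAD))  # []
```

One caveat practitioners hit: placeholders cover values only. Table names, column names and ORDER BY directions cannot be parameterised, so anything user-controlled there has to be mapped through a fixed allowlist instead.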
Insecure Design
2017 position: Not present
Changes: New in 2021.
Focuses on weaknesses in the design itself rather than in the implementation: missing threat modelling, business flows with no limits, or security requirements that were never written down. Unlike the other categories, an insecure design cannot be fixed by a perfect implementation, because the controls that would be needed were never designed in.
Prevention: Apply secure design principles, perform threat modelling, and use secure reference architectures.
Security Misconfiguration
2017 position: #6
Changes: Moved up to #5, and now absorbs XML External Entities (XXE), which was #4 in 2017.
Insecure defaults, unnecessary features or accounts left enabled, verbose error messages, missing security headers, and XML parsers with external entity processing turned on all expose systems.
Prevention: Harden every environment with a repeatable, automated configuration process; disable unused features, ports and default accounts; keep systems patched; send the relevant security headers; and disable external entity resolution in XML parsers.
Vulnerable and Outdated Components
2017 position: #9 (as Using Components with Known Vulnerabilities)
Changes: Renamed and moved up to #6.
Using libraries, frameworks or runtime components with known vulnerabilities, on the client or the server and including transitive dependencies, is widespread, and unmaintained components that no longer receive fixes are just as much of a problem.
Prevention: Keep an inventory of components and their versions (an SBOM), scan them continuously against vulnerability databases, remove unused dependencies, take components only from official sources over signed or secure channels, and plan for what to do with unmaintained ones.
Identification and Authentication Failures
2017 position: #2 (as Broken Authentication)
Changes: Renamed and moved to #7, broader in scope.
Covers credential stuffing and brute-force attacks, weak or default passwords, missing multi-factor authentication, and session flaws such as session IDs in URLs, session fixation, or sessions not invalidated on logout.
Prevention: Use multi-factor authentication, check new passwords against breached-password lists rather than relying on complexity rules alone, rate-limit or progressively delay failed login attempts, and use a server-side session manager that issues random IDs and invalidates them on logout and after idle timeouts.
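The two pieces of advice that keep coming up in this category and in Cryptographic Failures, password hashing and throttling failed logins, fit in one added example, which is mine rather than OWASP's. It shows unsalted MD5 as the anti-pattern, a salted scrypt store with constant-time comparison, and a sliding-window lockout per account. `PasswordStore`, `LoginGate`, the scrypt parameters and the limits are illustrative choices for the demonstration; the clock is injectable so the window logic can be exercised without waiting.

```python
"""Password storage and login throttling. Added example covering the
Cryptographic Failures advice (salted, adaptive hashing) and the
Identification and Authentication Failures advice (rate limiting).
Class names, scrypt parameters and limits are illustrative."""
import hashlib
import hmac
import secrets
import time


def weak_hash(password: str) -> str:
    """The anti-pattern: unsalted MD5. Equal passwords give equal digests and
    the digest can be brute-forced offline at enormous rates."""
    return hashlib.md5(password.encode()).hexdigest()


class PasswordStore:
    """Salted scrypt. N, r, p set the work factor; raise N as hardware allows."""
    N, R, P = 2 ** 14, 8, 1

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.scrypt(password.encode(), salt=salt, n=self.N, r=self.R, p=self.P)

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
        self._records[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            self._derive(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(self._derive(password, salt), digest)


class LoginGate:
    """Per-account sliding window: after max_failures failed attempts within
    window_seconds, the account is locked until old failures age out."""

    def __init__(self, store: PasswordStore, max_failures: int = 5,
                 window_seconds: float = 300, clock=time.monotonic) -> None:
        self.store = store
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: dict[str, list[float]] = {}

    def _recent_failures(self, user: str) -> list:
        now = self.clock()
        kept = [t for t in self._failures.get(user, []) if now - t < self.window]
        self._failures[user] = kept
        return kept

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked' (locked is decided before the
        password is checked, so a locked account cannot be brute-forced)."""
        if len(self._recent_failures(user)) >= self.max_failures:
            return "locked"
        if self.store.verify(user, password):
            self._failures.pop(user, None)
            return "ok"
        self._failures.setdefault(user, []).append(self.clock())
        return "denied"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse")
    gate = LoginGate(store, max_failures=3, window_seconds=60)
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(gate.login("alice", attempt))  # denied, denied, denied, locked
```

Per-account lockout has a known trade-off: an attacker who knows a username can lock its owner out. In practice it is paired with per-source limits, progressive delays or a CAPTCHA rather than used alone, and MFA removes most of the value of a guessed password anyway.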
Software and Data Integrity Failures
2017 position: Not directly present (Insecure Deserialisation was #8)
Changes: New category, wider scope.
Covers code and infrastructure that does not protect against integrity violations: insecure deserialisation of untrusted data, unsigned or unverified updates, dependencies pulled from untrusted sources, and CI/CD pipelines that an attacker can tamper with.
Prevention: Verify signatures or hashes of software and updates before use, take dependencies from trusted repositories and review changes to them, protect the CI/CD pipeline's configuration and access controls, and never deserialise untrusted data with a format that can instantiate arbitrary objects; sign serialised data so tampering can be detected.
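What "integrity checks in deployment" looks like in code, as an added example of my own (not OWASP's): an update manifest is signed, the signature is checked before the manifest is parsed, and the artifact's hash is compared against the value the manifest carries. The manifest format, the artifact bytes and the shared HMAC key are constructed for the demonstration; a real pipeline would use a public-key signature (Sigstore, GPG, or the package manager's own signing) so that the verifier holds no secret.

```python
"""Software and Data Integrity: verify a signed manifest and a pinned artifact
hash before installing, and deserialise with a data-only format. Added
example; manifest layout, artifact bytes and SIGNING_KEY are constructed."""
import hashlib
import hmac
import json

# Constructed: the artifact the pipeline is about to run. In practice the
# pinned digest arrives through a trusted channel (a lock file, a signed
# release note); computing it here from ARTIFACT stands in for that.
ARTIFACT = b"#!/bin/sh\necho 'install step'\n"
PINNED_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()
SIGNING_KEY = b"example-shared-key-do-not-use"


class IntegrityError(Exception):
    pass


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Canonical JSON (sorted keys, no whitespace) plus HMAC-SHA256, so the
    verifier can reproduce exactly the bytes that were signed."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag})


def load_manifest(signed: str, key: bytes) -> dict:
    """Check the tag before trusting the body. JSON yields only plain data;
    a pickle-style loader could run code from the payload before any check."""
    envelope = json.loads(signed)
    body, tag = envelope["body"], envelope["tag"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise IntegrityError("manifest signature invalid")
    return json.loads(body)


def verify_artifact(data: bytes, manifest: dict) -> bytes:
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise IntegrityError("artifact hash mismatch")
    return data


def install(signed_manifest: str, data: bytes, key: bytes = SIGNING_KEY) -> str:
    """Returns 'installed <name> <version>' or 'rejected: <reason>'."""
    try:
        manifest = load_manifest(signed_manifest, key)
        verify_artifact(data, manifest)
    except (IntegrityError, KeyError, ValueError) as exc:
        return f"rejected: {exc}"
    return f"installed {manifest['name']} {manifest['version']}"


if __name__ == "__main__":
    signed = sign_manifest(
        {"name": "agent", "version": "1.2.0", "sha256": PINNED_SHA256}, SIGNING_KEY)
    print(install(signed, ARTIFACT))                       # installed agent 1.2.0
    print(install(signed, ARTIFACT + b"echo backdoor\n"))  # rejected: artifact hash mismatch
```

The order matters: the signature is checked over the raw manifest bytes before they are parsed, and the artifact is checked against the signed digest before it is executed. Checking the hash alone is not enough, since an attacker who can replace the artifact can usually replace an unsigned hash beside it.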
Security Logging and Monitoring Failures
2017 position: #10 (as Insufficient Logging and Monitoring)
Changes: Moved up to #9.
Without adequate logging and monitoring, breaches go undetected: auditable events such as logins, failed logins and high-value transactions are not logged, warnings and errors produce no or unclear messages, logs are kept only on the local machine, or alerting thresholds and a response plan do not exist.
Prevention: Log authentication, access-control and input-validation failures with enough context to identify suspicious accounts, in a format a log-management system can consume; centralise the logs and protect them from tampering; and set up alerting and an incident response plan so that attacks are detected and acted on in time.
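Logging only pays off if something runs over the logs, so here is an added example of my own (not OWASP's) of detection logic over structured login events. It looks for password spraying, one source failing against many different accounts, which a per-account lockout never notices because each account sees only one failure. The log lines, the field names and the thresholds are all constructed for the demonstration.

```python
"""Security Logging and Monitoring: a detection run over structured auth
logs. Added example; SAMPLE_LOG, its field names and the thresholds are
constructed for the demonstration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 tries one password against many accounts
# and eventually succeeds; 198.51.100.4 is ordinary noise.
SAMPLE_LOG = """\
{"ts":"2025-06-01T10:00:01Z","event":"login","result":"fail","user":"alice","src":"203.0.113.9"}
{"ts":"2025-06-01T10:00:02Z","event":"login","result":"fail","user":"bob","src":"203.0.113.9"}
{"ts":"2025-06-01T10:00:03Z","event":"login","result":"fail","user":"carol","src":"203.0.113.9"}
{"ts":"2025-06-01T10:00:04Z","event":"login","result":"fail","user":"dave","src":"203.0.113.9"}
{"ts":"2025-06-01T10:00:05Z","event":"login","result":"success","user":"erin","src":"203.0.113.9"}
{"ts":"2025-06-01T10:00:09Z","event":"login","result":"fail","user":"alice","src":"198.51.100.4"}
{"ts":"2025-06-01T10:30:00Z","event":"login","result":"fail","user":"frank","src":"198.51.100.4"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; timestamps become datetimes for arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_spraying(events: list, min_accounts: int = 4,
                    window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {src: sorted usernames} for every source whose failed logins
    touched at least min_accounts distinct accounts inside one window."""
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "fail":
            failures[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each failure
            users = {user for ts, user in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = sorted(users)
                break
    return alerts


def successes_from(events: list, src: str) -> list:
    """Accounts that logged in successfully from a source; a success after a
    spray is the alert to act on first."""
    return sorted({e["user"] for e in events
                   if e.get("event") == "login" and e.get("result") == "success"
                   and e["src"] == src})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for src, users in detect_spraying(events).items():
        print(f"spray from {src} against {users}; successes: {successes_from(events, src)}")
```

Two things the example is meant to show: the log line carries the fields the detection needs (result, user, source), and the detection keys on the source rather than the account, which is the dimension an application-level lockout does not see. The same structure extends to access-control denials per user, which is the signal for someone probing object IDs.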
Server-Side Request Forgery (SSRF)
2017 position: Not present
Changes: New in 2021.
Occurs when an application fetches a remote resource from a user-supplied URL without validating it, so the attacker can make the server send requests to hosts it can reach but the attacker cannot: internal services, cloud metadata endpoints, or other machines behind the firewall.
Prevention: Validate and sanitise all client-supplied URLs, enforce an allowlist of schemes, hosts and ports, disable HTTP redirects or re-validate after each one, do not return raw responses to the client, and segment the network so the server cannot reach internal services it does not need.
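The URL validation and allowlist advice, as an added example of my own (not OWASP's). It rejects non-HTTP schemes, URLs carrying credentials (the `http://allowed-host@evil/` trick), hosts outside the allowlist and unexpected ports, then resolves the host and refuses anything that maps to a private, loopback, link-local or IPv4-mapped address. The allowed host list and the two fake resolvers are constructed for the demonstration; the resolver is injectable so the check runs offline.

```python
"""SSRF guard: scheme/host/port allowlist plus a check on the resolved
addresses. Added example; ALLOWED_HOSTS, ALLOWED_PORTS and the fake resolvers
are constructed for the demonstration."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # constructed allowlist
ALLOWED_PORTS = {80, 443}


def resolve_all(host: str) -> set:
    """Every address the host resolves to; all of them must be acceptable."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text: str) -> bool:
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is 10.0.0.5 in disguise
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS,
                          resolver=resolve_all) -> tuple:
    """(True, 'ok') if the server may fetch url, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addrs or not all(is_public_address(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"


# Constructed resolvers so the demonstration runs without DNS.
def fake_public_resolver(host: str) -> set:
    return {"93.184.216.34"}


def fake_private_resolver(host: str) -> set:
    return {"::ffff:10.0.0.5"}


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/items",
                "http://169.254.169.254/latest/meta-data/",
                "http://api.example.com@169.254.169.254/",
                "file:///etc/passwd"):
        print(url, validate_outbound_url(url, resolver=fake_public_resolver))
```

Two caveats the code cannot cover on its own. The resolved address should be the one actually connected to (or the check repeated at connect time), otherwise a DNS answer that changes between check and use defeats it. And an allowlisted host can still redirect to an internal one, so redirects are either disabled or every hop is re-validated with the same function.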
Closing thoughts
The OWASP Top 10 (2021) captured a shift in focus towards design flaws, software integrity, and new risks such as SSRF, while older threats like Injection remained a concern. Even in 2025, many of its lessons still apply.
The next OWASP list is expected later this year, and it will be interesting to see how the growing use of AI tools has influenced the rankings.
For the full details, see the official OWASP Top 10 2021 list.