1. Web Application Security Risks (Top-10 – 2021)

As per OWASP Top-10 for web applications (2021):

• A01: Broken Access Control
• A02: Cryptographic Failures
  • weaknesses or mistakes in how cryptography (encryption, hashing, certificates, keys, etc.) is used.
  • Ex : Leaking keys or secrets or hashing with weak algorithms (jwt)
• A03: Injection
  • sent to an interpreter (SQL, NoSQL, LDAP, OS shell, etc.) without proper validation or escaping.
  • Ex : SQL Injection (SQLi) → attacker modifies database queries.
• A04: Insecure Design
• A05: Security Misconfiguration
• A06: Vulnerable and Outdated Components
• A07: Identification and Authentication Failures
• A08: Software and Data Integrity Failures
• A09: Security Logging and Monitoring Failures
• A10: Server-Side Request Forgery (SSRF) WikipediaOWASP
  • SSRF happens when an attacker tricks a server into making a request
  • Ex : Attack make access to all unprotected endpoints

2. API Security Risks (Top-10 – 2023)

According to OWASP API Security Top 10 (2023):

• API1: Broken Object Level Authorization
  • User can access someone else’s stuff because checks are missing.
• API2: Broken Authentication
  • Login or identity system is weak, so attackers can pretend to be you
  • Ex : GET /api/users/123/profile ← your profile GET /api/users/124/profile ← but you change ID to 124
• API3: Broken Object Property Level Authorization
  • User can change fields they shouldn’t.
  • Ex "role": "admin” (register)
• API4: Unrestricted Resource Consumption
• API5: Broken Function Level Authorization