Web applications remain the most frequently targeted attack surface for organizations of all sizes. The OWASP Top 10, updated periodically by the Open Web Application Security Project, catalogs the most critical security risks facing web applications. Understanding these vulnerabilities is essential for developers, security engineers, and engineering leaders responsible for securing digital products. At Nexis Limited, we integrate OWASP-aligned security practices into every stage of our development lifecycle.

A01:2021 – Broken Access Control

Broken access control has risen to the number one position in the latest OWASP Top 10. It occurs when users can act outside their intended permissions: accessing other users' data, modifying records they should not be able to touch, or escalating privileges. A common manifestation is the Insecure Direct Object Reference (IDOR), where a request such as /api/users/1234 returns another user's record simply because the attacker changed the ID and the server never checked that the caller owns that object. Remediation requires server-side access control enforcement: never rely on client-side checks, implement RBAC consistently, deny access by default, and log all access control failures so that probing can be detected.

A02:2021 – Cryptographic Failures

Previously known as "Sensitive Data Exposure," this category covers failures in protecting data in transit and at rest. Common issues include transmitting sensitive data over plaintext HTTP, using weak or deprecated cryptographic algorithms like MD5 or SHA-1 for password hashing, hardcoded encryption keys, and insufficient TLS configuration. Organizations should enforce TLS 1.2+ across all connections, implement HSTS headers, use bcrypt or Argon2id for password hashing, and manage cryptographic keys through dedicated key management systems rather than application code.

A03:2021 – Injection

SQL injection, NoSQL injection, LDAP injection, and OS command injection remain prevalent despite being well understood. An SQL injection occurs when user-supplied input is concatenated directly into a database query, so the input can change the structure of the query rather than being treated as data. The fix is straightforward: use parameterized queries or prepared statements exclusively, so that query structure and data travel to the database separately. ORMs provide this protection by default, but it is lost when raw query methods are fed concatenated input. Input validation, while important, is a defense-in-depth measure; it should never be the primary protection against injection. Content Security Policy headers mitigate related client-side injection risks.

Cross-Site Scripting (XSS)

XSS, now categorized under injection, allows attackers to execute malicious JavaScript in victims' browsers. Reflected XSS injects scripts through URL parameters that are echoed back in the response, stored XSS persists malicious payloads in the application database so they are served to every viewer, and DOM-based XSS arises when client-side JavaScript writes attacker-controlled data into the page without encoding it. Prevention requires context-aware output encoding: HTML entity encoding for HTML contexts, JavaScript escaping for script contexts, and URL encoding for URL parameters. Modern frameworks like React and Angular provide automatic output encoding, but developers must avoid bypassing these protections with methods like dangerouslySetInnerHTML.

A07:2021 – Cross-Site Request Forgery and Authentication Failures

CSRF attacks trick authenticated users into performing unintended actions by exploiting the browser's automatic inclusion of cookies with requests. Effective countermeasures include anti-CSRF tokens (synchronizer tokens or double-submit cookies), SameSite cookie attributes, and requiring re-authentication for sensitive operations. Broken authentication, whether through weak password policies, susceptibility to credential stuffing, session fixation, or missing MFA, enables account takeover. Implement rate limiting on authentication endpoints, enforce strong password policies, support MFA, and use secure session management with proper timeout and invalidation.

Practical Security Implementation

Securing web applications requires a layered approach. Integrate Static Application Security Testing (SAST) tools like SonarQube or Semgrep into CI/CD pipelines to catch vulnerabilities during development. Deploy Dynamic Application Security Testing (DAST) tools like OWASP ZAP for runtime vulnerability detection. Implement a Web Application Firewall (WAF) as an external defense layer, but never rely on it as the sole protection. Security headers—Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy—provide additional browser-level protections that are simple to implement and highly effective.

For development teams in Bangladesh building customer-facing applications, embedding security into the development process is far more cost-effective than retrofitting it later. Vulnerability remediation costs increase by 10-30x between development and production stages. Explore our portfolio to see how we build security into every project from inception, and contact us if your application needs a professional security review.