
OWASP Cheat Sheet

Updated 2026-05-25

OWASP (Open Web Application Security Project) is an open-source foundation providing authoritative resources, tools, and standards for web application security. Founded in 2001, it publishes the OWASP Top 10, a consensus document identifying the most critical security risks to web applications — the 2025 edition analyzed over 175,000 CVE records and input from security practitioners worldwide. The framework extends beyond web apps to include APIs, mobile applications, AI/LLM systems, and modern software architectures. Understanding OWASP isn't just about memorizing vulnerabilities — it's about recognizing that security failures cluster around a few core patterns: trusting user input without validation, mismanaging authentication state, exposing sensitive data, and failing to design security into the application from the start. Modern applications face an expanded threat landscape including supply chain attacks, CI/CD pipeline compromises, and AI-specific risks, making proactive security practices essential rather than optional.

What This Cheat Sheet Covers

This topic spans 19 focused tables and 157 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: OWASP Top 10 Core Risks (2025)
Table 2: Injection Attack Types
Table 3: Cross-Site Scripting (XSS) Variants
Table 4: Authentication and Session Management
Table 5: Access Control Vulnerabilities
Table 6: Cryptographic Implementation
Table 7: Input Validation and Output Encoding
Table 8: Security Headers
Table 9: API Security
Table 10: Secure Development Practices
Table 11: Security Testing Techniques
Table 12: Logging and Monitoring
Table 13: Configuration Security
Table 14: Deserialization and Data Handling
Table 15: Cloud-Specific Security
Table 16: Mobile Application Security
Table 17: Vulnerability Disclosure and Response
Table 18: OWASP API Security Top 10 (2023)
Table 19: AI/LLM Security Risks (OWASP LLM Top 10 2025)

Table 1: OWASP Top 10 Core Risks (2025)

The OWASP Top 10:2025 is the eighth edition of this influential list, introducing two new categories — Software Supply Chain Failures (#3) and Mishandling of Exceptional Conditions (#10) — while consolidating SSRF into Broken Access Control. The 2025 list reflects a shift from pure code vulnerabilities toward systemic risks across the entire software delivery lifecycle.

Risk / Example / Description

A01 — Broken Access Control
Example: GET /user/123/profile → attacker changes to /user/124/profile
• Most critical risk; 100% of tested applications had some form
• Occurs when users act outside intended permissions — unauthorized data access, privilege escalation, SSRF (CWE-918, now consolidated here), and CSRF (CWE-352)

A02 — Security Misconfiguration
Example: Default admin credentials still active, unnecessary features enabled
• Moved up from #5 to #2
• Affects 100% of tested apps
• Improperly configured settings, unpatched systems, verbose error messages, or exposed cloud storage — stems from insecure default configurations

A03 — Software Supply Chain Failures
Example: SolarWinds backdoor in signed update; Shai-Hulud npm worm (2025)
• New category for 2025; highest average exploit/impact scores
• Encompasses compromised dependencies, tampered CI/CD pipelines, malicious packages, and lack of SBOM — not just vulnerable components but the entire delivery chain

A04 — Cryptographic Failures
Example: Passwords stored in plaintext, HTTP instead of HTTPS
• Dropped from #2 to #4
• Insufficient protection of sensitive data (passwords, credit cards, PII) through weak encryption, missing TLS, hardcoded keys, or lack of encryption at rest/in transit

A05 — Injection
Example: SELECT * FROM users WHERE id='$id' with unsanitized $id
• Fell from #3 to #5
• Untrusted data sent to an interpreter (SQL, NoSQL, OS, LDAP, template) as part of a command
• Attacker-controlled input modifies query logic or executes arbitrary commands
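Added example, not from the cheat sheet or from OWASP's own material: the A05 query pattern from the table (`WHERE id='$id'`) beside its parameterized fix, plus an ownership check for the A01 `/user/{id}/profile` lookup, run against a constructed in-memory SQLite table. The function names (make_db, lookup_user_vulnerable, lookup_user_safe, get_profile) and the rule that only the user themself may read a profile are assumptions for the demo.

```python
import sqlite3

# Constructed sample data (not from the page): three user rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (123, "alice", "alice@example.com"),
        (124, "bob", "bob@example.com"),
        (125, "carol", "carol@example.com"),
    ])
    return conn

def lookup_user_vulnerable(conn, user_id):
    # A05 pattern from the table: the untrusted value is spliced into the SQL
    # text, so the interpreter cannot distinguish data from query logic.
    sql = f"SELECT id, name FROM users WHERE id='{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, user_id):
    # Fix: a parameterized query. The driver binds the value as a literal,
    # so whatever it contains it can only ever be compared, never parsed.
    return conn.execute(
        "SELECT id, name FROM users WHERE id=?", (user_id,)
    ).fetchall()

def is_owner(requester_id, target_id):
    # A01: authorization is decided server-side per object, not by trusting
    # the id that appears in the URL. Assumed rule: only the owner may read.
    return int(requester_id) == int(target_id)

def get_profile(conn, requester_id, target_id):
    # The /user/{id}/profile handler: deny before touching the data layer.
    if not is_owner(requester_id, target_id):
        raise PermissionError("not authorized for this profile")
    rows = lookup_user_safe(conn, target_id)
    return rows[0] if rows else None

if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"   # constructed input that rewrites the query logic
    print("vulnerable:", lookup_user_vulnerable(db, tampered))   # all three rows
    print("safe:      ", lookup_user_safe(db, tampered))         # no rows
    print("profile:   ", get_profile(db, 123, 123))              # (123, 'alice')
```

The vulnerable lookup returns every row for the tampered input because the quote closes the literal; the parameterized lookup returns nothing because the same bytes are compared as a plain value.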
