
OWASP Cheat Sheet

Updated 2026-03-10

OWASP (Open Web Application Security Project) is an open-source foundation providing authoritative resources, tools, and standards for web application security. Founded in 2001, it publishes the OWASP Top 10, a consensus document identifying the most critical security risks to web applications, updated regularly based on real-world data from thousands of organizations. The framework extends beyond web apps to include APIs, mobile applications, and modern software architectures. Understanding OWASP isn't just about memorizing vulnerabilities; it's about recognizing that security failures cluster around a few core patterns: trusting user input without validation, mismanaging authentication state, exposing sensitive data, and failing to design security into the application from the start. Modern applications face an expanded threat landscape including supply chain attacks and CI/CD pipeline compromises, making proactive security practices essential rather than optional.

What This Cheat Sheet Covers

This topic spans 17 focused tables and 116 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: OWASP Top 10 Core Risks (2025)
  • Table 2: Injection Attack Types
  • Table 3: Cross-Site Scripting (XSS) Variants
  • Table 4: Authentication and Session Management
  • Table 5: Access Control Vulnerabilities
  • Table 6: Cryptographic Implementation
  • Table 7: Input Validation and Output Encoding
  • Table 8: Security Headers
  • Table 9: API Security
  • Table 10: Secure Development Practices
  • Table 11: Security Testing Techniques
  • Table 12: Logging and Monitoring
  • Table 13: Configuration Security
  • Table 14: Deserialization and Data Handling
  • Table 15: Cloud-Specific Security
  • Table 16: Mobile Application Security
  • Table 17: Vulnerability Disclosure and Response

Table 1: OWASP Top 10 Core Risks (2025)

Columns: Risk, Example, Description

Broken Access Control
  Example: GET /user/123/profile → attacker changes to /user/124/profile
  Description: Most critical risk. Occurs when users can act outside their intended permissions, leading to unauthorized data access, modification, or privilege escalation; affects 94% of tested applications.

Security Misconfiguration
  Example: Default admin credentials still active, unnecessary features enabled
  Description: Improperly configured security settings, unpatched systems, overly verbose error messages, or exposed cloud storage; often stems from insecure default configurations.

Software Supply Chain Failures
  Example: Compromised npm package, unsigned library update
  Description: Third-party dependencies with vulnerabilities, malicious code injection in CI/CD pipelines, lack of an SBOM (Software Bill of Materials), or use of outdated/unmaintained components.

Cryptographic Failures
  Example: Passwords stored in plaintext, HTTP instead of HTTPS
  Description: Insufficient protection of sensitive data (passwords, credit cards, PII) through weak encryption, missing TLS, hardcoded keys, or lack of encryption at rest/in transit.

Injection
  Example: SELECT * FROM users WHERE id='$id' with unsanitized $id
  Description: Untrusted data sent to an interpreter (SQL, NoSQL, OS command, LDAP) as part of a command; attacker-controlled input modifies query logic or executes arbitrary commands.
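The two rows above that come with concrete examples (the /user/123 to /user/124 access-control case and the SELECT ... WHERE id='$id' injection case) can be shown side by side in working code. The following is an added example written for this page, not code from OWASP or from the cheat sheet itself; it uses Python's standard sqlite3 module with a constructed in-memory users table, and the function and column names are assumptions chosen for illustration. It contrasts the vulnerable string-interpolated query with a parameterized one, and wraps the lookup in an object-level authorization check so a requester can only read their own profile.

```python
import sqlite3


def build_db():
    """Constructed sample data: two users, as an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(123, "alice", "alice@example.test"), (124, "bob", "bob@example.test")],
    )
    return conn


def lookup_user_unsafe(conn, user_id):
    """Vulnerable pattern from the Injection row: untrusted input is pasted
    into the query text, so the input can change the query's logic."""
    query = f"SELECT id, name FROM users WHERE id='{user_id}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.
    SQLite applies the column's INTEGER affinity to the bound value, so '123'
    still matches row 123 while a non-numeric string simply matches nothing."""
    return conn.execute("SELECT id, name FROM users WHERE id=?", (user_id,)).fetchall()


def get_profile(conn, requester_id, target_id):
    """Broken Access Control row: an object-level authorization check must run
    before the lookup, otherwise /user/123 -> /user/124 is just a URL edit.
    Returns an (http_status, rows) pair; the authenticated requester_id comes
    from the session, target_id from the URL path."""
    if requester_id != target_id:
        return 403, []  # deny by default: not the owner, no data returned
    return 200, lookup_user_safe(conn, target_id)


if __name__ == "__main__":
    db = build_db()
    # Normal path: both query styles return the single requested row.
    print(lookup_user_unsafe(db, "123"), lookup_user_safe(db, "123"))
    # Crafted path segment: the unsafe query returns every user, the safe one none.
    crafted = "123' OR '1'='1"
    print(lookup_user_unsafe(db, crafted), lookup_user_safe(db, crafted))
    # Authorization check: Alice may read her own profile but not Bob's.
    print(get_profile(db, 123, 123), get_profile(db, 123, 124))
```

The detection angle is the same as the mitigation: any query built with f-strings or `%` formatting on request-derived values is the pattern to flag in code review, and every handler that takes an object id from the URL should have a visible ownership or role check before the data access.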
