█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/OWASP Top 10
50 minIntermediate

OWASP Top 10

After this lesson, you will be able to: Walk through the OWASP Top 10 with real-world examples and identify which categories appear in sample code.

The OWASP Top 10 is the canonical list of the most common and critical web vulnerabilities. It's updated every few years based on real-world data. Knowing this list cold is table stakes for any AppSec role.

Prerequisites:What is Application Security?

The current Top 10 categories

A01 Broken Access Control. IDOR, missing auth checks. A02 Cryptographic Failures, bad hashing, plaintext storage. A03 Injection. SQL, command, LDAP injection. A04 Insecure Design, missing controls by design. A05 Security Misconfiguration, default passwords, verbose errors. A06 Vulnerable Components, outdated libraries with CVEs. A07 Authentication Failures, weak passwords, session bugs. A08 Software/Data Integrity, unsigned updates, insecure deserialization. A09 Logging/Monitoring Failures, no audit trail. A10 Server-Side Request Forgery (SSRF).

💡 A01 Broken Access Control is #1 for a reason

Insecure Direct Object Reference (IDOR), changing /orders/123 to /orders/124 and seeing someone else's data, is the most common high-impact bug found in real bug bounties. It's caused by trusting URL parameters without checking 'is this user allowed to see this object?'

Spot the vulnerability. IDOR example

Read this Express handler. What's wrong?

tsx
// VULNERABLE
app.get('/api/orders/:id', async (req, res) => {
const order = await db.order.findUnique({ where: { id: req.params.id } });
res.json(order);
});
// FIXED
app.get('/api/orders/:id', async (req, res) => {
const order = await db.order.findFirst({
where: { id: req.params.id, userId: req.user.id }, // ← ownership check
});
if (!order) return res.status(404).end();
res.json(order);
});

How to use the Top 10

Use it as a checklist for code review and threat modeling. When you write or review code, ask: 'Could this trip any of A01–A10?' Most real findings map to one of these, once you have the categories memorized, you'll spot them faster.

Quick Check

Which Top 10 category covers a login page that accepts password '123'?

Choose the closest match.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←What is Application Security?
Back to Application Security
Input Validation and Injection Attacks→