OWASP TOP 10 2021

After 4 Years, OWASP TOP 10 vulnerabilities 2021 was released with the newly added vulnerabilities in the list and made changes in the previous positions of the OWASP TOP 10 2017 vulnerabilities list.

The new list of Vulnerabilities has been categorized by considering With various facts, analyses, CVE collections in which the OWASP team has collected approximately 30 CWEs to almost 400 CWEs to analyze in the dataset.


During the analysis and research for assigning the CVE positions, the OWASP team was considered various facts in the severity of the attack and spent several months grouping and categorizing CWEs.

Finally, end up with the root cause of the attack such as “Cryptographic Failure” and “Misconfiguration” to categorize the OWASP TOP 10 list for 2021 since it has more logical for providing identification and remediation guidance.

Data Factors

For the OWASP TOP 10 2021 list, OWASP Team was also focused on the use of data for Exploitability and Impact. also they have downloaded OWASP Dependency-Check and extracted the CVSS Exploit, and Impact scores grouped by related CWEs.

“To calculate a top 10 list, the OWASP team grouped all the CVEs with CVSS scores by CWE and weighted both exploit and impact scored by the percentage of the population that had CVSSv3 + the remaining population of CVSSv2 scores to get an overall average”.

Following Data Factors are used for each of OWASP TOP 10 2021 list:-

  • CWEs Mapped: The number of CWEs mapped to a category by the Top 10 team.
  • Incidence Rate: Incidence rate is the percentage of applications vulnerable to that CWE from the population tested by that org for that year.
  • (Testing) Coverage: The percentage of applications tested by all organizations for a given CWE.
  • Weighted Exploit: The Exploit sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • Weighted Impact: The Impact sub-score from CVSSv2 and CVSSv3 scores assigned to CVEs mapped to CWEs, normalized, and placed on a 10pt scale.
  • Total Occurrences: Total number of applications found to have the CWEs mapped to a category.
  • Total CVEs: Total number of CVEs in the NVD DB that were mapped to the CWEs mapped to a category.

OWASP Top 10 2021 Changes:-

OWASP introduced 3 new categories for this new top vulnerabilities list which are A08:2021Insecure Design (4th position), A08:2021-Software, and Data Integrity Failures  (8th position), A10:2021-Server-Side Request Forgery (10th position).

OWASP TOP 10 2021
OWASP TOP 10 2021

A01:2021-Broken Access Control

OWASP Team listed a Broken access control vulnerability in the #1 position, and it has moved from the 5th position at the OWASP TOP 10 2017 list. To assign this position, OWASP Team has tested 94% of applications with some soft of Broken Authentication and also mapped 34 CWEs in it.

02:2021-Cryptographic Failures

Cryptographic Failures has been assigned in the #2 position, and it has moved from #3 in the 2017 list where was list as “Sensitive Data Exposure”, and it has been assigned by considering the “symptom”. Since the currently renewed list focused on the Root cause, cryptography is a major concern to leak sensitive data.


Injection attacks are down to the #3 position in this OWASP TOP 10 2021 from the #1 position in the 2017 list. Under this Injection attack category, there are 33 CWEs mapped, including the Cross-site Scripting (XSS) bug that was in the #7 position in the previous list.

A04:2021-Insecure Design

Insecure design is a new category added in the OWASP TOP 10 2021 list and listed in the #4 position. Insecure design vulnerability focused on risks related to design flaws.

A05:2021-Security Misconfiguration

Security configuration moved from #6 position to #5, and the vulnerability has been tested on 90% of applications. OWASP Team delimited the XML external entities from the 2017 list and merged them with this Security misconfiguration.

A06:2021-Vulnerable and Outdated Components

This is an alternative title of “Using Components with Known Vulnerabilities” that has been listed in the #9th position in the 2017 list. Now it is moved up to the #6 position. OWASP Team said that It is the only category not to have any CVEs mapped to the included CWE, instead, default exploits and impact weights of 5.0 were considered to map this position.

A07:2021-Identification and Authentication Failures

It was previously known as Broken Authentication that was list in the #2 position and moved into the #7 position. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping. OWASP Said.

A08:2021-Software and Data Integrity Failures

Software & Data integrity Failures is a new list in the OWASP Top 10 2021 list, and this vulnerability focuses on the software updates, critical data, and CI/CD pipelines without verifying integrity. also, the OWASP team merged an Insecure Deserialization from 2017.

A09:2021-Security Logging and Monitoring Failures

It was previously known as Insufficient monitoring & monitoring, which was list in the #10 position and moved up to the #9 position. Failure of fixing this vulnerability will lead to impact visibility, incident alerting, and forensics.

A10:2021-Server-Side Request Forgery

SSRF is listed in the #10 position with the help of an industrial survey. The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. OWASP said.

Found this article interested !! Follow us on LinkedinTwitterFacebook for daily Cybersecurity News & Updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.