OWASP Top 10

OWASP Top 10 - 2021

The Open Worldwide Application Security Project (OWASP) Top 10 is the most widely recognized list of critical web application security risks. VEXLIT detects vulnerabilities across all 10 categories.

VEXLIT Coverage

6,200+ rules covering all OWASP Top 10 categories with 98.2% true positive rate.


A01: Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers exploit these flaws to access unauthorized data or functions.

```javascript
// server.js
const express = require('express');
const app = express(); // `db` below is assumed to be an initialised database client

// Vulnerable: No authorization check
app.get('/api/admin/users', (req, res) => {
  db.query('SELECT * FROM users', (err, rows) => {
    res.json(rows);
  });
});

// requireRole: middleware that rejects the request unless the authenticated user
// (req.user, populated earlier by the authentication middleware) holds the role
function requireRole(role) {
  return (req, res, next) => {
    if (!req.user || req.user.role !== role) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// Secure: Role-based access control (shown beside the vulnerable route only for
// comparison; a real application registers one handler for this path)
app.get('/api/admin/users', requireRole('admin'), (req, res) => {
  db.query('SELECT * FROM users', (err, rows) => {
    res.json(rows);
  });
});
```

A02: Cryptographic Failures

Failures related to cryptography, which often lead to sensitive data exposure. This includes using weak algorithms like MD5/SHA1 for passwords, hardcoded encryption keys, and missing TLS.


A03: Injection

User-supplied data is sent to an interpreter as part of a command or query. SQL injection, NoSQL injection, OS command injection, and LDAP injection are common examples.
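Two of the injection classes listed above, SQL and OS command, as an added example that is not part of the VEXLIT page. For SQL it contrasts a query built by string concatenation with a parameterised one shaped like node-postgres' `{ text, values }` pair (no database is contacted; a small quote-balance check stands in for the database's parser to show how an ordinary apostrophe in the input already changes the statement's structure). For OS commands it pairs input validation with an argument array suitable for `execFile`, so no shell ever parses the value. The table and column names, hostname pattern and `ping` arguments are constructed for this example.

```javascript
// ---- SQL: concatenation vs. bound parameters ----

// Vulnerable: the input becomes part of the SQL text, so any quote in it
// changes where the literal ends and SQL begins.
function buildLookupVulnerable(username) {
  return { text: `SELECT id FROM users WHERE name = '${username}'`, values: [] };
}

// Safe: the statement text is constant; the input travels as a bound value
// and is never parsed as SQL by the database.
function buildLookupSafe(username) {
  return { text: 'SELECT id FROM users WHERE name = $1', values: [username] };
}

// Stand-in for the database parser: an odd number of single quotes means the
// literal boundaries no longer line up with what the developer wrote.
function hasUnbalancedQuotes(sqlText) {
  return (sqlText.match(/'/g) || []).length % 2 !== 0;
}

// ---- OS command: shell string vs. validated argument array ----

// Vulnerable pattern (not executed here): exec(`ping -c 1 ${host}`) hands the
// whole string to a shell, which interprets metacharacters in `host`.

// Safe: accept only something shaped like a hostname (RFC 1123 labels,
// 1-63 chars, no leading/trailing hyphen, total length <= 253) ...
const LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const HOSTNAME_RE = new RegExp(`^${LABEL}(?:\\.${LABEL})*$`);

function isValidHostname(host) {
  return typeof host === 'string' && host.length <= 253 && HOSTNAME_RE.test(host);
}

// ... and pass it as a discrete argument: execFile('ping', pingArgs(host), cb)
function pingArgs(host) {
  if (!isValidHostname(host)) throw new Error('invalid hostname');
  return ['-c', '1', host];
}
```

The validation step matters even with `execFile`: an argument array stops shell interpretation, but the called program still receives whatever is passed, so the value should match the shape the program expects (a hostname, not an option string starting with `-`).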


A04: Insecure Design

Missing or ineffective security controls in the application design. This category focuses on risks related to design flaws rather than implementation bugs.


A05: Security Misconfiguration

Missing security hardening, unnecessary features enabled, default accounts, overly informative error messages, and misconfigured HTTP headers.


A06: Vulnerable Components

Using components with known vulnerabilities. VEXLIT's SCA scans 12 package ecosystems and checks against OSV, GHSA, and NVD databases.


A07: Auth Failures

Weaknesses in authentication and session management that allow attackers to compromise passwords, keys, or session tokens.


A08: Software & Data Integrity

Code and infrastructure that do not protect against integrity violations. Examples include insecure deserialization, untrusted CI/CD pipelines, and auto-updates without verification.


A09: Logging & Monitoring

Insufficient logging, detection, monitoring, and active response. Without proper logging, breaches cannot be detected in time.
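The detection side of this category, as an added example that is not part of the VEXLIT page: a parser for JSON-lines authentication events and a sliding-window detector that raises an alert when one source address accumulates a threshold of failed logins inside a short window. The log lines, field names (`ts`, `event`, `user`, `src`), addresses and the 5-failures-in-5-minutes threshold are all constructed for this example; the parser skips malformed lines rather than stopping, since a crashing pipeline is itself a monitoring gap.

```javascript
// Constructed sample log (JSON lines); one line is deliberately malformed.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:01Z","event":"login_failure","user":"alice","src":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:09Z","event":"login_failure","user":"bob","src":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:15Z","event":"login_failure","user":"carol","src":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:20Z","event":"login_success","user":"dave","src":"198.51.100.4"}',
  '{"ts":"2024-05-01T10:00:27Z","event":"login_failure","user":"alice","src":"203.0.113.7"}',
  '{"ts":"2024-05-01T10:00:33Z","event":"login_failure","user":"erin","src":"198.51.100.4"}',
  '{"ts":"2024-05-01T10:00:41Z","event":"login_failure","user":"alice","src":"203.0.113.7"}',
  'this line is not JSON and must not break ingestion',
].join('\n');

// Parse JSON lines into events with a numeric timestamp; drop unusable lines.
function parseAuthEvents(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    if (!rec.ts || !rec.event || !rec.src) continue;
    const ts = Date.parse(rec.ts);
    if (Number.isNaN(ts)) continue;
    events.push({ ts, event: rec.event, user: rec.user, src: rec.src });
  }
  return events;
}

// Sliding window per source: alert when `threshold` failures from one src
// fall within `windowMs`. Fires once as the threshold is crossed.
function detectBruteForce(events, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const recent = new Map(); // src -> failures still inside the window
  const alerts = [];
  const failures = events
    .filter((e) => e.event === 'login_failure')
    .sort((a, b) => a.ts - b.ts);
  for (const e of failures) {
    const q = recent.get(e.src) || [];
    q.push(e);
    while (q.length && e.ts - q[0].ts > windowMs) q.shift(); // expire old entries
    recent.set(e.src, q);
    if (q.length === threshold) {
      alerts.push({
        src: e.src,
        count: q.length,
        users: [...new Set(q.map((x) => x.user))], // distinct accounts tried
        firstTs: new Date(q[0].ts).toISOString(),
        lastTs: new Date(e.ts).toISOString(),
      });
    }
  }
  return alerts;
}

// Run the detector over the constructed sample.
function runSample() {
  return detectBruteForce(parseAuthEvents(SAMPLE_LOG));
}
```

The alert carries the distinct user names seen from the source, which separates a password-spraying pattern (many accounts, few attempts each) from repeated attempts on one account; the response for each differs, and neither can be distinguished if the application never logs failures in the first place.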


A10: SSRF

Server-Side Request Forgery occurs when a web application fetches a remote resource without validating the user-supplied URL, allowing attackers to access internal services.

Detect with VEXLIT

Run a single command to detect all OWASP Top 10 vulnerabilities in your codebase.

```bash
npx @vexlit/cli scan . --fail-on medium
```