• Browse topics
Login
Sign up
Login

SNYK LEARN LOGIN

OTHER REGIONS

For Snyk Enterprise customers with regional contracts. More info

Sign up

OWASP Top 10

What is the OWASP top 10?

OWASP stands for Open Worldwide Application Security Project. This non-profit foundation works to improve software security. They have published a top 10 list that acts as an awareness document for developers. It represents a broad consensus about the most critical security risks.

Our goal at Snyk Learn is to educate developers and one way we do that is by covering the OWASP top 10 list. By completing the modules below, you will have taken steps toward creating more secure applications and having a better understanding of security risks!

Save your learning progress.

  • Track your learning progress
  • Keep up to date with the latest vulnerabilities
  • Scan your application code to stay secure
Sign up for free

Broken access control

Broken Access Control had more occurrences in applications than in any other category. We want to ensure users are acting within their intended purposes.

Broken access control

Cryptographic failures

This is a broad topic that can lead to sensitive data exposure or system compromise. We want to make sure we are always protecting data and storing it securely.

Insecure hash

Injection

This is a large topic that includes SQL injection, XSS, prototype pollution and more. In this module, we'll look at code injection.

Code injection

Insecure design

Insecure design represents different weaknesses, expressed as “missing or ineffective.

Insecure design

Security misconfiguration

As software becomes more configurable, there is more that needs to be done to ensure it is configured properly and securely.

XML external entity injection (XXE)

Vulnerable and outdated components

By the time you finish reading this, a new vulnerability has been found! We need to make sure we are keeping up-to-date with our components.

Vulnerable and outdated components

Identification and authentication failures

Are you who you say you are? We need to always confirm the users’ identity, authentication, and session management.

No rate limiting

Software and data integrity failures

Let’s not rely on plugins, libraries, or modules from untrusted sources! This includes repositories and content delivery networks (CDNs).

Directory traversal

Security logging and monitoring failures

How are we supposed to detect a breach when we have no logs? Logging and monitoring are crucial for our applications.

Logging vulnerabilities

Server-side request forgery

SSRF flaws occur whenever we fetch a remote resource without validating the URL supplied by the user.

Server-side request forgery (SSRF)