Verify every sensitive request
Why it matters:UI hiding is not access control.
Safe action:Check authorization on the server side for each sensitive action.
OWASP Top 10 Checklist
Table of Contents
Quick Answer
The OWASP Top 10 checklist is a defensive web application review aid. Use it to ask practical questions about access control, cryptography, injection, insecure design, misconfiguration, vulnerable components, authentication, logging, and SSRF.
What Is the OWASP Top 10 Checklist?
The OWASP Top 10 is a widely used awareness list for common web application security risk categories. This checklist translates those categories into beginner-friendly review questions for defensive learning and authorized application review.
How to Use It
Use the checklist during design review, code review, staging validation, and security awareness. It does not provide exploitation steps. For production systems, combine it with professional testing, secure coding, and documented risk ownership.
OWASP Top 10 Review Checklist
| Risk area | What to check | Beginner-friendly example | Related Insecure Lab guide |
|---|---|---|---|
| Broken Access Control | Can users access only what they are allowed to access? | Direct object IDs, admin pages, tenant boundaries, and file downloads need authorization checks. | BOLA |
| Cryptographic Failures | Is sensitive data protected in transit and at rest? | Use HTTPS, avoid weak crypto, and protect secrets. | Cryptography |
| Injection | Are inputs separated from commands, queries, and interpreters? | Use parameterized database queries and safe output handling. | SQL Injection |
| Insecure Design | Are threat modeling and abuse cases considered early? | Document risky flows before implementation. | Web Security Basics |
| Security Misconfiguration | Are default settings, headers, errors, and permissions hardened? | Disable unnecessary features and review Security Headers. | Clickjacking |
| Vulnerable Components | Are dependencies tracked and updated? | Maintain a software inventory and patch vulnerable libraries. | Zero Day Attack |
| Authentication Failures | Are login, session, reset, and MFA flows protected? | Use rate limits, secure sessions, and MFA for sensitive access. | Password Security |
| Integrity Failures | Are updates, plugins, and CI/CD trusted? | Protect build pipelines and verify trusted sources. | SAST and DAST |
| Logging and Monitoring | Can suspicious activity be detected and investigated? | Log key events without exposing secrets. | IDS |
| SSRF | Can server-side requests reach internal or unintended systems? | Use allowlists, network segmentation, and safe URL handling. | SSRF vs CSRF |
Access Control Checklist
Review object-level permissions
Why it matters:Users may try to access another user’s record or file.
Safe action:Check ownership and role before returning data.
Test tenant boundaries safely
Why it matters:Multi-tenant apps need strict separation.
Safe action:Use authorized test accounts and sample data only.
Injection Checklist
- Use parameterized queries for database access.
- Validate and encode input/output based on context.
- Avoid building commands, HTML, or queries from untrusted strings.
Logging and Monitoring Checklist
- Log authentication, authorization, and sensitive workflow events.
- Protect logs from tampering and overexposure.
- Alert on repeated failures, privilege changes, and suspicious requests.
Safe Learning Notes
Use intentionally vulnerable labs or applications you own when practicing. Do not test third-party websites or accounts without explicit permission.
FAQs
It is a defensive review aid based on OWASP Top 10 web application risk categories. It helps beginners ask practical review questions without turning the list into an attack tutorial.
Yes. The checklist is written for beginners, developers, and security learners who want a structured overview of common web application risks.
No. It summarizes review questions and links to related learning pages. The official OWASP Top 10 remains the authoritative source.
No. Practice only on systems you own, intentionally vulnerable labs, or environments where you have explicit permission.
Sources and further reading
- OWASP Top 10 — Official OWASP web application risk categories
- OWASP Web Security Testing Guide — Authorized web application testing methodology
- OWASP Application Security Verification Standard — Application security verification controls