OWASP Top 10
The OWASP Top 10 is a widely adopted awareness list of the most critical web application security risks — such as broken access control, injection, and cryptographic failures — published by the Open Worldwide Application Security Project. It anchors most web pentest scopes.
OWASP API Security Top 10
The OWASP API Security Top 10 lists the most critical risks specific to APIs — led by broken object-level authorization (BOLA), broken authentication, and excessive data exposure. APIs need their own testing focus beyond the web Top 10.
API Security
API security protects the application programming interfaces that connect apps, mobile clients, and services from abuse — authorization flaws, authentication bypass, and data leakage. As APIs carry most modern traffic, they are a primary attack surface.
BOLA / IDORBroken Object-Level Authorization
BOLA (also called IDOR) is a flaw where an API or app lets a user access another user's data by changing an object identifier — because it checks authentication but not whether the requester owns that object. It is the top API security risk.
SSRFServer-Side Request Forgery
SSRF is a vulnerability where an attacker makes a server send requests to unintended destinations — often internal services or cloud metadata endpoints — turning the trusted server into a proxy. In cloud apps it can lead to credential theft and full compromise.
Cross-Site ScriptingXSS
Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users, running in their browser to steal sessions, credentials, or perform actions as them. Types include stored, reflected, and DOM-based XSS.
SQL InjectionSQLi
SQL injection inserts malicious SQL through unsanitized input so an attacker can read, modify, or delete database data — and sometimes execute commands. A classic, high-impact flaw prevented by parameterized queries.
CSRFCross-Site Request Forgery
CSRF tricks a logged-in user's browser into sending an unwanted authenticated request — for example transferring funds — by exploiting the browser's automatic inclusion of session cookies. Anti-CSRF tokens and SameSite cookies defend against it.
Broken Access Control
Broken access control means users can act outside their intended permissions — viewing others' data, reaching admin functions, or bypassing checks. It is the OWASP Top 10's number-one web risk and the root of BOLA/IDOR.
JWTJSON Web Token
A JSON Web Token is a signed, compact token that carries identity and claims between client and server for stateless authentication. Insecure signature verification, weak keys, or the 'none' algorithm are common JWT vulnerabilities in APIs.
OAuth 2.0
OAuth 2.0 is an authorization framework that lets an application access resources on a user's behalf without sharing their password, issuing scoped access tokens. Misconfigured redirect URIs and scopes are frequent sources of account-takeover flaws.
SAMLSecurity Assertion Markup Language
SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider and a service, enabling single sign-on (SSO) for enterprises. Signature-wrapping and misconfiguration attacks can bypass it.
Secure Code Review
Secure code review manually inspects source code to find vulnerabilities black-box testing misses — hardcoded secrets, injection sinks, broken authorization, and unsafe crypto — often combined with SAST. It examines the code, not just the running app.
SASTStatic Application Security Testing
SAST analyzes an application's source code, bytecode, or binaries without running it, flagging insecure patterns early in development. It offers wide coverage but produces false positives and cannot see runtime behavior.
DASTDynamic Application Security Testing
DAST tests a running application from the outside, sending inputs to find vulnerabilities visible at runtime — like injection and misconfiguration — without access to source code. It complements SAST's code-level view.
IASTInteractive Application Security Testing
IAST instruments a running application to analyze code and data flow from the inside during testing, combining SAST's code visibility with DAST's runtime accuracy for fewer false positives. It runs within the app under test.
OWASP ASVSApplication Security Verification Standard
The OWASP ASVS is a detailed catalog of application security requirements and verification levels used to define scope and measure the rigor of an application security test. It turns 'is this app secure?' into checkable controls.
OWASP MASVSMobile Application Security Verification Standard
The OWASP MASVS defines security requirements for mobile apps — covering storage, cryptography, authentication, and platform interaction — and anchors mobile penetration test scopes for Android and iOS.
Prompt Injection
Prompt injection manipulates a large language model with crafted input so it ignores its instructions or performs unintended actions — leaking data or misusing connected tools. It is the top risk in the OWASP Top 10 for LLM Applications.
AI Security
AI security protects applications built on machine-learning and large-language models from risks like prompt injection, insecure output handling, data leakage, and agent/tool abuse, following the OWASP Top 10 for LLM Applications.