OWASP Web Top 10

The 10 most critical security risks for web applications, as defined by the Open Web Application Security Project (OWASP). These are the vulnerability classes attackers exploit most often.

10 vulnerabilities

Broken Access Control

high

Users can act outside their intended permissions, accessing other users' data or admin functionality without proper authorization checks.

CWE-284 | A01:2021

Cryptographic Failures

high

Sensitive data is exposed due to weak or missing cryptography — using broken hash algorithms like MD5/SHA-1, storing passwords in plaintext, or transmitting data without TLS.

CWE-327 | A02:2021

Supply Chain Failures

medium

Your application inherits vulnerabilities from third-party dependencies — outdated packages with known CVEs that attackers actively exploit.

CWE-1395 | A06:2021

Security Misconfiguration

medium

Default configurations, open CORS policies, debug mode in production, or verbose error messages expose your application to attackers.

CWE-16 | A05:2021

Injection (SQL, NoSQL, Command)

critical

An attacker inserts malicious input into queries or commands by exploiting unsanitized user input — SQL injection, NoSQL injection, and OS command injection.

CWE-89 | A03:2021

Insecure Design

medium

The application's architecture has fundamental security flaws — business logic on the client side, missing server-side validation, or no threat modeling.

CWE-840 | A04:2021

Authentication Failures

high

Weak authentication mechanisms allow attackers to compromise passwords, keys, or session tokens — JWT without expiration, tokens stored in localStorage, or missing MFA.

CWE-287 | A07:2021

Data Integrity Failures

medium

Applications that don't verify the integrity of data, software updates, or CI/CD pipelines are vulnerable to tampering — insecure deserialization and unsigned updates.

CWE-502 | A08:2021

Security Logging Failures

low

Missing or insufficient logging of security events like failed logins, access violations, and data changes makes it impossible to detect and respond to attacks.

CWE-778 | A09:2021

Server-Side Request Forgery (SSRF)

high

An attacker tricks the server into making requests to internal resources — reaching cloud metadata endpoints, internal APIs, or services that should not be publicly reachable.

CWE-918 | A10:2021