The OWASP Top 10 2021 is the most widely cited list of critical web application security risks. For Indian developers building fintech, healthtech, or SaaS products, these ten categories map directly to the vulnerabilities that get exploited in real breaches — and that CERT-In mandates you address before going live. This guide walks every category in plain English: what it is, a concrete Indian-context example, how to fix it, and how automated VAPT surfaces it before attackers do.
What Is the OWASP Top 10?
The Open Worldwide Application Security Project (OWASP) publishes its Top 10 list based on data from hundreds of organisations worldwide. The 2021 edition reflects real-world CVE data, bug bounty programmes, and penetration testing findings — it is a map of where attackers are actually winning.
A1 — Broken Access Control
What it is: The application lets users do things they should not be allowed to do — access other users' data, perform admin actions, or modify records that belong to someone else.
Indian example: A payment gateway dashboard lets any logged-in merchant view transaction records by changing an order ID in the URL from /orders/1001 to /orders/1002. The backend trusts the ID without checking ownership.
The fix: Enforce authorisation server-side on every request. Never trust client-supplied IDs. Use RBAC and deny by default.
How VAPT finds it: Scanners replay authenticated requests with modified object identifiers (IDOR probes) and flag responses that return another user's data with a 200 OK.
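The ownership check the fix calls for, as an added example (not code from the page or from Bachao.AI), using an in-memory SQLite table with constructed merchants and orders: the vulnerable lookup trusts the order ID taken from the URL, while the hardened one makes ownership part of the query and denies by default.

```python
import sqlite3

def build_db():
    # Constructed sample data: two merchants, one order each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, merchant_id INTEGER, amount INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1001, 1, 5000), (1002, 2, 7500)])
    return db

def get_order_vulnerable(db, order_id):
    # Trusts the client-supplied ID: any logged-in merchant can read any order
    # simply by changing /orders/1001 to /orders/1002.
    return db.execute(
        "SELECT id, merchant_id, amount FROM orders WHERE id = ?", (order_id,)).fetchone()

def get_order_secure(db, order_id, caller_merchant_id, caller_role="merchant"):
    # Deny by default: only the owning merchant or an admin gets a row back.
    if caller_role == "admin":
        return db.execute(
            "SELECT id, merchant_id, amount FROM orders WHERE id = ?", (order_id,)).fetchone()
    # Ownership is part of the query itself, so a mismatched ID returns nothing;
    # the endpoint should answer 404 for None rather than leak whether the order exists.
    return db.execute(
        "SELECT id, merchant_id, amount FROM orders WHERE id = ? AND merchant_id = ?",
        (order_id, caller_merchant_id)).fetchone()
```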
A2 — Cryptographic Failures
What it is: Sensitive data is transmitted or stored without adequate encryption — or with outdated, weak cryptographic algorithms.
Indian example: An insurance portal stores customer Aadhaar numbers in the database using MD5 hashes (a fast, broken algorithm trivially reversed via rainbow tables). If the database is dumped, every user's identity document number is exposed.
The fix: Use AES-256 at rest, TLS 1.2+ in transit (never SSLv3/TLS 1.0). For passwords, use bcrypt, scrypt, or Argon2 — not MD5 or SHA1. Never store PII in plaintext.
How VAPT finds it: Network scanners detect weak cipher suites. Static analysis flags deprecated hash functions in code.
A3 — Injection
What it is: Untrusted data is sent to an interpreter (SQL, OS shell, LDAP, XML) as part of a command or query. The interpreter executes attacker-controlled logic.
Indian example: An e-commerce login form accepts username = admin'-- which comments out the password check in the SQL query, granting access without a valid credential. A variant: an admin panel passes a domain name directly to a shell command for a DNS lookup, allowing ;cat /etc/passwd to be appended.
The fix: Use parameterised queries / prepared statements for all database calls. Never concatenate user input into queries. Use an ORM correctly (ORMs can still be misconfigured). Validate and sanitise all inputs. Apply the principle of least privilege to database accounts.
How VAPT finds it: Automated scanners inject classic SQL payloads (' OR 1=1--, UNION SELECT) and time-based blind probes, then analyse responses for anomalies.
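The login example above, as an added example (not code from the page or from Bachao.AI): the same query built by string concatenation and with a parameterised statement, run against a constructed in-memory SQLite table so the effect of admin'-- can be checked directly.

```python
import sqlite3

def build_db():
    # Constructed sample users table. The plaintext password column exists only to keep
    # the query shape visible; real code stores a bcrypt/Argon2 hash and verifies it
    # after the lookup (see A2).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse')")
    return db

def login_vulnerable(db, username, password):
    # Concatenation: the input becomes part of the SQL grammar, so admin'-- closes the
    # string and comments out the password check.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_secure(db, username, password):
    # Parameterised query: the driver sends values separately from the statement,
    # so admin'-- is compared literally against the username column and matches nothing.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```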
A related injection variant, server-side template injection (recognised when a probe such as {{7*7}} renders as 49), is increasingly common in Indian SaaS platforms that use server-side templating engines.
A4 — Insecure Design
What it is: Security flaws baked into the architecture and design — not bugs in implementation, but missing security controls at the concept stage.
Indian example: A UPI-based lending app is designed so that loan repayment confirmations are accepted from a webhook with no signature verification. An attacker can POST a fake repayment event and mark a loan as cleared without paying.
The fix: Threat-model before you build. Use security design patterns: input validation gates, rate limiting on financial operations, mandatory HMAC verification on inbound webhooks.
How VAPT finds it: Architecture reviews during VAPT surface insecure design patterns. Runtime probes confirm whether rate limits and signature checks are actually enforced.
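HMAC verification for the repayment webhook, as an added example not taken from the page or from any provider: the shared secret, the "timestamp.body" signing layout and the five-minute replay window are assumptions for the demo, not a real payment provider's scheme.

```python
import hashlib
import hmac
import json
import time

# Shared secret agreed with the payment provider out of band (constructed demo value).
WEBHOOK_SECRET = b"constructed-demo-secret"

def sign_event(body: bytes, timestamp: int, secret: bytes = WEBHOOK_SECRET) -> str:
    # Provider side: HMAC-SHA256 over "<timestamp>.<body>" so the signature binds both,
    # and a captured event cannot be replayed later under a fresh timestamp.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_webhook(body, timestamp, signature, now=None, tolerance=300, secret=WEBHOOK_SECRET):
    now = int(time.time()) if now is None else now
    if abs(now - int(timestamp)) > tolerance:
        return False  # stale or replayed event
    expected = sign_event(body, timestamp, secret)
    # Constant-time comparison so the check does not leak the digest byte by byte.
    return hmac.compare_digest(expected, str(signature))

def handle_repayment(body, timestamp, signature, now=None):
    # Hardened handler: only a verified event may mark a loan as cleared.
    if not verify_webhook(body, timestamp, signature, now):
        return {"status": "rejected"}
    event = json.loads(body)
    return {"status": "cleared", "loan_id": event["loan_id"], "amount": event["amount"]}
```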
A5 — Security Misconfiguration
What it is: Default credentials left unchanged, unnecessary features enabled, overly permissive cloud permissions, verbose error messages exposing stack traces, missing security headers.
Indian example: A startup deploys MongoDB on AWS EC2 with the default configuration — no authentication required, port 27017 exposed to 0.0.0.0. Within hours, an automated scanner on the internet finds it and deletes all data, leaving a ransom note.
The fix: Harden every component before deployment. Disable default accounts, strip unnecessary HTTP methods, set security headers (X-Frame-Options, Content-Security-Policy, Strict-Transport-Security), and authenticate every data store.
How VAPT finds it: Port scans identify exposed services. Header analysis flags missing security headers. Credential probes test default credentials.
A6 — Vulnerable and Outdated Components
What it is: Using libraries, frameworks, or OS packages with known CVEs that have published exploits.
Indian example: A fintech portal runs Spring Boot 2.6.1 (affected by Log4Shell, CVE-2021-44228) without updating. An attacker sends a crafted JNDI string in a log field and achieves remote code execution on the server.
The fix: Maintain a software bill of materials (SBOM). Run dependency scanners (OWASP Dependency-Check, npm audit) in CI/CD. Block deployment on critical CVEs and subscribe to security advisories for your core frameworks.
How VAPT finds it: Automated VAPT platforms fingerprint technology stacks and cross-reference CVE databases, surfacing critical vulnerabilities with patch recommendations.
A7 — Identification and Authentication Failures
What it is: Weaknesses in how users are authenticated and sessions are managed — weak passwords allowed, no multi-factor authentication, session tokens that never expire, or tokens predictable enough to brute-force.
Indian example: An HR SaaS platform issues session cookies with a 30-day expiry and no revocation mechanism. When an employee's laptop is stolen, there is no way to invalidate their active session without resetting the entire user account.
The fix: Enforce strong password policies. Implement MFA for all privileged accounts. Use short-lived session tokens with server-side invalidation on logout. Apply account lockout with exponential back-off.
How VAPT finds it: VAPT tools attempt credential stuffing, probe session tokens for predictability, and test whether logout invalidates server-side sessions.
A8 — Software and Data Integrity Failures
What it is: Code or data that relies on plugins, libraries, or data pipelines without verifying integrity — including insecure CI/CD pipelines and deserialisation of untrusted data.
Indian example: A DevOps team's CI/CD pipeline pulls a build dependency from a public npm registry using a floating version (^2.x) without pinning hashes. A supply chain attack injects malicious code into a minor release. The next deployment ships the attacker's code to production.
The fix: Pin all dependency versions and verify checksums. Use SRI for CDN assets. Restrict CI/CD approval permissions, rotate secrets regularly, and audit pipeline configs. Avoid deserialising untrusted data.
How VAPT finds it: CI/CD security reviews check for unpinned dependencies and unprotected pipeline jobs.
A9 — Security Logging and Monitoring Failures
What it is: The application does not log security-relevant events, or logs are not monitored, so breaches go undetected for weeks or months. CERT-In's 2022 cybersecurity directions require organisations to retain logs for 180 days and report certain incidents within 6 hours — impossible without adequate logging infrastructure.
Indian example: An NBFC's web portal has no logging on its authentication endpoint. Attackers run a credential-stuffing campaign over two weeks — 200,000 login attempts — and compromise 3,000 accounts. The first indication is customer complaints, not an alert.
The fix: Log all authentication events, privilege escalation, and API errors. Ship to a centralised SIEM. Alert on anomalous patterns (high failure rates, unusual geolocations).
How VAPT finds it: VAPT assessors generate detectable attack traffic and check whether your monitoring raised any alert — a direct test of detection coverage.
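Detection logic for the NBFC scenario, as an added example (not the page's or any product's code): it parses constructed authentication log lines in an assumed format and alerts on a source address that fails logins for many distinct usernames within one window, which is the shape of a credential-stuffing campaign rather than one user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in a format assumed for this demo (not a real product's).
LOG_LINES = """\
2024-03-01T10:00:01Z auth login_failed user=alice src=203.0.113.5
2024-03-01T10:00:02Z auth login_failed user=bob src=203.0.113.5
2024-03-01T10:00:02Z auth login_failed user=carol src=203.0.113.5
2024-03-01T10:00:03Z auth login_success user=dave src=203.0.113.5
2024-03-01T10:00:04Z auth login_failed user=erin src=203.0.113.5
2024-03-01T10:00:05Z auth login_failed user=frank src=203.0.113.5
2024-03-01T10:00:09Z auth login_failed user=alice src=198.51.100.7
2024-03-01T10:00:20Z auth login_success user=alice src=198.51.100.7
""".splitlines()

LINE_RE = re.compile(r"^(\S+) auth (login_failed|login_success) user=(\S+) src=(\S+)$")

def parse(line):
    """Return (timestamp, outcome, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_credential_stuffing(lines, window=timedelta(minutes=5), max_failures=4, min_users=3):
    """Alert on a source IP that fails logins for many distinct usernames within one window.
    Stuffing looks like many users, one or two attempts each, from one source; a single user
    mistyping a password never reaches the distinct-user threshold."""
    failures = defaultdict(list)
    for ts, outcome, user, src in filter(None, map(parse, lines)):
        if outcome == "login_failed":
            failures[src].append((ts, user))
    alerts = []
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored at each failure in time order.
            users = [u for t, u in fails[i:] if t - start <= window]
            if len(users) >= max_failures and len(set(users)) >= min_users:
                alerts.append({"src": src, "failures": len(users), "distinct_users": len(set(users))})
                break
    return alerts
```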
A10 — Server-Side Request Forgery (SSRF)
What it is: The server fetches a URL supplied by the attacker — allowing access to internal services, cloud metadata endpoints, or other systems behind the firewall.
Indian example: A content aggregator lets users submit an RSS feed URL. An attacker submits http://169.254.169.254/latest/meta-data/iam/security-credentials/ — the AWS instance metadata URL. The server fetches it and returns AWS IAM credentials to the attacker, who then pivots to S3 buckets with customer data.
The fix: Allowlist permitted URL destinations. Block private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16) at network and application layers. Use IMDSv2 on AWS.
How VAPT finds it: Automated scanners inject metadata endpoint URLs and internal IP ranges into URL parameters and API payloads, then detect whether the server returns internal content.
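The allowlist-and-block-private-ranges fix for the RSS fetcher, as an added example not taken from the page: it validates the scheme, resolves the host, rejects every address in the ranges the text lists (plus loopback and IPv6 equivalents, an assumption added here), and unwraps IPv4-mapped IPv6 so the metadata address cannot be smuggled that way. The resolver is injectable so the example can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# The RFC 1918 and link-local ranges named in the text (169.254.0.0/16 covers the AWS
# metadata address), plus loopback and IPv6 counterparts (an assumption added here).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot bypass the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (any(ip in net for net in BLOCKED_NETS)
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def default_resolver(host):
    # Live DNS lookup; tests inject a fake resolver so the demo runs offline.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_feed_url(url, resolver=default_resolver):
    """Return (url, ip) the fetcher may connect to, or raise ValueError.
    Connect to the returned IP rather than re-resolving the name, and re-validate any
    redirect target, otherwise DNS rebinding or a 302 reintroduces the SSRF."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    try:
        ipaddress.ip_address(host)  # literal IP: no DNS needed
        addrs = {host}
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError("host does not resolve")
    for addr in addrs:  # every record must be clean, not just the first
        if is_blocked_address(addr):
            raise ValueError(f"destination {addr} is not a permitted target")
    return url, sorted(addrs)[0]

def safe_to_fetch(url, resolver=default_resolver):
    try:
        validate_feed_url(url, resolver)
        return True
    except ValueError:
        return False
```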
How an Attacker Chains OWASP Flaws to Compromise an App
Real-world breaches rarely exploit just one vulnerability. Attackers chain them. Here is a realistic attack path:
1. Attacker scans public endpoints.
2. A5 Security Misconfiguration: a verbose error message exposes the database version.
3. A6 Outdated Component: that database version has a known CVE.
4. A3 Injection: SQL injection via the search field.
5. A2 Cryptographic Failure: password hashes are MD5.
6. A7 Authentication Failure: cracked credentials are reused.
7. A1 Broken Access Control: admin panel reachable via IDOR.
8. A9 No Monitoring: the breach goes undetected for weeks.
9. Full compromise: customer data exfiltrated.
OWASP 2021 — Relative Prevalence in Tested Applications
The following data reflects the percentage of applications in which each category was found, based on OWASP's own data collection for the 2021 list (sourced from owasp.org/Top10):
| Category | % of applications affected |
|---|---|
| A01 Access Control | 94 |
| A02 Crypto | 45 |
| A03 Injection | 60 |
| A04 Design | 40 |
| A05 Misconfig | 90 |
| A06 Components | 47 |
| A07 Auth | 55 |
| A08 Integrity | 33 |
| A09 Logging | 58 |
| A10 SSRF | 32 |
Remediation Priority Cheat Sheet
| OWASP Category | Risk Level | Quickest Fix | VAPT Coverage |
|---|---|---|---|
| A1 Broken Access Control | Critical | Server-side ownership checks on every endpoint | IDOR probes, auth bypass tests |
| A2 Cryptographic Failures | High | TLS 1.3, bcrypt for passwords, AES-256 at rest | Cipher suite scan, hash analysis |
| A3 Injection | Critical | Parameterised queries everywhere | Automated payload injection |
| A4 Insecure Design | High | Threat modelling before build | Architecture review |
| A5 Security Misconfiguration | High | Hardening checklist + IaC scanning | Port scan, header analysis |
| A6 Vulnerable Components | High | SBOM + automated dependency scan in CI | CVE fingerprinting |
| A7 Auth Failures | High | MFA + short-lived tokens | Credential testing, session probes |
| A8 Integrity Failures | Medium | Pin deps + HMAC on webhooks | CI/CD audit, SRI checks |
| A9 Logging Failures | Medium | Centralised logging + anomaly alerts | Detection simulation |
| A10 SSRF | High | URL allowlisting + block metadata IPs | Metadata endpoint injection |
How Automated VAPT Covers the OWASP Top 10
Manual penetration testing covers OWASP categories well but is slow, expensive, and a point-in-time exercise. Automated VAPT platforms run continuously and scale across all endpoints. Bachao.AI by Dhisattva AI Pvt Ltd maps every scan finding to its OWASP category, so your report shows not just "SQL injection found" but "A3 — Injection" with remediation guidance, severity, and affected endpoint — ready for your development team to act on without interpretation.
A free VAPT scan covers your publicly reachable attack surface and surfaces the most common OWASP findings within 24 hours.