OWASP Top 10 Checker Examples
The OWASP Top 10 Checker helps assess web applications against the most critical security risks. Below are examples of checks, test cases, and remediation guidance for each category.
A01 — Broken Access Control
Test cases:
1. Insecure direct object reference (IDOR): access another user's data by changing the ID in the URL:
GET /api/users/123/profile (logged in as user 456)
Expected: 403 Forbidden (404 is also acceptable if you prefer not to confirm that user 123 exists)
Vulnerable if: Returns user 123's data
2. Vertical privilege escalation: access an admin endpoint as a regular user:
GET /admin/dashboard
Expected: 403 Forbidden
Vulnerable if: Returns admin content
3. Horizontal privilege escalation on a state-changing request:
POST /api/orders/789/cancel (order belongs to another user)
Expected: 403 Forbidden, order left unchanged
Vulnerable if: The order is cancelled
Remediation:
- Implement server-side authorization checks on every request
- Use deny-by-default access control policies
- Log access control failures and alert on repeated failures
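The third test case, implemented as a deny-by-default object-level check. This is an added example, not code from the original page: the data shapes (user = {id, role}, order = {id, ownerId, status}), the role names and the in-memory order store are assumptions standing in for a real database and request pipeline.

```javascript
// Added example (not from the original page): deny-by-default,
// object-level authorization for POST /api/orders/:id/cancel.
// Assumed shapes: user = {id, role}, order = {id, ownerId, status}.

const ALLOWED_ROLES_FOR_CANCEL = new Set(['customer', 'admin']);

// Pure decision function. Every path that does not explicitly allow
// falls through to deny, so a forgotten case fails closed.
function authorizeCancelOrder(user, order) {
  if (!user || !order) return { allow: false, reason: 'missing subject or object' };
  if (!ALLOWED_ROLES_FOR_CANCEL.has(user.role)) return { allow: false, reason: 'role not permitted' };
  if (order.status !== 'open') return { allow: false, reason: 'order not cancellable' };
  // Vertical check: admins may cancel any open order.
  if (user.role === 'admin') return { allow: true, reason: 'admin' };
  // Horizontal check: customers may cancel only their own orders,
  // decided against the stored ownerId, never against client input.
  if (order.ownerId === user.id) return { allow: true, reason: 'owner' };
  return { allow: false, reason: 'not owner' };
}

// Constructed in-memory store standing in for the database.
const orders = new Map([
  [789, { id: 789, ownerId: 123, status: 'open' }],
  [790, { id: 790, ownerId: 456, status: 'open' }],
]);

// Simulated handler: look the object up first, then authorize, then act.
function cancelOrderHandler(user, orderId, store = orders) {
  const order = store.get(orderId);
  const decision = authorizeCancelOrder(user, order);
  if (!decision.allow) {
    // Log the failure for monitoring (A09). The response is the same 403
    // whether the order is missing or owned by someone else, so the
    // endpoint cannot be used to enumerate order IDs.
    console.warn(`access denied: user=${user && user.id} order=${orderId} reason=${decision.reason}`);
    return { status: 403, body: { error: 'Forbidden' } };
  }
  order.status = 'cancelled';
  return { status: 200, body: { id: order.id, status: order.status } };
}
```

Keeping the decision in a pure function (authorizeCancelOrder) is what makes the test cases above cheap to automate: each row of the checklist becomes one assertion, and the handler cannot skip the check because the check is the only way to reach the mutation.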
A02 — Cryptographic Failures
Checklist:
✗ Passwords stored as MD5 or SHA-1 hashes (fast, unsalted hashes; adding a salt does not make a fast hash acceptable)
✗ Sensitive data transmitted over HTTP (not HTTPS)
✗ Weak TLS configuration (TLS 1.0/1.1 enabled)
✗ Hardcoded encryption keys in source code
✗ Predictable random number generation for tokens
✓ Passwords hashed with bcrypt, scrypt, or Argon2
✓ HTTPS enforced with HSTS header
✓ TLS 1.2+ only, strong cipher suites
✓ Secrets stored in environment variables or vault
Remediation:
- Use bcrypt (cost factor ≥ 12), scrypt, or Argon2id for password hashing, with a unique random salt per password
- Enforce HTTPS with HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Never store sensitive data in plaintext
A03 — Injection
SQL Injection test:
Input: ' OR '1'='1
Vulnerable query: SELECT * FROM users WHERE name = '' OR '1'='1'
Result: Returns all users — VULNERABLE
Safe (parameterized):
// Node.js
db.query('SELECT * FROM users WHERE name = ?', [userInput]);
// Python
cursor.execute('SELECT * FROM users WHERE name = %s', (user_input,))
Command Injection test:
Input: ; cat /etc/passwd
Vulnerable: exec('ping ' + userInput) (Node's child_process.exec runs the string through a shell, so the ";" starts a second command)
Safe: pass the command and its arguments as a list and never invoke a shell (Node: child_process.execFile; Python: subprocess.run with a list and never shell=True). Validate the input as a hostname or IP address first: an argument list stops shell metacharacters but not option injection from an input beginning with "-".
NoSQL Injection test:
Input: {"$gt": ""}
Vulnerable: db.users.find({password: req.body.password}) (with a JSON body parser, the value arrives as an object and becomes a query operator that matches every password)
Safe: enforce the expected type on every query input (reject anything that is not a string), and never use a plaintext password as a query value; look the user up by username and compare the password against the stored hash.
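The NoSQL test above, worked through end to end. This is an added example, not code from the original page: the user records and request bodies are constructed sample data, and matchesQuery is a deliberately tiny stand-in for the MongoDB matcher (equality and $gt only), just enough to show why the operator object matches every document and how a type check stops it.

```javascript
// Added example (not from the original page): the {"$gt": ""} bypass
// against a login query, and the type-enforcing fix.

// Constructed sample data; plaintext passwords only so the bypass is visible.
const users = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob', password: 's3cret' },
];

// Minimal matcher: an object value with a $gt key is treated as an
// operator, exactly as a real driver would treat it.
function matchesQuery(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return doc[field] > cond.$gt;   // any non-empty string is > ""
    }
    return doc[field] === cond;
  });
}

// Vulnerable: the parsed body value flows into the query unchanged.
function vulnerableLogin(body) {
  return users.filter(u => matchesQuery(u, { username: body.username, password: body.password }));
}

// Hardened: reject anything that is not a bounded, non-empty string before
// it can become an operator object. (A real app would additionally look up
// by username and verify a password hash rather than querying on the password.)
function assertString(name, value, maxLen = 256) {
  if (typeof value !== 'string' || value.length === 0 || value.length > maxLen) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
  return value;
}

function safeLogin(body) {
  const username = assertString('username', body.username);
  const password = assertString('password', body.password);
  return users.filter(u => matchesQuery(u, { username, password }));
}

// What an Express app sees after JSON parsing of
// {"username":"alice","password":{"$gt":""}} (constructed):
const injectedBody = { username: 'alice', password: { $gt: '' } };
```

The same type check belongs on every field that reaches a query, not only on passwords: a {"$ne": null} in a username or filter field turns a lookup into a full-collection scan of somebody else's records.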
A04 — Insecure Design
Checklist:
- Threat modeling performed during design phase?
- Rate limiting on authentication endpoints?
- Account lockout after failed login attempts?
- Secure password reset flow (no predictable tokens)?
- Business logic validated server-side?
Example — Missing rate limiting:
POST /api/auth/login (no rate limit)
→ Attacker can attempt 10,000 passwords/minute
Fix: Implement rate limiting, per source IP and separately per account so that a distributed attack spread across many IPs is also slowed
// Express.js: at most 10 requests per 15 minutes per client IP on the auth routes
const rateLimit = require('express-rate-limit');
app.use('/api/auth', rateLimit({ windowMs: 15*60*1000, max: 10 }));
A05 — Security Misconfiguration
Common misconfigurations to check:
✗ Default credentials not changed (admin/admin)
✗ Directory listing enabled on web server
✗ Verbose error messages exposing stack traces
✗ Unnecessary HTTP methods enabled (TRACE, PUT)
✗ Missing security headers
Security headers checklist:
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
A06 — Vulnerable and Outdated Components
Check for vulnerable dependencies:
npm audit
# Example output (illustrative):
# 3 vulnerabilities (1 moderate, 2 high)
# lodash <4.17.21 — Prototype Pollution (High)
# axios <0.21.2 — SSRF (Moderate)
Fix:
npm audit fix
# npm audit fix --force also applies breaking major-version upgrades; review those before relying on it
# or update a specific package:
npm install lodash@latest
# then commit the updated lockfile so CI installs the fixed version rather than the old one
Python:
pip install safety
safety check
# pip-audit (maintained by the PyPA) performs the same check against the PyPI advisory database
A07 — Identification and Authentication Failures
Checklist:
✗ Weak password policy (min 6 chars, no complexity)
✗ No multi-factor authentication for sensitive actions
✗ Session tokens not invalidated on logout
✗ Session fixation vulnerability
✗ Credentials exposed in URL parameters
✓ Strong password policy (min 12 chars, checked against known-breached password lists)
✓ MFA available for all accounts
✓ Session invalidated server-side on logout and password change (clearing the cookie alone is not enough)
✓ Secure, random session tokens (min 128 bits from a CSPRNG), rotated at login to prevent fixation
A09 — Security Logging and Monitoring Failures
Events that must be logged:
- Failed login attempts (with IP and username)
- Successful logins (with IP and timestamp)
- Password changes and resets
- Access control failures (403 responses)
- Input validation failures
- Admin actions
Log format example:
{
"timestamp": "2026-03-18T14:32:00Z",
"event": "login_failed",
"ip": "203.0.113.42",
"username": "alice@example.com",
"attempt": 5
}
Alert threshold: 5 failed logins in 5 minutes from one IP or against one account → alert and throttle. Count per account as well as per IP, or an attacker who spreads attempts across many addresses never trips the rule; prefer temporary throttling to a hard IP block, which is easy to abuse to lock out legitimate users behind a shared NAT.
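The threshold above as detection logic run over log lines in the format shown. This is an added example, not code from the original page: the log lines are constructed, and the sliding window is kept per IP and per username so that a distributed attack against one account (five different IPs, one attempt each) is caught even though no single IP crosses the threshold.

```javascript
// Added example (not from the original page): sliding-window brute-force
// detection over JSON log lines, keyed by source IP and by username.

const THRESHOLD = 5;
const WINDOW_MS = 5 * 60 * 1000;

// Constructed sample log: alice is attacked from one IP, carol from five.
const SAMPLE_LOG = `
{"timestamp":"2026-03-18T14:30:00Z","event":"login_failed","ip":"203.0.113.42","username":"alice@example.com"}
{"timestamp":"2026-03-18T14:31:00Z","event":"login_failed","ip":"203.0.113.42","username":"alice@example.com"}
{"timestamp":"2026-03-18T14:31:30Z","event":"login_success","ip":"198.51.100.7","username":"bob@example.com"}
{"timestamp":"2026-03-18T14:32:00Z","event":"login_failed","ip":"203.0.113.42","username":"alice@example.com"}
{"timestamp":"2026-03-18T14:33:00Z","event":"login_failed","ip":"203.0.113.42","username":"alice@example.com"}
{"timestamp":"2026-03-18T14:34:00Z","event":"login_failed","ip":"203.0.113.42","username":"alice@example.com"}
{"timestamp":"2026-03-18T14:40:00Z","event":"login_failed","ip":"198.51.100.1","username":"carol@example.com"}
{"timestamp":"2026-03-18T14:40:10Z","event":"login_failed","ip":"198.51.100.2","username":"carol@example.com"}
{"timestamp":"2026-03-18T14:40:20Z","event":"login_failed","ip":"198.51.100.3","username":"carol@example.com"}
{"timestamp":"2026-03-18T14:40:30Z","event":"login_failed","ip":"198.51.100.4","username":"carol@example.com"}
{"timestamp":"2026-03-18T14:40:40Z","event":"login_failed","ip":"198.51.100.5","username":"carol@example.com"}
{"timestamp":"2026-03-18T14:50:00Z","event":"login_failed","ip":"203.0.113.99","username":"dave@example.com"}
`;

function parseLog(text) {
  return text.split('\n').filter(l => l.trim()).map(l => JSON.parse(l));
}

// Returns one alert { key, kind, count, at } per (ip | username) the first
// time its failure count inside the sliding window reaches the threshold.
function detectBruteForce(events, threshold = THRESHOLD, windowMs = WINDOW_MS) {
  const windows = new Map();   // key -> timestamps (ms) still inside the window
  const alerted = new Set();
  const alerts = [];
  for (const e of events) {
    if (e.event !== 'login_failed') continue;
    const t = Date.parse(e.timestamp);
    for (const [kind, value] of [['ip', e.ip], ['username', e.username]]) {
      const key = `${kind}:${value}`;
      const recent = (windows.get(key) || []).filter(h => t - h < windowMs);  // drop stale hits
      recent.push(t);
      windows.set(key, recent);
      if (recent.length >= threshold && !alerted.has(key)) {
        alerted.add(key);
        alerts.push({ key, kind, count: recent.length, at: e.timestamp });
      }
    }
  }
  return alerts;
}

function runDetection() {
  return detectBruteForce(parseLog(SAMPLE_LOG));
}
```

Running it over the sample produces three alerts: the IP 203.0.113.42 and the account alice@example.com at 14:34:00Z, and the account carol@example.com at 14:40:40Z, which a per-IP rule alone would have missed.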
A10 — Server-Side Request Forgery (SSRF)
Vulnerable code:
const url = req.query.url;
const response = await fetch(url); // SSRF vulnerability
Attack:
GET /fetch?url=http://169.254.169.254/latest/meta-data/
→ Accesses AWS instance metadata (credentials exposure)
Fix:
// Validate the URL against an allowlist before fetching; check the scheme too, not only the host
const allowedHosts = ['api.example.com', 'cdn.example.com'];
let parsed;
try { parsed = new URL(url); } catch { return res.status(400).json({ error: 'Invalid URL' }); }
if (parsed.protocol !== 'https:' || !allowedHosts.includes(parsed.hostname)) {
  return res.status(400).json({ error: 'URL not allowed' });
}
// fetch follows redirects by default, so an allowlisted host could still bounce the request to an internal address
const response = await fetch(parsed.toString(), { redirect: 'manual' });
Common Use Cases
- Security assessment before application launch
- Developer training on common vulnerability patterns
- Pre-audit checklist for compliance reviews
- Code review guidance for security-sensitive features
- Identifying vulnerable dependencies in the supply chain
- Building a security testing checklist for QA teams
Work through each OWASP Top 10 category with test cases, code examples, and remediation guidance to systematically assess and improve your application's security posture.