Web attack quick reference
The OWASP Top 10:2025, cookie security flags, injection syntax to recognise and the three XSS types with a fix for each.
OWASP Top 10:2025
The current list. It differs from the 2021 edition: supply chain failures are now their own category and a new tenth category covers mishandled error conditions.
| Code | Name | One-line description |
|---|---|---|
| A01 | Broken Access Control | Users act outside their permissions, reaching data or functions that should be denied. |
| A02 | Security Misconfiguration | Insecure defaults, open features or missing hardening leave the stack exposed. |
| A03 | Software Supply Chain Failures | Compromised dependencies, build pipelines or third-party components reach production. |
| A04 | Cryptographic Failures | Weak, missing or misused cryptography exposes data in transit or at rest. |
| A05 | Injection | Untrusted input is parsed as code or commands, as in SQL, OS or LDAP injection. |
| A06 | Insecure Design | Flaws baked into the design that no amount of clean implementation can fix. |
| A07 | Authentication Failures | Weak login, session or credential handling lets attackers impersonate users. |
| A08 | Software or Data Integrity Failures | Code or data is trusted without verifying it has not been tampered with. |
| A09 | Security Logging and Alerting Failures | Gaps in logging and alerting let attacks go undetected and unanswered. |
| A10 | Mishandling of Exceptional Conditions | Errors and edge cases are handled in ways that leak data or fail unsafely. |
Cookie security flags
| Flag | What it does | What it prevents |
|---|---|---|
| HttpOnly | Hides the cookie from JavaScript (document.cookie) | Session theft through cross-site scripting |
| Secure | Sends the cookie only over HTTPS | Interception of the cookie on plaintext connections |
| SameSite | Limits sending the cookie on cross-site requests (Lax, Strict, None) | Cross-site request forgery |
A hardened session cookie sets all three:
Set-Cookie: session=<random>; HttpOnly; Secure; SameSite=Lax; Path=/
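A small checker for the three flags, as an added example that is not code from the original page. It parses a Set-Cookie value, reports each missing or misused flag, and also applies the `__Host-` prefix rules (Secure, Path=/, no Domain), which go beyond the table above. The `parse_set_cookie` and `audit_session_cookie` names and the headers in `SAMPLES` are constructed for this demonstration.

```python
"""Audit a Set-Cookie header for the HttpOnly, Secure and SameSite flags.

Added example, not code from the original page. The sample headers in
SAMPLES are constructed for this demonstration.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and a dict of attributes.

    Attribute names are case-insensitive (RFC 6265), so they are stored
    lower-cased; a flag attribute with no value (HttpOnly, Secure) maps to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_session_cookie(header: str) -> list[str]:
    """Return one finding per missing or misused flag; an empty list means hardened."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable through document.cookie")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP")
    same_site = attrs.get("samesite")
    if same_site is None or same_site is True:
        # Chromium-based browsers default to Lax, others may not; state it explicitly.
        findings.append("missing SameSite: set Lax or Strict explicitly")
    else:
        mode = same_site.lower()
        if mode not in ("lax", "strict", "none"):
            findings.append(f"unknown SameSite value {same_site!r}")
        elif mode == "none" and "secure" not in attrs:
            # Browsers reject SameSite=None without Secure and drop the cookie.
            findings.append("SameSite=None requires Secure or the cookie is rejected")
    if cookie["name"].startswith("__Host-"):
        # Cookie prefixes (not in the table above) add host-binding rules.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return findings


# Constructed sample headers for the demonstration.
SAMPLES = [
    "session=3f9a2c; HttpOnly; Secure; SameSite=Lax; Path=/",
    "session=3f9a2c; Path=/",
    "session=3f9a2c; HttpOnly; SameSite=None",
    "__Host-session=3f9a2c; HttpOnly; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header)
        for finding in audit_session_cookie(header) or ["ok"]:
            print("  -", finding)
```

Run it against captured response headers from a proxy or a framework's test client; only the first sample passes clean, the second is missing all three flags, the third shows the SameSite=None trap, and the fourth has the prefix without the Path it demands.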
Injection syntax to recognise
| Class | Example payload | Effect |
|---|---|---|
| SQL injection | ' OR 1=1-- | Forces a query's WHERE clause true and comments out the rest |
| Path traversal | ../../etc/passwd | Climbs out of the intended directory to read arbitrary files |
| Command injection | ; whoami | Chains an OS command onto one the server already runs |
Parameterised queries stop SQL injection; canonicalising the resolved path and checking that it still lies under the intended base directory (or allow-listing file names outright) stops traversal; and passing untrusted input to a subprocess as an argument list with no shell stops command injection.
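The three payloads from the table against a vulnerable and a fixed form of each sink, as an added example that is not code from the original page. The in-memory sqlite3 table, the `uploads` base directory and the inputs are constructed for this demonstration; the function names are assumptions. The command-injection fix uses a Python one-liner as the child process so the block runs on any platform.

```python
"""The three injection classes from the table, each beside the fix named in the text.

Added example, not code from the original page. The sqlite3 table, the
base directory and the inputs are constructed for this demonstration.
"""
import os
import sqlite3
import subprocess
import sys

# Constructed base directory; it does not need to exist for the path checks.
BASE_DIR = os.path.join(os.getcwd(), "uploads")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    # Concatenation lets the input rewrite the SQL: ' OR 1=1-- closes the
    # string, makes WHERE always true and comments out the trailing quote.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # Parameterised query: the value travels separately from the statement
    # text, so nothing in it can change the query's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def safe_join(base: str, user_path: str) -> str:
    """Resolve user_path inside base, or raise if it climbs out.

    realpath canonicalises '..' segments and symlinks before the check, and
    os.path.join discards base entirely when user_path is absolute, which is
    why the comparison is made on the resolved result rather than the input.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def run_vulnerable(arg: str) -> str:
    # shell=True hands the whole string to the shell, so "; whoami" becomes
    # a second command. Kept for comparison only; never call it with input.
    return subprocess.run(f"echo {arg}", shell=True,
                          capture_output=True, text=True).stdout


def run_safe(arg: str) -> str:
    # argv list and no shell: metacharacters reach the child as one literal
    # argument. The child is a Python one-liner that prints argv[1], chosen
    # so the example runs on any platform with the same interpreter.
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", arg]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every user
    print("safe:      ", lookup_safe(db, payload))        # no user
    for p in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        try:
            print("ok  ", safe_join(BASE_DIR, p))
        except ValueError as err:
            print("deny", err)
    print("argv:", run_safe("; whoami"))  # the literal string, no command run
```

The traversal check deliberately compares resolved paths rather than rejecting `..` in the input: encoded or doubled separators get past a string filter but not past `realpath` followed by `commonpath`.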
Cross-site scripting types
| Type | Where the payload lives | Fix in one line |
|---|---|---|
| Reflected | Bounced straight back in the response from a request parameter | Context-aware output encoding on every reflected value |
| Stored | Saved server-side and served to later visitors | Encode on output at render time; sanitise on input with an allow-list only where HTML must be preserved, and never trust stored data |
| DOM-based | Written into the page by client-side JavaScript | Use safe DOM APIs such as textContent, never innerHTML with untrusted data |
A strong Content-Security-Policy (a script-src built on nonces or hashes, with no unsafe-inline) limits the damage of any XSS that slips through.
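What "context-aware output encoding" means in practice for the reflected and stored rows above, as an added example that is not code from the original page. Each value is encoded for the slot it lands in: HTML body, quoted attribute, URL query parameter and JavaScript string. The `render_profile` template, the `encode_*` helper names and the payloads are constructed for this demonstration.

```python
"""Context-aware output encoding: the fix for reflected and stored XSS.

Added example, not code from the original page. The render_profile
template and the payloads are constructed for this demonstration.
"""
import html
import json
from urllib.parse import quote


def encode_html_body(value: str) -> str:
    # & < > " ' become entities, so the browser never starts a tag.
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    # Same entities, but only safe when the template quotes the attribute;
    # an unquoted attribute ends at the first space regardless of encoding.
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    # A JSON string literal is a valid JS string literal. json.dumps does not
    # escape "</", which would let </script> end the block early, nor the
    # U+2028/U+2029 line terminators, so those are escaped by hand.
    return (json.dumps(value)
            .replace("</", "<\\/")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def encode_url_param(value: str) -> str:
    # Percent-encode everything so the value stays inside its query parameter.
    # This does not make a value safe as a whole href: a scheme allow-list
    # (http/https) is still needed there to block javascript: URLs.
    return quote(value, safe="")


def render_profile(name: str, bio: str, site: str) -> str:
    """Render one user profile, encoding each value for the slot it lands in."""
    return (
        f'<h1 title="{encode_html_attr(name)}">{encode_html_body(name)}</h1>\n'
        f'<p>{encode_html_body(bio)}</p>\n'
        f'<a href="/out?u={encode_url_param(site)}">homepage</a>\n'
        f'<script>var displayName = {encode_js_string(name)};</script>'
    )


if __name__ == "__main__":
    # Constructed payloads: values a stored or reflected sink would receive.
    print(render_profile('"><script>alert(1)</script>',
                         '<img src=x onerror=alert(2)>',
                         'javascript:alert(3)'))
```

The same value is encoded differently in each slot, which is the whole point: one "sanitise" pass at input time cannot know which context the value will end up in, so encoding belongs at the render step.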