Safeguard
AppSec

OWASP Top 10 Vulnerabilities 2023: A Retrospective That Still Applies

There was no new web OWASP Top 10 in 2023 — but the OWASP Top 10 vulnerabilities 2023 story is really about the 2021 web list holding firm and the API Security Top 10 getting a major refresh.

Priya Mehta
Security Analyst
8 min read

The OWASP Top 10 vulnerabilities 2023 were, strictly speaking, the 2021 edition of the web application list — OWASP did not publish a new web Top 10 in 2023, but it did release a major update to the API Security Top 10 that year. That distinction confuses a lot of teams. If someone in 2023 asked "what's the current OWASP Top 10?", the correct answer for web applications was the 2021 list (A01 through A10), while API teams had a brand-new 2023 list of their own. Looking back from today, both documents held up remarkably well, and the categories they emphasized are the same ones still driving breach reports now.

What was actually current in 2023

Three OWASP flagship lists mattered that year:

  • OWASP Top 10 for web applications, 2021 edition. Still the edition in force throughout 2023. OWASP updates this list roughly every four years, so 2023 sat squarely in the middle of the 2021 list's lifespan.
  • OWASP API Security Top 10, 2023 edition. Released in mid-2023, the first refresh since the original 2019 API list. This was the genuinely new OWASP content of the year.
  • OWASP Top 10 for LLM Applications. First published in 2023 as generative AI adoption exploded, introducing categories like prompt injection to a mainstream audience.

So when people search for the OWASP Top 10 vulnerabilities 2023, they are usually looking for one of the first two — and the practical guidance from both is still worth internalizing.

The 2021 web Top 10, as it stood in 2023

The web list that governed 2023 assessments:

  1. A01 Broken Access Control — moved to the top spot in 2021 and stayed there. IDOR bugs, missing function-level checks, privilege escalation.
  2. A02 Cryptographic Failures — the renamed "Sensitive Data Exposure," refocused on root causes like weak algorithms and missing encryption.
  3. A03 Injection — SQL injection, command injection, and (folded in since 2021) cross-site scripting.
  4. A04 Insecure Design — a new category in 2021, pushing threat modeling and secure design patterns left of the code.
  5. A05 Security Misconfiguration — default credentials, verbose errors, unnecessary features enabled.
  6. A06 Vulnerable and Outdated Components — running libraries and frameworks with known CVEs.
  7. A07 Identification and Authentication Failures — credential stuffing, weak session management.
  8. A08 Software and Data Integrity Failures — insecure deserialization plus CI/CD and update-channel integrity, a category that anticipated the supply chain attacks that dominated headlines afterward.
  9. A09 Security Logging and Monitoring Failures — you cannot respond to what you cannot see.
  10. A10 Server-Side Request Forgery (SSRF) — added in 2021 from the community survey.

Reading that list in retrospect, the striking thing is how forward-looking A04 and A08 were. Insecure design and software integrity failures were abstract-sounding in 2021; by 2023 they described the mechanics of real incidents — poisoned build pipelines, malicious package updates, and design flaws that no amount of patching could fix.

The real 2023 release: the API Security Top 10

The OWASP API Security Top 10 2023 was published in mid-2023 as the first major revision since 2019, and it reshaped how teams think about API risk. The headline finding: authorization is still the dominant API failure mode. Broken Object Level Authorization (BOLA) kept the number one spot it has held since 2019, and three of the top five categories relate to access control in some form.

The 2023 API list:

  1. API1 Broken Object Level Authorization
  2. API2 Broken Authentication
  3. API3 Broken Object Property Level Authorization
  4. API4 Unrestricted Resource Consumption
  5. API5 Broken Function Level Authorization
  6. API6 Unrestricted Access to Sensitive Business Flows
  7. API7 Server Side Request Forgery
  8. API8 Security Misconfiguration
  9. API9 Improper Inventory Management
  10. API10 Unsafe Consumption of APIs

Notable changes from 2019: three new entries (Unrestricted Access to Sensitive Business Flows, SSRF, and Unsafe Consumption of APIs), while Injection and Insufficient Logging and Monitoring dropped off the API list. That last part surprised people — injection did not stop existing, but the data showed authorization flaws and business-logic abuse causing far more real-world API damage than classic injection in API contexts.

API6, Unrestricted Access to Sensitive Business Flows, deserves special mention. It codified something practitioners had seen for years: attacks that abuse perfectly "valid" functionality — automated ticket scalping, mass account creation, scraping — where no single request looks malicious. No scanner signature catches that; it requires understanding what the business flow is worth to an attacker.

Why a two-year-old retrospective still matters

Vulnerability classes age slowly. The categories at the top of both 2023-era lists — broken access control, BOLA, misconfiguration, vulnerable components — are the same ones dominating penetration test findings and bug bounty payouts today. A few reasons:

Access control cannot be bought off the shelf. Frameworks give you authentication almost for free. Authorization is inherently application-specific: only your code knows whether user 4823 should see invoice 9107. That is why A01 and API1 persist across every edition.

Component risk compounds. A06 (vulnerable and outdated components) gets worse as dependency trees deepen. A typical Node or Java service pulls in hundreds of transitive dependencies, and known CVEs in those packages are the cheapest attack surface there is. Continuous software composition analysis is the only realistic way to track it — an SCA tool such as Safeguard can flag a vulnerable transitive dependency the day the advisory lands, rather than the day a pentester finds it.

Design flaws outlive code fixes. A04 and API6 describe problems you cannot patch. If your password-reset flow leaks account existence, or your pricing API can be replayed, the fix is a design change, and design changes are exactly what teams defer.

Using the 2023-era lists in practice today

Treat the Top 10 as a curriculum and a coverage checklist, not a compliance scorecard:

  • Map your test coverage against categories. For each of the ten web categories and ten API categories, ask: what actually detects this here? Static analysis covers some injection. DAST scanning exercises misconfiguration, SSRF, and some access-control issues at runtime. SCA covers A06. Several categories — insecure design, business-flow abuse — are only caught by threat modeling and manual review. Knowing which is which prevents false confidence.
  • Prioritize authorization testing. If both lists put access control first, your test effort should too. Write authorization tests as code: for every endpoint, at least one test asserting that the wrong user gets a 403.
  • Inventory before you defend. API9 (Improper Inventory Management) is the quiet enabler of everything else. Shadow and zombie APIs do not appear in your scans because nobody told the scanner they exist.
  • Train against the current editions. The lists make excellent onboarding material for developers; structured resources like a security academy track work better than handing someone a PDF.

What came after

OWASP has continued the roughly four-year cadence for the web list, so the 2021 edition was always expected to be succeeded by a new web Top 10, and the LLM list has continued to evolve on a much faster clock as AI-application risk changes. None of that invalidates the 2023-era material. New editions reshuffle rankings and rename categories, but broken access control, vulnerable components, and misconfiguration do not go away — they get renumbered.

If your program addressed the 2021 web list and the 2023 API list seriously, you were well positioned for everything that followed. If it treated them as an annual checkbox, no future edition will fix that.

FAQ

Was there a new OWASP Top 10 for web applications in 2023?

No. The 2021 edition remained the current web application Top 10 throughout 2023. What was new in 2023 was the OWASP API Security Top 10 (2023 edition) and the first OWASP Top 10 for LLM Applications.

What changed in the OWASP API Security Top 10 2023?

Compared with 2019, the 2023 API list added Unrestricted Access to Sensitive Business Flows, Server-Side Request Forgery, and Unsafe Consumption of APIs, and removed Injection and Insufficient Logging and Monitoring. Broken Object Level Authorization stayed at number one.

Is the 2021/2023 OWASP guidance still relevant?

Yes. The dominant categories — broken access control, vulnerable components, misconfiguration, BOLA — are the same classes driving current pentest findings and breach reports. New editions adjust rankings; the underlying failure modes persist.

How should teams use the OWASP Top 10 day to day?

As a coverage map, not a compliance list. For each category, identify which control in your pipeline (SAST, DAST, SCA, threat modeling, manual review) actually detects it, and close the categories where the honest answer is "nothing."

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.