OWASP Top 10
Reference for the three current authoritative OWASP lists: Web (2021), API (2023), and LLM (2025). Each item gives the definition, a concrete attack example, and a code-level mitigation. Each item can be marked covered, partial, or gap; the assessment is stored locally and exportable as a Markdown audit trail.
OWASP Web Top 10 2021
A03 Injection
User-supplied data is not validated, filtered, or sanitised by the application and reaches an interpreter (SQL, NoSQL, OS command, LDAP, XPath, ORM query, or, since the 2021 list folded Cross-Site Scripting into this category, the browser's HTML/JavaScript parser) as part of a command or query, where it changes the statement's structure and executes unintended commands. The root cause is mixing data with code; the mitigation is to keep them separate (parameterised queries, safe APIs, contextual output encoding) and to allowlist-validate anything that cannot be parameterised.
A05 Security Misconfiguration
The application or its stack is left in an insecure state: insecure defaults, incomplete or ad hoc configuration, open cloud storage, verbose error messages that return stack traces to clients, unnecessary features or sample applications enabled, default accounts and passwords left in place, and missing security headers. It applies at every layer (network, platform, web server, framework, code) and is often the easiest path in because it needs no exploit, only a scan.
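Added example (not from the page or from any particular framework): a small audit over a hypothetical settings object that flags the misconfigurations listed above, with a weak and a hardened configuration side by side, and an error handler that shows the difference between returning a stack trace to the client and returning an opaque error id while logging the detail server-side. The `AppConfig` field names, the placeholder-secret list and the feature names are assumptions made for the example.

```python
import logging
import secrets
import traceback
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of values that mean "the default secret was never changed".
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "dev", "password"}
REQUIRED_HEADERS = {
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Content-Security-Policy",
}
# Hypothetical feature flags that have no business being on in production.
UNNEEDED_FEATURES = {"sample_app", "remote_console"}

log = logging.getLogger("app")


@dataclass
class AppConfig:
    """Hypothetical framework settings; the field names are assumptions for this example."""
    debug: bool
    secret_key: str
    cors_allowed_origins: list
    default_admin_password: Optional[str] = None
    directory_listing: bool = False
    response_headers: dict = field(default_factory=dict)
    enabled_features: set = field(default_factory=set)


def audit_config(cfg: AppConfig) -> list:
    """Return the misconfiguration findings for cfg; an empty list means none of these checks fired."""
    findings = []
    if cfg.debug:
        findings.append("debug mode on: stack traces and debug endpoints reachable by clients")
    if cfg.secret_key.lower() in PLACEHOLDER_SECRETS or len(cfg.secret_key) < 32:
        findings.append("secret_key is a placeholder or shorter than 32 characters")
    if "*" in cfg.cors_allowed_origins:
        findings.append("CORS allows any origin")
    if cfg.default_admin_password is not None:
        findings.append("default admin account with a fixed password is still configured")
    if cfg.directory_listing:
        findings.append("directory listing enabled")
    missing = sorted(REQUIRED_HEADERS - set(cfg.response_headers))
    if missing:
        findings.append("missing security headers: " + ", ".join(missing))
    unneeded = sorted(cfg.enabled_features & UNNEEDED_FEATURES)
    if unneeded:
        findings.append("unnecessary features enabled: " + ", ".join(unneeded))
    return findings


def error_response(exc: Exception, debug: bool) -> dict:
    """Body returned to the client for an unhandled exception.

    With debug on, the exception text and trace go to the client (the misconfiguration).
    With debug off, the client gets an opaque id and the detail is logged server-side.
    """
    if debug:
        trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return {"status": 500, "error": repr(exc), "trace": trace}
    error_id = uuid.uuid4().hex
    log.error("unhandled exception error_id=%s", error_id, exc_info=exc)
    return {"status": 500, "error": "internal error", "error_id": error_id}


# Weak configuration: every check above fires.
WEAK = AppConfig(
    debug=True,
    secret_key="changeme",
    cors_allowed_origins=["*"],
    default_admin_password="admin",
    directory_listing=True,
    enabled_features={"remote_console"},
)

# Hardened configuration for the same application.
HARDENED = AppConfig(
    debug=False,
    secret_key=secrets.token_hex(32),  # 64 hex chars from the OS CSPRNG; load from a secret store in practice
    cors_allowed_origins=["https://app.example.com"],
    default_admin_password=None,
    directory_listing=False,
    response_headers={
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
    },
)
```

Run `audit_config` against both configurations in a CI step so a regression in any of these settings fails the build instead of being noticed by a scanner after deployment.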
A07 Identification and Authentication Failures
Confirmation of user identity, authentication, and session management are implemented incorrectly. Typical failures: credential stuffing and brute force are not throttled, weak or known-breached passwords are accepted, multi-factor authentication is missing or ineffective, passwords are stored in plain text or with weak hashes, session identifiers are predictable or exposed in URLs, and sessions are not invalidated on logout or after inactivity.
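Added example (not from the page): a minimal authentication service using only the standard library that addresses the failures listed above. It rejects short and known-breached passwords, stores PBKDF2-HMAC-SHA256 hashes with a per-user salt, locks an account after repeated failures so credential stuffing is throttled, compares digests in constant time and hashes even for unknown usernames so timing does not reveal which accounts exist, issues session tokens from the OS CSPRNG, and expires sessions after a fixed lifetime. A deliberately weak token generator is included for contrast. The password list, the lockout numbers and the `clock` parameter are constructed for the example; the 600,000 iteration default follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import random
import secrets
import time

# Constructed stand-in for a breached-password corpus; a real deployment checks
# something like Have I Been Pwned's Pwned Passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password123"}
MIN_PASSWORD_LENGTH = 12


def weak_session_token(seed: int) -> str:
    # WEAK: random.Random is a non-cryptographic PRNG. Seeded with a timestamp, as
    # is often done, the token is reproducible by anyone who can guess the second
    # the session was created. Kept here only to contrast with secrets.token_urlsafe.
    return "%016x" % random.Random(seed).getrandbits(64)


class AuthService:
    def __init__(self, max_failures=5, lockout_seconds=900, session_ttl=8 * 3600,
                 pbkdf2_iterations=600_000, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.session_ttl = session_ttl
        self.iterations = pbkdf2_iterations   # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256
        self.clock = clock                    # injectable for tests
        self._users = {}      # username -> (salt, digest)
        self._failures = {}   # username -> (count, window_start)
        self._sessions = {}   # token -> (username, issued_at)
        # Digest compared against for unknown users so their login takes as long as a real one.
        self._dummy = self._hash("not-a-real-password", os.urandom(16))

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH or password.lower() in COMMON_PASSWORDS:
            raise ValueError("password too short or found in breached-password list")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def is_locked(self, username: str) -> bool:
        count, started = self._failures.get(username, (0, 0.0))
        return count >= self.max_failures and self.clock() - started < self.lockout_seconds

    def login(self, username: str, password: str):
        """Return a session token on success, None on any failure (no reason leaked)."""
        now = self.clock()
        if self.is_locked(username):
            return None
        record = self._users.get(username)
        salt, expected = record if record else (b"\0" * 16, self._dummy)
        # Always run the hash, and compare in constant time.
        ok = record is not None and hmac.compare_digest(self._hash(password, salt), expected)
        if not ok:
            count, started = self._failures.get(username, (0, now))
            if now - started >= self.lockout_seconds:   # old window expired: start a new one
                count, started = 0, now
            self._failures[username] = (count + 1, started)
            return None
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, now)
        return token

    def session_user(self, token: str):
        """Resolve a token to its user; sessions past their lifetime are dropped."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, issued = entry
        if self.clock() - issued > self.session_ttl:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

A production service would add MFA, store sessions server-side with an idle timeout as well as the absolute one, and rate-limit by source address in addition to per-account lockout (per-account lockout alone lets an attacker lock users out on purpose).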
A09 Security Logging and Monitoring Failures
Logging, monitoring, and alerting are insufficient to detect, escalate, and respond to an active breach: auditable events such as logins, failed logins, and high-value transactions are not logged, warnings and errors produce no or unclear entries, logs are not monitored for suspicious activity, and no alerting thresholds or response escalation exist. Without them breaches remain undetected for a long time. The Verizon DBIR routinely measures breach-detection times in months, and most breaches are discovered by external parties rather than by the victim.
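Added example (not from the page): a structured authentication log record that carries what an investigator needs (timestamp, event, user, source address, outcome, request id) and nothing it must not (no password, no session token), followed by two sliding-window detections run over a constructed sample log: credential stuffing (one source address failing against many distinct accounts), brute force (many failures against one account), and a success from a source already flagged for stuffing. The addresses are documentation ranges, and the thresholds and window are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def auth_event(ts: datetime, user: str, src_ip: str, outcome: str, request_id: str) -> str:
    """One structured log line. Deliberately excludes the password and any session token."""
    return json.dumps({"ts": ts.isoformat(), "event": "auth.login", "user": user,
                       "src_ip": src_ip, "outcome": outcome, "request_id": request_id})


def build_sample_log() -> list:
    """Constructed sample log, not real traffic."""
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    lines = [auth_event(t0, "dave", "192.0.2.5", "success", "r-001")]   # a normal login
    # Credential stuffing: one source, twelve distinct accounts ten seconds apart, then a hit.
    for i in range(12):
        lines.append(auth_event(t0 + timedelta(seconds=10 * i), f"user{i:02d}",
                                "203.0.113.7", "failure", f"r-1{i:02d}"))
    lines.append(auth_event(t0 + timedelta(seconds=125), "user07", "203.0.113.7", "success", "r-199"))
    # Brute force: one source hammering a single account.
    for i in range(6):
        lines.append(auth_event(t0 + timedelta(minutes=1, seconds=15 * i), "admin",
                                "198.51.100.9", "failure", f"r-2{i:02d}"))
    return lines


def parse(lines) -> list:
    """Parse JSON lines and return events ordered by timestamp."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), stuffing_users=8, bruteforce_failures=5) -> list:
    """Run the two detections over events and return alerts in the order they fire."""
    alerts = []
    by_ip = defaultdict(deque)     # src_ip -> recent failures as (ts, user)
    by_user = defaultdict(deque)   # user -> recent failures as (ts, src_ip)
    flagged_ips = set()
    for e in events:
        if e["event"] != "auth.login":
            continue
        ts, ip, user = e["ts"], e["src_ip"], e["user"]
        if e["outcome"] == "failure":
            q = by_ip[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= stuffing_users and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                               "accounts": len(distinct), "request_id": e["request_id"]})
            uq = by_user[user]
            uq.append((ts, ip))
            while uq and ts - uq[0][0] > window:
                uq.popleft()
            if len(uq) == bruteforce_failures:    # fire once, when the threshold is crossed
                alerts.append({"rule": "brute_force", "user": user, "src_ip": ip,
                               "failures": len(uq), "request_id": e["request_id"]})
        elif e["outcome"] == "success" and ip in flagged_ips:
            # A success from a source already seen stuffing is the account that was actually compromised.
            alerts.append({"rule": "stuffing_success", "src_ip": ip, "user": user,
                           "request_id": e["request_id"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(alert)
```

The request id in each alert ties it back to the exact log line, which is what makes the alert actionable during incident response; the same logic runs unchanged in a SIEM rule, the point being that the events exist in a queryable form and that a threshold actually pages someone.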
References: OWASP Web Top 10, OWASP API Top 10, OWASP LLM Top 10. Self-assessment state is stored in your browser's localStorage; nothing is uploaded.