Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A04: Insecure design

Was the website designed to handle attack, or just good behaviour?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Some flaws can't be patched — they're built into the design. A password-reset flow with no rate limiting. A checkout that trusts the price the browser sends.

Questions to ask yourself

  • Before we built the site, did anyone do threat modelling?
  • Did we test rapid password resets, brute-force logins, repeated card attempts?
  • Are limits in place on logins, password resets, account creation?
  • Does the system trust data the browser sends?

For owners — questions to ask your developer

Questions to ask your developer

Design flaws are the most expensive to fix after launch. Ask now.

  • 01“What threat modelling did we do before building this? What does an attacker try?” A blank look here means none was done.
  • 02“What rate limits are in place on logins, password resets, account creation, contact forms?”
  • 03“Does the system trust prices, user IDs, or role flags the browser sends — or are these always re-checked server-side?”