1) A1 – 注入(Injection)
2) A2 – 跨站脚本 (Cross Site Scripting (XSS))
3) A3 – 无效的验证和会话管理 (Broken Authentication and Session Management)
4) A4 – 对资源不安全的直接引用 (Insecure Direct Object References)
5) A5 – 跨站伪造请求 (Cross Site Request Forgery (CSRF))
6) A6 – 错误的安全配置 (Security Misconfiguration)
7) A7 – 失败的网址访问权限限制 (Failure to Restrict URL Access)
8) A8 – 未经验证的网址重定向 (Unvalidated Redirects and Forwards)
9) A9 – 不安全的密码存储 (Insecure Cryptographic Storage)
10) A10 – 薄弱的传输层保护 (Insufficient Transport Layer Protection)