The new OWASP Top 10 for 2025 is here. Compared to the previous edition, broken access control is still the #1 vulnerability, while security misconfigurations and software supply chain failures now follow as the next most common. This article takes a closer look at the categories, including what’s new in the latest edition.
Important: This version is under review, but there will be no changes to the top 10 vulnerabilities.
Below is the current list of categories:
- Broken Access Control – unchanged
- Security Misconfiguration
- Software Supply Chain Failures
- Cryptographic Failures
- Injection
- Insecure Design
- Authentication Failures
- Software or Data Integrity Failures – unchanged
- Logging & Alerting Failures – unchanged
- Mishandling of Exceptional Conditions – new category
OWASP Top 10 Methodology
The OWASP Top 10 list is periodically updated by the Open Web Application Security Project (OWASP). It groups together high-severity security weaknesses (CWEs) that are most prevalent based on testing, surveys, and CVEs (Common Vulnerabilities and Exposures). A CWE describes the type of vulnerability, while a CVE indicates a specific example of the vulnerability in a product.
Compared to the previous edition, the new one continues the shift towards root causes rather than their “symptoms.” In fact, injection is the only symptom-based category left, because so many different root causes can lead to it.
It is important to note that the OWASP Top 10 is not a checklist; it only shows the current vulnerability landscape for general understanding. Some categories cannot even be tested directly.
Below is more detailed information about each vulnerability.
1. Broken Access Control
This category covers 40 separate weaknesses that could allow attackers to gain access to unauthorized data, resources, user accounts, or operations.
Examples of the CWEs included are various ways of exposing sensitive information, missing or incorrect authorization, and improper storage of sensitive data.
Perhaps somewhat controversially, server-side request forgery (SSRF) is now also included here as a type of access control issue, rather than as a separate category as in the previous edition.
2. Security Misconfigurations
Typical vulnerabilities that fall into this category include missing or incorrect security headers and running software with default settings.
As in the 2021 edition, this category also includes XXE (XML External Entity), a vulnerability in XML data processing that allows an attacker to force a server to read or execute an external XML entity.
3. Software Supply Chain Failures
Interconnectivity and reliance on third-party components have expanded the attack surface, which has been a factor in many high-profile cyberattacks since 2021, from Log4Shell to MOVEit and others, so the big jump for this category is no surprise. Half of the community survey participants ranked it as the top security risk.
4. Cryptographic Failures
The category includes 32 vulnerabilities related to all aspects of data encryption. A common security flaw in this category is the use of weak hashing algorithms, which makes applications vulnerable to brute-force attacks.
5. Injection
The category contains individual vulnerabilities covering SQL injection, cross-site scripting (XSS), command injection, and more. There are 37 of these CWEs in total, and they are mostly various types of improper neutralization or validation of input data.
6. Insecure Design
This category covers security flaws caused by errors or omissions in application design and architecture. For example, if the system design does not include detailed user management, it is difficult to expect secure role-based access control in the final application.
7. Authentication Failures
These are closely related to the current category #1 “Broken Access Control”, but focus specifically on user authentication flaws, such as weak or missing passwords and various methods of bypassing authentication. “Broken Access Control”, in contrast, refers to authorization errors that occur after a user has been authenticated.
The 36 CWEs in this category overlap with many familiar IT security risks, such as password reuse, not using multifactor authentication, and excessive user session timeouts.
8. Software or Data Integrity Failures
The 2020 SolarWinds attack is an example of a failure to ensure software integrity. The 14 CWEs in this category include insecure deserialization, where stored data from untrusted sources (or trusted data stored after serialization) is loaded and used without verification.
The authors specify that this category refers to a failure to “maintain and verify the integrity of software, code, and data artifacts at a lower level than software supply chain failures.”
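The unverified-load problem described above, as an added example that is not part of the original article or of any OWASP material: a serialized record is stored with an HMAC-SHA256 tag, and the hardened loader recomputes and compares the tag before parsing, while the unverified loader accepts a tampered payload. The secret key and the tampering helper are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical application secret; a real deployment loads it from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _encode(payload: bytes, tag: bytes) -> str:
    return base64.b64encode(payload).decode() + "." + base64.b64encode(tag).decode()


def serialize_signed(obj: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize to JSON (a data-only format) and append an HMAC-SHA256 tag."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _encode(payload, tag)


def deserialize_unverified(token: str) -> dict:
    """The integrity failure: the payload is trusted without checking the tag."""
    payload_b64 = token.split(".", 1)[0]
    return json.loads(base64.b64decode(payload_b64))


def deserialize_verified(token: str, key: bytes = SECRET_KEY) -> dict:
    """Hardened form: recompute the tag and compare in constant time before parsing."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError as exc:  # covers unpacking errors and binascii.Error
        raise ValueError("malformed token") from exc
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return json.loads(payload)


def tamper(token: str, new_obj: dict) -> str:
    """Constructed tampering: swap the payload but keep the original tag."""
    tag_b64 = token.split(".", 1)[1]
    payload = json.dumps(new_obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(payload).decode() + "." + tag_b64
```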
9. Logging and Alerting Failures
This category is critical to operational security because without logging activity and appropriate alerts, suspicious activity cannot be quickly detected.
One of the CWEs covered specifically addresses incorrect log handling, which can allow attackers to use logs as an attack vector or modify them so that their activity goes unnoticed.
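As an added illustration of the log-handling weakness above (example code, not from the article or OWASP), the function below neutralizes untrusted values before they enter a quoted log field, so a crafted username cannot forge an extra log entry or break out of its field. The audit-line format and the sample input are constructed for the demonstration.

```python
_ESCAPES = {"\\": "\\\\", '"': '\\"', "\r": "\\r", "\n": "\\n", "\t": "\\t"}


def neutralize_for_log(value: str, max_len: int = 200) -> str:
    """Make an untrusted value safe to embed inside a quoted log field:
    quotes and backslashes are escaped so the value cannot break out of its field,
    CR/LF and other control characters are escaped so no fake entry can be forged,
    and very long values are truncated so one request cannot flood the log."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    escaped = "".join(out)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "...[truncated]"
    return escaped


def audit_line(event: str, **fields: str) -> str:
    """Format one audit record; every field value goes through neutralize_for_log."""
    parts = [f'{name}="{neutralize_for_log(value)}"' for name, value in fields.items()]
    return " ".join([event] + parts)


def count_entries(log_text: str) -> int:
    """How many entries a log consumer would see (one per non-empty line)."""
    return sum(1 for line in log_text.splitlines() if line.strip())


# Constructed input: a "username" carrying a forged success entry for another account.
FORGED_USERNAME = 'alice\nlogin_ok user="admin" ip="203.0.113.9"'


def demo() -> tuple:
    """Returns (entries written naively, entries written with neutralization)."""
    naive = f'login_failed user="{FORGED_USERNAME}" ip="198.51.100.7"'
    safe = audit_line("login_failed", user=FORGED_USERNAME, ip="198.51.100.7")
    return count_entries(naive), count_entries(safe)
```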
10. Mishandling of Exceptional Conditions
This covers a wide range of security flaws related to error handling that can either reveal information to attackers or allow them to cause errors as part of an attack chain. An application failure or unexpected behavior is often the first thing attackers and pentesters investigate.
The most common example is overly detailed error messages that reveal to the attacker internal information about the system or application. For example, they may include database column names returned in an error message.
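The column-name leak described above, as an added example that is not part of the original article: a constructed backend fails with a database-style error naming an internal column, the leaky handler echoes that text to the client, and the hardened handler returns only a generic message plus a reference ID that the server log can be correlated with. The backend, error text and handler signatures are all constructed for the demonstration.

```python
import logging
import uuid

log = logging.getLogger("app")


class NotFound(Exception):
    """An expected condition that is safe to describe to the client."""


def lookup_user(user_id: str) -> dict:
    """Constructed backend: returns a record, reports a missing one, or fails
    with a database-style error whose text names an internal column."""
    if user_id == "42":
        return {"id": "42", "name": "alice"}
    if user_id == "boom":
        raise RuntimeError('column "users.password_hash" does not exist')
    raise NotFound(user_id)


def leaky_handle_request(user_id: str) -> tuple:
    """The anti-pattern: the raw exception text is returned to the caller."""
    try:
        return 200, lookup_user(user_id)
    except Exception as exc:
        return 500, {"error": str(exc)}


def handle_request(user_id: str) -> tuple:
    """Hardened form: expected conditions get a specific but harmless message;
    anything unexpected is logged server-side under a reference ID and the
    client receives only that ID, so support can correlate the incident
    without internals such as column names reaching the response."""
    try:
        return 200, lookup_user(user_id)
    except NotFound:
        return 404, {"error": "user not found"}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)  # traceback stays in the server log
        return 500, {"error": "internal error", "ref": ref}
```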
Testing for OWASP Top 10 Vulnerabilities
The OWASP Top 10 now takes a more strategic view of application security. Several risk categories are not designed to be tested directly, or at least are not easily testable.
However, people talk about “OWASP Top 10 testing” every day because it is a convenient shorthand for testing all common, high-impact vulnerabilities that can be tested.
Invicti’s DAST platform combines a wide range of security checks and also includes a built-in “OWASP Top 10” scan report to conveniently show the current status of the most common web application security weaknesses that can be tested.
To test Invicti for free, including its vulnerability confirmation feature and broad coverage of hidden flaws, please leave your contact details below, and we will reach out to you: