The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving software security. Its best-known resource is the OWASP Top 10, a regularly updated awareness document that summarizes the most critical web application security risks.

The OWASP Top 10 2025 reflects how application security has changed. Modern applications depend on complex configurations, APIs, cloud services, CI/CD pipelines, open-source components, and third-party integrations. The list is not a complete testing checklist, but it remains a practical starting point for understanding the risks most likely to affect web applications.

Summary of OWASP Top 10 2025:

  1. Broken access control
  2. Security misconfiguration
  3. Software supply chain failures
  4. Cryptographic failures
  5. Injection
  6. Insecure design
  7. Authentication failures
  8. Software or data integrity failures
  9. Security logging and alerting failures
  10. Mishandling of exceptional conditions

1. Broken Access Control

Broken access control occurs when users can access data, functions, URLs, APIs, or administrative actions they should not be allowed to use. Common examples include privilege escalation, forced browsing, insecure direct object references, and server-side request forgery (SSRF). These flaws can expose sensitive data or allow attackers to perform unauthorized operations.

2. Security Misconfiguration

Security misconfigurations happen when applications, servers, frameworks, cloud services, or security controls are deployed with unsafe settings. Examples include default credentials, unnecessary services, verbose errors, missing security headers, and overly permissive permissions. As application environments grow more complex, configuration errors remain one of the most common paths to compromise.

3. Software Supply Chain Failures

Modern applications rely heavily on third-party libraries, packages, containers, and services. Software supply chain failures occur when vulnerable, outdated, malicious, or untrusted components enter an application or deployment pipeline. Reducing this risk requires dependency tracking, timely updates, software composition analysis, SBOMs, and controls over build and release processes.

4. Cryptographic Failures

Cryptographic failures involve weak or missing protection for sensitive data. This can include transmitting data without encryption, storing credentials insecurely, using weak algorithms, mishandling keys, or failing to protect session tokens. These failures can lead directly to data exposure, account compromise, regulatory issues, and identity theft.

5. Injection

Injection vulnerabilities occur when untrusted input is interpreted as part of a command, query, script, or expression. SQL injection, command injection, and cross-site scripting (XSS) are common examples. Strong input validation, output encoding, parameterized queries, and safe APIs help prevent injection attacks.

6. Insecure Design

Insecure design refers to security weaknesses built into the application’s architecture or business logic. Unlike implementation bugs, these issues often cannot be fixed by patching a single line of code. Threat modeling, secure design patterns, abuse-case analysis, and security requirements should be part of the design process from the start.

7. Authentication Failures

Authentication failures happen when attackers can compromise, bypass, or abuse identity mechanisms. Weak passwords, missing multi-factor authentication, predictable session IDs, insecure password recovery, and poor session management can all put accounts at risk.

8. Software or Data Integrity Failures

Software or data integrity failures occur when applications trust code, updates, serialized objects, or data without verifying that they are authentic and unchanged. Examples include insecure deserialization, unsigned updates, and weak CI/CD integrity checks.

9. Security Logging and Alerting Failures

Without effective logging and alerting, attacks may go unnoticed until long after damage is done. Applications should record security-relevant events, protect logs from tampering, and generate actionable alerts for suspicious behavior.

10. Mishandling of Exceptional Conditions

This new 2025 category covers failures in how applications handle errors, crashes, timeouts, and unexpected states. Overly detailed error messages can reveal internal information, while poorly handled exceptions can create bypasses or denial-of-service conditions.

Stay up to date!

The OWASP Top 10 2025 is a reminder that web security now extends far beyond individual coding flaws. Secure applications require safe design, hardened configuration, trusted components, strong authentication, continuous testing, and rapid remediation. Automated web vulnerability scanning with Acunetix can help organizations find many testable OWASP Top 10 risks before attackers do.

To stay up to date with other web security and OWASP news subscribe to the Acunetix Web Application Security Blog.

SHARE THIS POST
THE AUTHOR
Zbigniew Banach
Zbigniew Banach
Technical Content Lead & Managing Editor
Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.