
The OWASP Top 10 (2025)

The industry's reference list of the most critical web application risks: what each category means, with the 2025 changes.


What the list is

The OWASP Top 10 is a periodically updated awareness document listing the most critical web application security risks, compiled from real-world vulnerability data and a practitioner survey. It's a starting point and a common language, not an exhaustive standard, but it's the list everyone references, so know it.

This is the 2025 edition, the eighth, finalised in 2025 and replacing the widely cited 2021 list. The categories are risk groupings, not single bugs.

The ten categories (2025)

A01 – Broken Access Control. Users acting outside their intended permissions: viewing others' records by changing an ID in the URL (IDOR, insecure direct object reference), reaching admin functions as a normal user, privilege escalation. Consistently the most prevalent category. Root cause is usually missing or incomplete server-side authorisation checks: a failure of complete mediation.
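The IDOR pattern above and its fix, as an added Python example written for this note (not OWASP's code): the vulnerable lookup keys only on the id taken from the URL, while the fixed version binds the session user into the same query, so no access path can skip the authorisation check. The table, users and invoice ids are constructed.

```python
import sqlite3

# Constructed demo data (not from the page): two users, each owning one invoice.
def _make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    con.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                    [(123, "alice", 40), (124, "bob", 75)])
    return con

DB = _make_db()

def get_invoice_vulnerable(session_user: str, invoice_id: int):
    # IDOR: the lookup keys only on the id from the URL. Nothing ties the
    # row to the logged-in user, so ?id=124 hands alice bob's invoice.
    # (session_user is accepted but never consulted, which is the bug.)
    return DB.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice(session_user: str, invoice_id: int):
    # Complete mediation: the authorisation predicate is part of the same
    # query, so there is no code path that fetches a row without it. The
    # user comes from the server-side session, never from the request.
    # A foreign row and a missing row both come back as None, so the
    # response does not confirm that another user's id exists.
    return DB.execute("SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
                      (invoice_id, session_user)).fetchone()

if __name__ == "__main__":
    print(get_invoice_vulnerable("alice", 124))  # (124, 'bob', 75): leaked
    print(get_invoice("alice", 124))             # None
```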

A02 – Security Misconfiguration. Insecure defaults, unnecessary features enabled, verbose error messages, default credentials, missing security headers, open cloud storage buckets. Rose to #2 in 2025 as systems grew more complex and more configurable. Often the easiest category to exploit and to fix.

A03 – Software Supply Chain Failures. New for 2025, expanding the old "Vulnerable and Outdated Components". Covers risk across the whole dependency ecosystem: compromised libraries, build systems and distribution channels, not just out-of-date packages. Reflects real incidents like compromised npm packages and the SolarWinds build-system attack. You inherit the security of everything you depend on.

A04 – Cryptographic Failures. Sensitive data exposed through weak or missing cryptography: no encryption in transit/at rest, weak algorithms, hardcoded or poorly managed keys, bad randomness. Note (from the crypto topic) that these are overwhelmingly implementation and key-management failures, not broken algorithms.

A05 – Injection. Untrusted input interpreted as a command or query: SQL injection, OS command injection, LDAP injection, and cross-site scripting (XSS), which OWASP folds into this category. Dropped from #3 to #5 but remains one of the most tested classes. The universal fix is to separate code from data (parameterised queries, output encoding).
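The code-versus-data point in Python's sqlite3, as an added example not taken from the page: in the concatenated query any quote in the input changes the statement (a legitimate apostrophe breaks it, and the page's stacked-statement payload is only stopped because sqlite3 refuses more than one statement per execute), while the parameterised query binds the whole string as a value. The table contents are constructed.

```python
import sqlite3

# Constructed demo table (not from the page).
def _make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("O'Brien", "user")])
    return con

DB = _make_db()

def find_user_vulnerable(name: str):
    # The input is spliced into the SQL text, so the parser reads any quote
    # in it as part of the statement: data has become code.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    try:
        return DB.execute(sql).fetchall()
    except Exception:
        # A legitimate apostrophe (O'Brien) is a syntax error here, and the
        # stacked statement from the page's example is refused by sqlite3
        # (raised as a Warning or ProgrammingError depending on the Python
        # version); a driver that allows stacked statements would run it.
        return None

def find_user(name: str):
    # Parameterised: the statement is compiled first and the value bound
    # afterwards, so whatever the string contains, it is matched as a name.
    return DB.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def user_table_intact() -> bool:
    return DB.execute("SELECT count(*) FROM users").fetchone()[0] == 2
```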

A06 – Insecure Design. Flaws baked into the architecture rather than the code: missing rate limiting, no defence against business-logic abuse, trust placed in the wrong component. You can't patch your way out of a bad design; the fix is threat modelling and secure design patterns up front (shift left).

A07 – Authentication Failures. Weak authentication: credential stuffing tolerated, weak password rules, broken session management, missing MFA, exposed session IDs. Renamed from "Identification and Authentication Failures" for precision.

A08 – Software or Data Integrity Failures. Code or data trusted without verifying integrity: insecure deserialisation, auto-updates pulled without signature checks, CI/CD pipelines that run unverified code. Overlaps with supply chain but focuses on the integrity verification failure.

A09 – Security Logging and Alerting Failures. Without logging, detection and alerting, breaches go unnoticed for months. Renamed from "Logging and Monitoring" to stress that logging nobody alerts on is nearly useless. Failures here are why incidents have long dwell times.

A10 – Mishandling of Exceptional Conditions. New for 2025. Improper error handling, logic errors and failing open: an error or edge case leaves the system in an insecure state (e.g. an exception in an auth check that defaults to "allow"). Ties directly to the fail securely principle.
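The fail-open auth check the paragraph describes, beside a fail-closed version, as an added Python example (not from the page); the permission store, its corrupt record and the user names are constructed.

```python
import json
import logging

log = logging.getLogger("authz")

# Constructed permission store (not from the page): each user's allowed
# actions as a JSON string, as if read from a database column. carol's
# record is corrupt, and mallory has no record at all.
PERMISSIONS = {
    "alice": '["read"]',
    "bob":   '["read", "write"]',
    "carol": '["read", "write"',   # malformed JSON: missing closing bracket
}

def is_allowed_fail_open(user: str, action: str) -> bool:
    # Vulnerable: the permissive default is set first and only tightened
    # when the lookup succeeds, so a missing record (KeyError) or a corrupt
    # one (ValueError from json.loads) leaves access granted.
    allowed = True
    try:
        allowed = action in json.loads(PERMISSIONS[user])
    except (KeyError, ValueError):
        log.warning("permission lookup failed for %s", user)
    return allowed

def is_allowed(user: str, action: str) -> bool:
    # Fail closed: the only path to True is a check that completed and said
    # yes. Anything unexpected, including exceptions the author did not
    # foresee, is a denial, and is logged as a signal (A09) rather than
    # swallowed.
    try:
        return action in json.loads(PERMISSIONS[user])
    except Exception:
        log.exception("permission check failed for %s, denying", user)
        return False

if __name__ == "__main__":
    print(is_allowed_fail_open("mallory", "write"))  # True: unknown user gets in
    print(is_allowed("mallory", "write"))            # False
```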

How to use it

In an exam or assessment, the pattern is: spot the flaw, name the category, name the fix.

Symptom                                                | Category                      | Fix
-------------------------------------------------------|-------------------------------|--------------------------------------------------
Changing ?id=123 to ?id=124 shows another user's data  | A01 Broken Access Control     | Server-side authorisation on every object access
Default admin/admin still works                        | A02 Misconfiguration          | Remove defaults, harden config
A used library has a known CVE                         | A03 Supply Chain              | Dependency scanning, update, verify sources
Passwords sent over HTTP                               | A04 Cryptographic Failures    | Enforce TLS; encrypt at rest
'; DROP TABLE users;-- affects a query                 | A05 Injection                 | Parameterised queries
No limit on login attempts by design                   | A06 Insecure Design           | Rate limiting designed in
No MFA, weak session IDs                               | A07 Authentication Failures   | MFA, strong session management
App runs an unsigned auto-update                       | A08 Integrity Failures        | Verify signatures
No alert when admin account is brute-forced            | A09 Logging/Alerting          | Centralised logging + alerting
An error in the auth path grants access                | A10 Exceptional Conditions    | Fail closed

Quick recall

  • 2025 order: A01 Broken Access Control, A02 Security Misconfiguration, A03 Software Supply Chain Failures, A04 Cryptographic Failures, A05 Injection, A06 Insecure Design, A07 Authentication Failures, A08 Software/Data Integrity Failures, A09 Security Logging & Alerting Failures, A10 Mishandling of Exceptional Conditions.
  • New in 2025: A03 Supply Chain (expanded from vulnerable components) and A10 Exceptional Conditions. Injection dropped to A05; XSS lives inside it.
  • Broken Access Control remains #1; the fix is server-side authorisation on every access (complete mediation).
  • A10 is the fail securely principle as a category; A06 is shift left.