OWASP Top Ten 2025 – The Complete Guide

It seems to have taken an eternity, but OWASP top ten 2025 is finally on the way, and it will soon list the 10 most important web application vulnerabilities, based on a wide-ranging industry survey. That makes the OWASP Top 10 more than just a list of vulnerabilities; it’s a critical tool for the entire cybersecurity community. It helps developers and security teams focus on the most impactful threats, allowing them to allocate resources effectively. It serves as a standard awareness document for developers, ensuring they are aware of and trained on the most common and dangerous security risks. It is also frequently used as a baseline for compliance checks and security audits, influencing vendor questionnaires and procurement processes, and by highlighting emerging risks like insecure design and supply chain vulnerabilities, the list encourages a “shift left” approach, where security is considered early on in the software development lifecycle.

The OWASP top ten 2025 core team is expected to announce the release of its updated list very soon, which is something of a relief because the industry has been anticipating it since the last update in 2021. According to the team’s latest progress update, the survey portion is now complete, and they are currently about halfway through the process of normalising data and drafting.

The industry is expecting a release any day now, and it’s going to be interesting to see which of the current listed vulnerabilities will be kept. Even if some of them are dropped from the OWASP top 10, though, it’s worth remembering that attackers will still be keen to make use of them, so make sure that you are still defending against these key vulnerabilities.  

Top Ten Vulnerabilities for OWASP 2025

1. Broken Access Control 

Broken access control sits in first place on the current OWASP list, and it happens when an application does not properly enforce restrictions on what users are allowed to do. In other words, it means they can gain access to data, functions, or systems that they shouldn’t be able to reach, and do things that they shouldn’t be able to do.

One type of this is horizontal privilege escalation, where a user is allowed access to another user’s data. For example, a user is free to change a URL from /profile/677 (their own account) to /profile/678 to see someone else’s account. This shouldn’t be possible with proper access control in place, but when it’s broken, the user can gain access, and that account may hold sensitive data, such as personal info, financial records, health data, and so on.

With another type called vertical privilege escalation, a regular user is allowed to perform admin-level actions, such as accessing /admin, without proper checks. Bypassing security controls like this allows them to access hidden functionality or data by disabling client-side checks, manipulating requests, or guessing object IDs. Then there are CORS misconfigurations. CORS is a web security mechanism that controls which websites can access resources from another domain. It prevents malicious sites from making unauthorized requests to your web application on behalf of users. These misconfigurations allow cross-origin requests from untrusted domains, and these can also expose sensitive data. Cybercriminals leverage them to steal data, modify records, or gain admin access, and the way to stop them is to implement robust access controls, use role-based or attribute-based access control (RBAC/ABAC – a security model that assigns permissions to users based on their role within an organization (like “admin,” “editor,” or “viewer”) rather than granting permissions individually to each user) and validate permissions on the server side. It’s also essential to build on a firm foundation by using the principle of least privilege, which means only giving each user access to the minimum number of resources they require.

2. Cryptographic Failures 

These failures occur when applications fail to protect sensitive data through poor or missing cryptographic controls, including situations where no encryption is used, when weak or outdated algorithms are implemented (such as MD5, SHA1, DES, or RC4), key management practices are inadequate, or strong cryptographic controls aren’t implemented properly.

Common manifestations of this include transmitting sensitive data over HTTP instead of HTTPS, using weak TLS configurations, storing passwords and personal data in plaintext, implementing reversible encryption for passwords instead of proper hashing, and hardcoding encryption keys directly in source code. Real-world attacks exploit these weaknesses through scenarios like SQL injection attacks, retrieving credit card numbers from poorly encrypted databases, network traffic monitoring on unsecured HTTP connections to steal credentials, and rainbow table attacks against password databases using simple, unsalted hashes like MD5.

Prevention requires proper data classification according to privacy laws and business needs, followed by discarding unnecessary sensitive data as quickly as possible and encrypting all remaining sensitive data both at rest and in transit. Organizations need to implement strong, well-vetted encryption algorithms with proper key management practices, use password-specific hashing algorithms like bcrypt or Argon2, enforce HTTPS everywhere with security headers like HSTS, and follow implementation best practices such as never hardcoding cryptographic keys, using cryptographically secure random number generators, and regularly rotating keys and certificates.

3. Injection 

This can happen when untrusted user data is sent directly to interpreters like SQL databases, operating systems, or LDAP directories without proper validation, so attackers can execute unintended commands or access unauthorized data. The most common form is SQL injection, where malicious code added through input fields can bypass authentication, extract sensitive data, or modify database contents. Other variants include command injection (executing OS commands), LDAP injection, NoSQL injection, and cross-site scripting (XSS).

These attacks exploit applications that add user input directly into dynamic queries without properly sanitising them. Real-world scenarios range from authentication bypasses to complete system compromise. To prevent them, you should treat all user input as untrusted and implement parameterized queries or prepared statements that separate SQL logic from data. Additional defenses include robust input validation with allow-lists, applying least privilege principles to database accounts, proper output encoding, and regular security testing. Web application firewalls provide an extra protective layer against these highly prevalent and effective attacks.

4. Insecure Design 

This is a tough one because if an application’s architecture or design is the cause of vulnerabilities, such as missing threat modeling or inadequate security controls, then there may not be easy fixes. Unlike implementation errors, insecure design problems stem from poor planning, like allowing password reuse or weak authentication flows. Attackers exploit these to bypass protections, and mitigation involves adopting secure design patterns, conducting threat modeling, and integrating security into the software development lifecycle (SDLC). Regular design reviews and security requirements analysis help address these risks early.

5. Security Misconfiguration 

Security misconfiguration happens when application components such as servers, frameworks, or cloud services aren’t set up properly. Examples include default credentials, exposed error messages, or unpatched systems. Threat actors can abuse these to gain unauthorized access or extract sensitive information. Mitigation requires hardening configurations, disabling unnecessary features, and applying the least privilege principle. Automated tools for configuration scanning and regular patching, combined with secure default settings, minimize the risk of exploitation.

6. Vulnerable and Outdated Components 

Using outdated or unpatched software components (such as libraries, frameworks, and apps) introduces vulnerabilities to your systems that criminals will gladly make use of. Common scenarios include running outdated web servers with known exploits, using JavaScript libraries with published vulnerabilities, maintaining legacy database versions without security patches, or relying on abandoned third-party components that no longer receive updates.

When it comes to keeping your website safe, you can trust Reflectiz to map and monitor connected components like these, because it notifies you of any security vulnerabilities, including those that arise when you haven’t applied patches or updates. This vulnerability also encompasses the OS, web/application server, database management system (DBMS), and all components, runtime environments, and libraries that lack regular vulnerability scanning or security bulletin monitoring, so they will need regular scanning and maintenance too.

Using open-source or proprietary code that contains software vulnerabilities or is no longer maintained can create security gaps that will attract cybercriminals like burglars to a broken door lock. Criminals will often leverage public vulnerability databases and automated scanning tools to identify these weaknesses to potentially gain system access, steal data, or compromise entire applications, and prevention requires establishing comprehensive component inventory management, implementing automated vulnerability scanning for all dependencies, subscribing to security bulletins for used components, maintaining regular update schedules with proper testing procedures, removing unused or unnecessary components, and using dependency management tools that provide vulnerability alerts.

7. Identification and Authentication Failures 

Authentication failures happen when systems fail to properly verify user identities, which can enable attacks like credential stuffing, brute force, or session hijacking. Weak passwords, lack of multi-factor authentication (MFA), or exposed session tokens are common issues that let intruders gain unauthorized access to accounts or systems. To avoid falling foul of these issues, you should enforce strong passwords, implement MFA, and use secure session management, along with rate limiting and account lockout mechanisms to further protect against automated attacks.

8. Software and Data Integrity Failures 

These occur when software or data is altered without verification, such as untrusted CI/CD pipelines or unsigned updates. Attackers can inject malicious code or tamper with data, compromising the system, typical examples being supply chain attacks or deserialization flaws. Mitigation involves validating software signatures, using secure CI/CD processes, and implementing integrity checks. You will need to monitor dependencies and ensure you only use trusted sources to prevent such unauthorized modifications.

9. Security Logging and Monitoring Failures 

If you don’t log and monitor incidents correctly, you’re inviting attacks to go undetected and delaying your response to breaches. Missing logs, unmonitored systems, or ignored alerts are the kind of things that enable malicious intruders to lurk in your systems for longer than they should. You can’t afford to allow admin actions to go unlogged or brute force attempts to go undetected, so ensure that you have comprehensive logging of security events, real-time monitoring, and automated alerts in place. Integrating logs with SIEM systems (Security Information and Event Management) and conducting regular audits will ensure timely detection and response to incidents.

10. Server-Side Request Forgery (SSRF) 

SSRF happens when an attacker manipulates a server to make unauthorized requests to internal or external systems. This can expose internal services, cloud metadata, or sensitive data, and it can be caused by weak input validation in APIs or webhooks. Attackers exploit SSRF to pivot within networks or access restricted resources, so you’ll need to routinely validate and sanitize URLs, restrict server requests, and use network-level controls like firewalls to keep them at bay.

OWASP Top Ten 2025: Key Shifts and New Threats

The significance of the OWASP top ten 2025 update lies in its ability to adapt to new technologies and attack vectors that have emerged since the last list came out in 2021. The new one is expected to highlight a move away from just individual coding errors towards more systemic application risks, like design and supply chain issues. Industry commentators are suggesting that it will likely focus on:

API Security: As modern applications become more reliant on APIs, new forms of familiar risks like Broken Access Control and Insecure Design are being exploited. The new list may either elevate API security to its own category or integrate API-specific concerns more explicitly.

Software Supply Chain: The list is expected to place a greater emphasis on Software Supply Chain Vulnerabilities, spotlighting the risks in third-party libraries, containers, and CI/CD pipelines, especially in the wake of major incidents like Polyfill and Log4Shell (a critical zero-day vulnerability discovered in November 2021 in Log4j, a widely used Java logging framework).

Modernizing Existing Categories: The update will likely re-scope and rename existing categories to better reflect current threats. For example, the 2021 list renamed “Sensitive Data Exposure” to “Cryptographic Failures” to focus on the root cause rather than the symptom. The OWASP 2025 list is expected to continue this trend.

AI and LLM Integration: The rise of Large Language Models (LLMs) and other AI technologies introduces new risks such as prompt injection and sensitive information disclosure. These are unlikely to make it onto the OWASP 2025 list, since OWASP has already published a dedicated Top 10 for LLM Applications, but it’s still worth mentioning, though, just in case you thought OWASP wasn’t paying attention!