# OWASP Top 10

The OWASP Top 10 is a widely recognized, community-driven awareness document listing the 10 most critical security risks for web applications, helping developers and security professionals prioritize threats so they can build more secure software. It is a standard guide, updated periodically by experts and based on real-world data, and it serves as a crucial first step in improving overall web application security and reducing breach risk.

## Top 10 2025

| Rank | Vulnerability | Description |
|---|---|---|
| A01:2025 | Broken Access Control | Failures in enforcing permissions allowing unauthorized access to data or functionality |
| A02:2025 | Security Misconfiguration | Insecure default configurations, incomplete setups, or exposed error messages |
| A03:2025 | Software Supply Chain Failures | Vulnerabilities in third-party dependencies, libraries, or components in the software supply chain |
| A04:2025 | Cryptographic Failures | Inadequate protection of sensitive data through weak or missing encryption |
| A05:2025 | Injection | Untrusted data sent to interpreters as part of commands or queries, leading to unintended execution |
| A06:2025 | Insecure Design | Missing or ineffective security controls due to flaws in design and architecture |
| A07:2025 | Authentication Failures | Weaknesses in user authentication and session management |
| A08:2025 | Software or Data Integrity Failures | Code or infrastructure that doesn't protect against integrity violations |
| A09:2025 | Security Logging and Alerting Failures | Insufficient logging and monitoring to detect or respond to breaches |
| A10:2025 | Mishandling of Exceptional Conditions | Improper handling of errors and exceptions that can expose sensitive information or cause security issues |
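
Two of the categories in the table above, A05:2025 Injection and A01:2025 Broken Access Control, shown as a vulnerable handler beside its hardened form. This is an added example, not code from the OWASP Top 10 document; it runs against a constructed in-memory SQLite database, and the tables, users and orders are all made-up sample data.

```python
"""Added example (not from the OWASP document): A05 Injection and A01 Broken
Access Control, each as a vulnerable function next to its hardened form.
All schema and rows below are constructed sample data."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning exactly one order."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 1, 'alice-secret-order'),
                                  (20, 2, 'bob-secret-order');
        """
    )
    return conn


# --- A05:2025 Injection ----------------------------------------------------

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the statement text, so the input can
    change what the query means (the defect A05 describes)."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value travels separately from the statement,
    so the interpreter can only ever treat it as data to compare against."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- A01:2025 Broken Access Control -----------------------------------------

def get_order_vulnerable(conn: sqlite3.Connection, requester_id: int, order_id: int):
    """Looks the order up by id alone; any authenticated user can read any
    order, which is the permission failure A01 describes.  requester_id is
    accepted but never checked."""
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_safe(conn: sqlite3.Connection, requester_id: int, order_id: int):
    """Enforces object-level authorisation inside the query: the row comes
    back only if the requester owns it.  Returns None otherwise, so the caller
    cannot tell 'does not exist' from 'not yours'."""
    return conn.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
        (order_id, requester_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    # Constructed input that turns the WHERE clause into a tautology.
    tautology = "x' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, tautology))  # both users
    print("safe lookup:      ", find_user_safe(db, tautology))        # []
    # bob (id 2) requests alice's order (id 10).
    print("vulnerable order: ", get_order_vulnerable(db, 2, 10))      # alice's row
    print("safe order:       ", get_order_safe(db, 2, 10))            # None
```

The two hardened functions share one design choice: the control is enforced by the database driver or the query itself rather than by input filtering in application code, so there is no allow-list to bypass and no second code path that forgets the check.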

## Top 10 2021

| Rank | Vulnerability | Description |
|---|---|---|
| A01:2021 | Broken Access Control | Failures in enforcing permissions allowing unauthorized access to data or functionality |
| A02:2021 | Cryptographic Failures | Inadequate protection of sensitive data through weak or missing encryption |
| A03:2021 | Injection | Untrusted data sent to interpreters as part of commands or queries, leading to unintended execution |
| A04:2021 | Insecure Design | Missing or ineffective security controls due to flaws in design and architecture |
| A05:2021 | Security Misconfiguration | Insecure default configurations, incomplete setups, or exposed error messages |
| A06:2021 | Vulnerable and Outdated Components | Using libraries or frameworks with known vulnerabilities |
| A07:2021 | Identification and Authentication Failures | Weaknesses in user authentication and session management |
| A08:2021 | Software and Data Integrity Failures | Code or infrastructure that doesn't protect against integrity violations |
| A09:2021 | Security Logging and Monitoring Failures | Insufficient logging and monitoring to detect or respond to breaches |
| A10:2021 | Server-Side Request Forgery | Application fetches remote resources without validating user-supplied URLs |