OWASP Top Ten 2025: The New Vulnerabilities Threatening Your Web Applications
OWASP published the candidate version of its Top Ten 2025 on November 6, 2025, identifying the 10 most critical security risks. Discover the new categories, major changes since 2021, and practical measures to protect your applications.
William Aklamavo
November 21, 2025
OWASP Top Ten 2025: The New Vulnerabilities Threatening Your Web Applications
On November 6, 2025, OWASP (Open Web Application Security Project) published the candidate version of its Top Ten 2025, the reference document on web application security risks. This major update, coming 4 years after the 2021 version, reflects the rapid evolution of threats and development practices.
Two new categories make their appearance, some vulnerabilities are consolidated, and the ranking has been reorganized to better reflect the reality of risks in 2025. For developers, security architects, and technical managers, understanding these changes is crucial to protect their applications.
In this article, we will explore the Top Ten 2025 in depth, analyze the new features, compare with the previous version, and provide practical recommendations to secure your web applications.
What is the OWASP Top Ten?
The OWASP Top Ten is an industry standard publication that identifies and documents the ten most critical application security risks. Based on real data from thousands of tested applications, it serves as a reference for:
- Developers who want to understand risks to avoid
- Security teams that evaluate applications
- Technical managers who prioritize security efforts
- Auditors who verify compliance
2025 Methodology:
- Analysis of thousands of applications tested between 2021 and 2025
- Data from multiple sources: automatic scanners, manual tests, incident reports
- 3.73% of tested applications present at least one Top Ten vulnerability
The Top Ten 2025: Overview
Here is the complete ranking of the 10 most critical risks in 2025:
- A01:2025 - Broken Access Control (3.73% of applications)
- A02:2025 - Cryptographic Failures (3.00% of applications)
- A03:2025 - Injection (new)
- A04:2025 - Insecure Design (3.80% of applications)
- A05:2025 - Security Misconfiguration (high prevalence)
- A06:2025 - Vulnerable and Outdated Components (3.50% of applications)
- A07:2025 - Identification and Authentication Failures (36 weaknesses identified)
- A08:2025 - Software and Data Integrity Failures (unchanged)
- A09:2025 - Security Logging and Monitoring Failures (name modified)
- A10:2025 - Server-Side Request Forgery (SSRF) (new - 24 weaknesses)
Detailed Analysis: Major Changes
A01:2025 - Broken Access Control (Still #1)
Position: 1st place (unchanged since 2021)
Prevalence: 3.73% of tested applications present at least one of the 40 weaknesses in this category.
Why is it still #1? Access control remains the most widespread security problem because it is complex to implement correctly and often neglected in development phases.
Examples of weaknesses:
- Horizontal access: A user can access another user's data at the same level
- Vertical access: A user can access features reserved for administrators
- Bypassing access controls via modified parameters
- Unauthenticated access to sensitive resources
Protection measures:
- Implement Role-Based Access Control (RBAC)
- Verify permissions on each request, not just at authentication
- Use proven security frameworks
- Regularly test access controls with tools like OWASP ZAP
A02:2025 - Cryptographic Failures (Rising)
Position: 2nd place (up from 5th place in 2021)
Prevalence: 3.00% of affected applications
Why this rise? The increase in cloud deployments, containers, and microservices has multiplied attack surfaces and opportunities for misconfiguration.
Examples of problems:
- Services with insecure default configurations
- Error messages that reveal sensitive information
- Debug features enabled in production
- Missing security headers (CSP, HSTS, etc.)
- Databases exposed publicly without authentication
Protection measures:
- Use secure default configurations
- Automate configuration checks (Infrastructure as Code)
- Disable unnecessary features
- Implement a security hardening process
- Regularly scan configurations with tools like Snyk, Checkmarx
A03:2025 - Injection (New Category)
Position: 3rd place (new category)
Why this new category? Supply chain attacks have exploded in recent years. Major incidents like SolarWinds, Log4j, and npm have shown the vulnerability of software dependencies.
What this category encompasses:
- Vulnerabilities in dependencies: Unupdated third-party libraries
- Unverified components: npm, PyPI, Maven packages not validated
- Compromised build systems: Unsecured CI/CD tools
- Distribution infrastructure: Compromised Docker registries, npm repositories
- Transitive dependencies: Vulnerabilities in dependencies of your dependencies
Examples of recent attacks:
- Log4j (2021): Critical vulnerability in a Java library used by millions of applications
- Malicious npm packages: Popular packages compromised to steal data
- SolarWinds (2020): Compromise of a monitoring tool used by thousands of companies
Protection measures:
- Regular dependency audit: Use tools like Snyk, Dependabot, WhiteSource
- Signing and verification: Verify package integrity before installation
- Minimize dependencies: Only use necessary and maintained packages
- Proactive updates: Keep dependencies up to date with security patches
- SBOM (Software Bill of Materials): Document all application dependencies
- Automatic scanning: Integrate scanning into your CI/CD pipeline
Recommended tools:
# Example with npm audit
npm audit
# Example with Snyk
snyk test
# Example with Dependabot (GitHub)
# Automatic configuration in .github/dependabot.yml
A04:2025 - Insecure Design (New Approach)
Position: 4th place (down from 2nd place)
Prevalence: 3.80% of applications
Major change: This category now emphasizes threat modeling and secure design from the start, rather than specific technical vulnerabilities.
Secure design principles:
- Threat modeling: Identify threats before developing
- Defense in depth: Multiple layers of security
- Principle of least privilege: Grant only necessary permissions
- Fail-secure: In case of error, the system must be secure by default
- Separation of concerns: Isolate critical components
Protection measures:
- Conduct security design reviews
- Use threat modeling frameworks (STRIDE, DREAD)
- Implement security controls from design
- Train developers on security principles
A05:2025 - Security Misconfiguration (Still Critical)
Position: 5th place (down from 3rd place in 2021)
Why this drop? The use of modern frameworks with built-in protection (ORM, prepared parameters) has reduced injection vulnerabilities. However, attacks remain frequent.
Types of injection:
- SQL Injection: Injection of malicious SQL code
- NoSQL Injection: Injection into NoSQL databases
- Command Injection: Execution of system commands
- LDAP Injection: Injection into LDAP directories
- XSS (Cross-Site Scripting): Injection of JavaScript scripts
Protection measures:
- Use parameterized queries (prepared statements)
- Use ORM (Object-Relational Mapping) that automatically escape
- Validate and sanitize all user inputs
- Use whitelists rather than blacklists
- Implement Content Security Policy (CSP) to prevent XSS
Example of secure code:
// ❌ VULNERABLE - SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;
// ✅ SECURE - Parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);
A06:2025 - Vulnerable and Outdated Components
Position: 6th place (down from 4th place)
Prevalence: 3.50% of applications
Change: This category now emphasizes threat modeling and secure design from the start, rather than specific technical vulnerabilities.
A07:2025 - Identification and Authentication Failures (Name Modified)
Position: 7th place (unchanged)
Change: The name was modified from "Broken Authentication" to "Identification and Authentication Failures" to more accurately reflect the 36 weaknesses identified.
Examples of problems:
- Weak passwords accepted
- Absence of protection against brute force attacks
- Incorrect session management (tokens not invalidated)
- Multi-factor authentication (MFA) not implemented
- Insecure password recovery
Protection measures:
- Implement strong password policies
- Limit login attempts (rate limiting)
- Use MFA (Multi-Factor Authentication)
- Invalidate sessions after logout or expiration
- Use secure tokens (JWT with short expiration)
A08:2025 - Software and Data Integrity Failures (Unchanged)
Position: 8th place (unchanged)
Focus: This category focuses on the failure to maintain trust boundaries and verify the integrity of software, code, and data artifacts.
Examples of problems:
- Unsigned or unverified updates
- Data integrity not validated
- Code not verified before deployment
- Lack of integrity verification for downloaded files
Protection measures:
- Digitally sign software updates
- Verify data integrity with checksums (SHA-256)
- Implement integrity controls for critical files
- Use trusted registries for packages
A09:2025 - Security Logging and Monitoring Failures (Name Modified)
Position: 9th place (unchanged)
Change: The name was modified to emphasize the importance of the alerting functionality necessary to induce appropriate action on relevant logging events.
Examples of problems:
- Critical events not logged
- Logs containing sensitive information (passwords, tokens)
- Absence of alerts for suspicious events
- Logs not centralized or difficult to analyze
Protection measures:
- Log all critical events (authentication, access, errors)
- Never log sensitive information
- Implement an alert system for suspicious events
- Centralize logs (ELK Stack, Splunk, Datadog)
- Set up appropriate log retention
A10:2025 - Server-Side Request Forgery (SSRF) (NEW)
Position: 10th place (new category)
Prevalence: 24 weaknesses identified
Why this new category? Incorrect error and exception handling can reveal sensitive information, allow security bypasses, or cause denial of service.
Examples of problems:
- Error messages that reveal system information
- Incorrect exception handling (generic catch that masks errors)
- Denial of service caused by unhandled exceptions
- Business logic that fails open instead of fail-secure
- Stack traces exposed to users
Protection measures:
- Never expose technical details in user error messages
- Specifically handle each type of exception
- Implement fail-secure (in case of error, deny access)
- Log detailed errors server-side only
- Test error scenarios
Example of secure code:
// ❌ VULNERABLE - Revealing error message
catch (error) {
res.status(500).send(`SQL Error: ${error.message}`);
}
// ✅ SECURE - Generic message for user
catch (error) {
logger.error('Database error', { error, userId, action });
res.status(500).send('An error occurred. Please try again.');
}
Comparison 2021 vs 2025: Major Changes
| Position 2021 | Position 2025 | Category | Change |
|---|---|---|---|
| 1 | 1 | Broken Access Control | = |
| 5 | 2 | Security Misconfiguration | ↑ +3 |
| - | 3 | Software Supply Chain Failures | NEW |
| 2 | 4 | Cryptographic Failures | ↓ -2 |
| 3 | 5 | Injection | ↓ -2 |
| 4 | 6 | Insecure Design | ↓ -2 |
| 7 | 7 | Identification and Authentication Failures | = |
| 8 | 8 | Software and Data Integrity Failures | = |
| 9 | 9 | Security Logging and Monitoring Failures | = |
| - | 10 | Server-Side Request Forgery | NEW |
Categories removed from Top Ten 2021:
- A10:2021 - Server-Side Request Forgery (SSRF): Integrated into other categories
Action Plan: How to Protect Your Application
Step 1: Security Audit
Immediate actions:
- Perform a security scan with OWASP ZAP or Burp Suite
- Audit all your dependencies with Snyk or Dependabot
- Check your configurations (security headers, SSL/TLS, etc.)
- Review your access controls
Step 2: Prioritization
Recommended priority order:
- A01 - Access Control: Critical impact, high prevalence
- A03 - Supply Chain: New major risk
- A02 - Configuration: Easy to fix, significant impact
- A05 - Injection: High prevalence, critical impact
- A10 - SSRF: New, easy to fix
Step 3: Implementation of Controls
Recommended tools:
- OWASP ZAP: Vulnerability scanner
- Snyk: Dependency audit
- SonarQube: Static code analysis
- Burp Suite: Penetration testing
- Dependabot: Automatic dependency updates
Step 4: Training and Awareness
Actions:
- Train the team on Top Ten 2025
- Integrate security into the development process (DevSecOps)
- Conduct security-focused code reviews
- Organize regular awareness sessions
OWASP Top Ten 2025 Security Checklist
A01 - Access Control
- RBAC (Role-Based Access Control) implemented
- Permission verification on each request
- Horizontal and vertical access tests performed
- Principle of least privilege applied
A02 - Configuration
- Security headers configured (CSP, HSTS, etc.)
- Generic error messages in production
- Debug features disabled
- Secure default configurations
A03 - Supply Chain
- Regular dependency audit
- Security updates applied
- SBOM (Software Bill of Materials) maintained
- Automatic scanning in CI/CD
A04 - Cryptography
- Modern algorithms used (AES-256, SHA-256)
- Secrets managed via a secrets manager
- Valid and up-to-date SSL/TLS certificates
- No hardcoded secrets in code
A05 - Injection
- Parameterized queries used
- ORM with automatic escaping
- Input validation and sanitization
- CSP implemented to prevent XSS
A06 - Design
- Threat modeling performed
- Security design reviews
- Defense in depth implemented
- Fail-secure by default
A07 - Authentication
- MFA implemented
- Strong password policy
- Rate limiting on login attempts
- Secure session management
A08 - Integrity
- Digitally signed updates
- Data integrity verification
- Integrity controls for files
A09 - Logging
- Critical events logged
- No sensitive information in logs
- Alert system configured
- Centralized logs
A10 - SSRF
- Generic error messages for users
- Specific exception handling
- Fail-secure implemented
- Stack traces not exposed
Conclusion: Security is a Continuous Process
The OWASP Top Ten 2025 reflects the constant evolution of threats and development practices. The two new categories (supply chain and exception handling) show that attackers are adapting their strategies.
The 5 Essential Truths:
- Security is not a state, it's a process: Continue to audit, test, and improve
- Dependencies are a major risk: Monitor and update regularly
- Configuration matters: Poor configuration can negate all your other efforts
- Secure design pays off: Integrate security from the start
- Training is crucial: A trained team is your best defense
Investment in security pays off:
- Protection against data breaches
- Regulatory compliance (GDPR, etc.)
- Customer trust
- Savings on incident costs
Every day without a security audit = Exposure to risks
A single exploited vulnerability = Potential data breach
Security is your digital shield
If you develop or maintain web applications, make sure you understand and address the risks of the Top Ten 2025. This is the only way to protect your users and your business against modern threats.
Need a security audit for your application? Contact BOVO Digital for a complete assessment based on the OWASP Top Ten 2025 and the implementation of appropriate protection measures.
