Contents
The OWASP Top 10 is a list of the most critical security risks facing web applications. It is one of the best-known reference points in application security, and it shapes how developers write code, how security teams set priorities, and how a penetration testing engagement is scoped. If some of the terms below are new to you, our cybersecurity glossary explains the main ones in plain English.
This article covers what OWASP is, what the current 2025 list contains, how it is put together, and how to actually use it rather than just read it.
Before we continue, web application security has its own extensive vocabulary. If a term here is new to you, you should check out our cybersecurity glossary.
A quick introduction to OWASP
OWASP stands for the Open Worldwide Application Security Project, a non-profit foundation that works to improve the security of software. It publishes free tools, documentation and community-led projects that anyone can use, covering web applications, APIs, and connected systems.
Its best-known project by far is the OWASP Top 10.
What the OWASP Top 10 is for
The Top 10 lists the security risks that show up most often, and most seriously, in real web applications. It is written for the people who build and defend software: developers, security professionals and penetration testers. OWASP refreshes it roughly every three to four years so the list keeps pace with how applications are built and attacked, while still giving teams a stable baseline to work against between editions.
The current version is the OWASP Top 10:2025, the eighth edition and the first update since the 2021 list. You can read the source material on the official OWASP Top 10:2025 site.
How the OWASP Top 10 is decided
The list is built from a mix of hard data and expert judgement and not just opinion alone.
For each edition, OWASP runs a large data call. Testing vendors, in-house security teams and bug bounty platforms contribute real findings from hundreds of thousands of applications, and each finding is mapped to a Common Weakness Enumeration (CWE). Rather than counting raw bugs, OWASP measures incidence rate, the share of applications that contain at least one instance of a given weakness, and eight of the ten categories are chosen from this data.
The remaining two slots deliberately come from a community survey of security practitioners. Testing data always looks backwards, because it takes time for the industry to develop and automate tests for a new class of flaw. The survey lets the list include risks that experienced testers are already seeing in the field before the data fully catches up.
The OWASP Top 10: 2025 list
A note before the list: it is not ranked by importance in the sense that number ten is safe to ignore. Every item is a critical risk and deserves attention, and the ordering is based on how common and severe each category is across the data.
Here is the 2025 list, with a short explanation of each.
A01: Broken Access Control
Access controls decide who can see and do what, and when they are misconfigured or missing, users can reach data and actions that should be off limits, move into other users’ accounts, or escalate their own privileges. It remains the number one risk in 2025, and Server-Side Request Forgery, which had its own place in 2021, now sits inside this category.
A02: Security Misconfiguration
This covers insecure settings across applications, frameworks, servers and cloud services: default accounts left active, unnecessary features switched on, missing security headers, verbose error messages and over-permissive storage. It has climbed from fifth place in 2021 to second, as systems have grown more configurable and there are simply more settings to get wrong. Because these settings reach past the application into the servers and infrastructure around it, the same misconfigurations often surface in network penetration testing as well as web app testing.
A03: Software Supply Chain Failures
A new and broadened category for 2025 that replaces the old “Vulnerable and Outdated Components”. It goes further than known bugs in outdated libraries and takes in the whole software supply chain: malicious or compromised dependencies, tampered build pipelines, and risks introduced through third-party and open-source code. As more of an application is assembled from other people’s code, this is an area worth watching closely.
A04: Cryptographic Failures
Sensitive data needs proper protection in transit and at rest. This category covers weak or outdated algorithms, poor key management, and failing to encrypt data that should be encrypted, all of which can leave information exposed. It has moved down from second in 2021 to fourth, though the underlying risk has not gone away.
A05: Injection
Injection flaws happen when untrusted input is passed to an interpreter as part of a command or query, letting an attacker run their own commands. SQL injection and cross-site scripting are common examples, and they remain a core focus of any web application penetration testing engagement. Injection has fallen from third in 2021 to fifth, a sign that tooling and secure coding practices have made real progress here.
A06: Insecure Design
Some flaws are not coding mistakes but design ones, and this category covers weaknesses baked in during the architecture stage: missing threat modelling, absent security controls in the design itself, and business logic that can be abused. A flaw designed into a system cannot be patched away later, which is why secure design matters from the start.
A07: Authentication Failures
Renamed from “Identification and Authentication Failures”, this covers weaknesses in how an application confirms who a user is: weak or reused passwords, poor session handling, and flawed multi-factor authentication. Get this wrong and an attacker can impersonate a legitimate user and walk straight in.
A08: Software or Data Integrity Failures
This covers code and data that is trusted without being properly verified: unsigned or unchecked updates, insecure deserialisation, and reliance on components from untrusted sources. The result can be malicious code execution or tampered data that quietly undermines the application.
A09: Security Logging and Alerting Failures
Previously “Security Logging and Monitoring Failures”, the 2025 rename puts the emphasis on alerting. Without good logging and timely alerts, breaches go unnoticed, attacker activity cannot be traced, and forensic investigation becomes far harder. Poor visibility turns a small incident into a large one.
A10: Mishandling of Exceptional Conditions
The second new category for 2025. It deals with poor error and exception handling: improper input validation, incomplete recovery, inconsistent handling of failures, and the classic problem of “failing open” so a system defaults to allowing access when something goes wrong. Mishandled exceptions can cause crashes, logic flaws, data corruption or denial of service, and error messages that leak sensitive detail.
What changed from the 2021 list
If you know the 2021 edition, here is what moved.
There are two new categories: Software Supply Chain Failures broadens the old components category to cover the full supply chain, and Mishandling of Exceptional Conditions is a fresh entry drawn from the community survey. Server-Side Request Forgery, a standalone entry in 2021, has been folded into Broken Access Control, and on the rankings, Security Misconfiguration rose from fifth to second, while Cryptographic Failures, Injection and Insecure Design each moved down a place or two. Broken Access Control held on to the top spot.
The wider theme in 2025 is a shift towards root causes rather than symptoms, grouping weaknesses by what actually goes wrong rather than by how it shows up.
How to use the OWASP Top 10
The Top 10 is a starting point for secure development, not a finish line, and how you use it depends on your role.
Developers use it to learn the common failure modes, follow secure coding practices, and review their own code for these issues as they build. IT and security managers use it to shape policy, train their teams, and schedule regular audits so the same weaknesses do not keep reappearing. Penetration testers use it as one input when scoping and testing an application, then report findings against categories a client will recognise.
At Fortifi, every web application test we run is mapped against the OWASP Top 10, so you get results in a framework your developers and auditors already understand. If you want the detail, our full guide to web application penetration testing walks through how a test is scoped and delivered, and our penetration testing guide covers the wider picture.
The benefits of working to the OWASP Top 10
First and foremost, it raises awareness, giving developers, managers and security staff a shared, current picture of the risks that matter most. Secondly, it improves security practice, acting as a practical checklist to guide secure coding and testing. Finally, it supports compliance, since standards such as PCI DSS reference OWASP Top 10 coverage as accepted evidence of secure development, whatever sector you work in. Obviously, the OWASP Top 10 has many more benefits, but these are out top three.
Common misconceptions about the OWASP Top 10
For all its usefulness, the OWASP Top 10 is not without its misconceptions.
The first is treating the list as the complete set of web application risks, when it’s not. Yes, it captures the most critical and common ones, but a secure application has to account for plenty of risks beyond these ten.
The second is assuming that fixing these issues once keeps you safe. Threats change, new weaknesses appear, and the list itself is reissued every few years, as the 2025 update shows. The Top 10 belongs inside an ongoing security programme, not a one-off checklist.
The third is thinking that reading the list is enough, when, in reality, turning its general guidance into specific controls takes real work, tailored to how your own applications are built and run. That usually means changes to workflows, training and tooling, which is where a good testing partner helps.
What to do next
The OWASP Top 10 is a data-driven awareness document that highlights the most critical and common web application security risks, refreshed every three to four years. The 2025 edition brings two new categories, folds SSRF into Broken Access Control, and reshuffles the rankings, all of which tracks how modern applications are built and attacked. It will not catch every risk on its own, but as a shared reference for secure development and testing, it is something every team building web applications should know.
Ready to see how your applications hold up against the 2025 list? Fortifi’s web application penetration testing maps every test to the OWASP Top 10 and shows you exactly what to fix. Book a call to get started.