What is OWASP Top 10

The OWASP Top 10 started in 2003 as a quick awareness sheet; two decades later, it is the data‑driven scoreboard for web application risk. In every release cycle, the project collects thousands of real vulnerability records and surveys of security engineers and then weights each category by prevalence, exploitability, detectability, and business impact.

OWASP regularly updates the list to reflect evolving threats, making it a cornerstone of web application security.

OWASP Top 10 2021 Overview

OWASP Top 10 2021 introduced some significant changes to the Top 10 list from 2017.

• Broken Access Control is now #1: 9 of 10 pentests reveal privilege-escalation paths, making authorization a top priority.

• Shift left to design & dependencies: Introducing categories like Insecure Design and Software & Data Integrity Failures was a start to push teams to threat model early and lock down supply-chain pipelines.

• XSS Merge: OWASP folded Cross-Site Scripting into A03 Injection.

Of all the applications tested by OWASP, 94% had broken access control, proving that even decades of SDL training haven't reduced its occurrence.

For a deeper dive into each of the 2021 categories, see our OWASP 2021 breakdown.

OWASP 2025 Top 10 Predictions

OWASP plans to release the list in the first half of 2025, and expectations are that the OWASP Top 10 2025 will emphasize "secure-by-design" ideas.

In 2021, OWASP already signaled this shift by introducing Insecure Design as a category focused on design-level weaknesses and the need for threat modeling and secure patterns.

Overall, there is a push towards avoiding vulnerabilities early rather than patching them later in production, a push towards shifting left.

Another expected change is consolidating overlapping categories to keep the list straightforward. OWASP has trended toward broader risk categories in recent cycles. The 2021 list folded Cross-Site Scripting into the general Injection category and merged XML External Entity issues into Security Misconfiguration.

2025 should be no different. Monitoring Failures (with few Common Weakness Enumerations mapped) might be absorbed into Insecure Design since lack of monitoring is fundamentally a design oversight.

Apart from restructuring, some new vulns have the potential to make it to the list.

1. Broken Access Control

This category has consistently ranked as one of the top web app risks. It covers failures to enforce proper user privileges, such as missing authorization checks or predictable object IDs that allow unauthorized data access.

CWEs that fall under this category are IDOR, forced browsing, file permission issues, etc. OWASP mentioned that Broken Access Control has 34 CWEs mapped to it and has more occurrences in applications than any other category. Researchers found some form of access-control weakness in 94% of the tested apps. This overwhelming prevalence is why it moved to #1 and will likely remain there in 2025.

• T-Mobile Breach:

  A case in point is the T-Mobile API breach disclosed in January 2023. Attackers accessed an exposed API endpoint without proper authentication, stealing the personal data of 37 million customers over two months.

  T-Mobile admitted the API "provided access to limited customer data" that should have been protected. While T-Mobile didn't fully disclose the technical details, security analysts note this is as a classic example of broken object-level authorization (a client could retrieve other users' data via an unauthenticated or improperly authorized request).

• Twitter Data Leak:

  In early 2023, 235 million user records were exposed. This stemmed from a flaw in a Twitter API introduced by a 2021 update. The API allowed an attacker to enumerate or link user accounts with email or phone numbers without proper rate limiting or checks.

  This design oversight (essentially, broken access control at the API level) enabled the scraping of a vast dataset of user info.

2. Injection

Despite safer ORMs and auto‑escaping frameworks, SQLi, XSS, SSTI, Command Injection, and NoSQLi are still huge issues.

Injection occurs when an application sends untrusted data to an interpreter without proper sanitization or binding, allowing attackers to execute unintended commands or queries. Some injection flaws include SQL injection, OS command injection, and LDAP/NoSQL injection.

• MOVEit Transfer breach:

  MOVEit is a managed file transfer web application used by hundreds of organizations. The attackers exploited the SQL injection flaw (CVE-2023-34362) in May 2023, gaining unauthorized access to MOVEit's database and ultimately installing web shell backdoors, enabling mass data theft from any organization running the vulnerable software.

  By October 2023, over 2,000 organizations were affected by this vector, impacting over 60 million individuals as the affected organizations dragged their clients into the breach. The financial toll was nearly $10 billion.

3. Insecure Design (and Lack of Monitoring)

Insecure design is based on more fundamental design and architectural weaknesses in applications than mere implementation bugs.

It refers to cases where developers did not consider security during the initial design of a feature or system, leading to gaps that a simple patch cannot fix. OWASP's rationale for adding this category was to encourage a "shift left" mindset. In other words, building security from the design phase could eliminate many security issues rather than retrofitting it later.

A classic example of insecure design is an application that lacks anti-automation controls by design – for instance, failing to impose any rate limits or captcha on sensitive operations. Such a design flaw doesn't violate a specific coding rule but opens the door for abuse (bots performing credential stuffing, data scraping, etc.).

It's hard to pinpoint real-world breaches solely to "insecure design" since design flaws often manifest as complex logic issues. However, there have been incidents that clearly stem from poor design decisions.

• Twitter API (2021-22)

  The Twitter API vulnerability we discussed earlier allowed anyone to run unlimited queries that linked email addresses to user accounts, which was a design oversight in the feature. This oversight let attackers scrape roughly 235 million user records in 2021-2022.

4. Identification and Authentication Failures

This category covers weaknesses in how identities are proven and maintained: weak password complexity requirements, missing multi-factor authentication, session ID leaks or not expiring sessions, and logic flaws in login or password reset flows.

This category actually saw a positive impact and went from #2 in 2017 to #7 in 2021, possibly thanks to the broader adoption of secure frameworks and libraries for authentication.

In 2023, the CircleCI breach (Jan 2023) involved stealing an employee's 2FA-backed SSO session token to penetrate the development platform's network, after which they could exfiltrate customer secrets.

In mid-2023, security researchers revealed flaws in implementing OAuth for specific Microsoft applications that could allow token forgery under particular conditions, essentially an authentication logic error.

This category shows that everything from password storage to session management to MFA enforcement must be correctly implemented. In most cases, the basics are what fail: databases of user credentials left in plaintext or predictable password reset tokens that attackers guess.

5. Cryptographic Failures (Sensitive Data Exposure)

Cryptographic failures involve weaknesses in protecting data in transit and at rest, from using outdated encryption algorithms or improper cipher modes to failing to encrypt sensitive data.

2021 changes shifted the focus of this category from data getting exposed (symptom) to poor use of crypto (the root cause).

• LastPass (2022-2023)

  Although it started as a compromise of the developer's credentials, the most critical failures were cryptographic.

  The attackers exfiltrated encrypted password vaults, and it emerged that many vaults relied on potentially insufficient PBKDF2 hashing iterations.

  In 2023, LastPass had to increase its PBKDF2 iterations and fix some legacy encryption practices, essentially correcting a cryptographic weakness that could have led to vault cracking.

Basic pitfalls of Cryptographic Failures:

• Using deprecated or weak cryptographic algorithms/protocols (e.g., MD5, SHA-1, DES, or legacy SSL/TLS versions).
• Misusing cryptographic primitives or modes (e.g., reusing initialization vectors (IVs) or nonces, using insecure cipher modes like ECB, or neglecting cryptographic integrity/authenticity checks).
• Inadequate protection of sensitive data at rest (such as storing passwords in plaintext or using unsalted, low-iteration hashes for credentials).
• Failing to enforce secure transport for data in transit (e.g., not using TLS everywhere or neglecting HSTS, which allows downgrade attacks to HTTP).

6. Security Misconfiguration

Security Misconfigurations include leaving default admin passwords in place, having directory listings open on a server, enabling debug or trace modes in production, misconfigured cloud storage buckets, improper CORS settings, verbose error messages revealing stack traces, and many more.

The surge of cloud services and containerized deployments has increased the ways misconfigs happen. In 2021, OWASP mentioned that 90% of applications tested had some form of misconfiguration issue.

These factors led to a rank upgrade for this category (it became OWASP A05:2021) and absorbed the prior XML External Entities risk into itself.

• Toyota

  The company disclosed a data breach affecting millions of customers caused by an improper cloud configuration on a developer system. The misconfiguration left customer and vehicle databases accessible without authentication for years.

7. Vulnerable and Outdated Components (Improper Asset Management)

Web apps usually rely on multiple third-party components and libraries, from open-source frameworks to commercial SDKs. The idea is that organizations must keep a record of their frontend/backend components and ensure they are promptly patched. In 2021, this category notably had no CVEs directly mapped in the OWASP data because it's more of a broad risk than a single weakness. Some of the most damaging attacks in recent years have been due to unpatched but known vulnerabilities.

• Log4Shell (CVE-2021-44228)

  Researchers disclosed a critical flaw in the Log4j logging library in late 2021. Throughout 2022 and well into 2023, attackers continued to exploit Log4Shell on systems that had not yet applied the fix. In fact, according to joint cybersecurity agency reports, Log4Shell was still among the top exploited vulnerabilities in 2023.

The primary issue with this category is not the Vulnerabilities themselves but the fact that many organizations are reluctant to upgrade even after a patch is available and actively broadcast.

8. Software and Data Integrity Failures

Software and Data Integrity Failures ensure that software updates and continuous integration/deployment (CI/CD) pipelines are trustworthy and not tampered with. OWASP created this category to address issues like insecure deserialization and supply chain vulnerabilities beyond using outdated components. It highlights the risks in our assumptions about software: assuming an update server is delivering legit code or that a pipeline is secure from the injection.

• 3CX Software

  In this attack, a nation-state actor compromised a trading software (X_Trader) and used it as a beachhead to infiltrate 3CX's network; they then implanted malware into 3CX's legitimate application updates.

  As Mandiant, who investigated, noted: "This is the first time [we have] seen a software supply chain attack lead to another supply chain attack." If someone breaks into your build pipeline or updates the signing process, they can turn your software into a trojan horse without your customers or even you realizing it. 3CX was distributing signed, malware-laced installers for weeks before detection. This incident perfectly echoes the 2020 SolarWinds Orion incident.

• npm and PyPI

  Recently, there was a surge in the number of malicious packages on both npm and PyPI. A PyPI package called web3-utils was tracking environment variables.

9. Algorithmic Denial of Service (ReDoS and Expensive Queries)

Given the recent ReDoS incidents, OWASP will likely include this category in the OWASP 2025 Top 10. Algorithmic DoS attacks exploit weaknesses in application algorithms or data processing logic to exhaust server resources with minimal input. The codebase usually has nothing wrong, but the vulnerability lies in the fundamental business logic itself.

For example, an attacker can provide specially crafted input to a regex engine, triggering worst-case catastrophic backtracking and consuming extreme CPU time. This can hang or slow the application dramatically for a single request.

Similarly, "expensive query" attacks (deeply nested GraphQL queries or unbounded database queries) abuse legitimate query features to force disproportionate work on the server side, leading to potential denial of service.

Although ReDoS large-scale incidents have been less frequent than Broken Access Control or SQL Injection, some

While ReDoS large-scale incidents are less common than injection flaws, developers have documented several algorithmic DoS vulnerabilities in recent years.

• ReDoS Vulnerability in Ruby on Rails

  In early 2024, developers found a ReDoS vulnerability in Ruby on Rails (Action Dispatch's Accept header parser). Rails 7.1.3.1 patched the issue (CVE-2024-26142) and the maintainers assigned it a score of CVSS 7.5.

• ReDoS Vulnerability in Node.js Library

  ReDoS in the popular Node.js library get-func-name (CVE-2023-43646), where an imbalance in parentheses in input could lead to “excessive backtracking” and CPU exhaustion.

• ReDoS Vulnerabilities in Cloudflare

  GraphQL APIs are another avenue for algorithmic DoS: Cloudflare reported that GraphQL queries (extremely deep nesting or querying vast amounts of data in one request) could "place a disproportional load on the origin" and effectively cause a denial of service.

  In response, Cloudflare's API Gateway added protections for "two of the most common GraphQL abuse vectors: deeply nested queries and queries that request more information than they should."

The OWASP API Security Top 10 (2023) introduced "Unrestricted Resource Consumption" as a category since unchecked use of CPU, memory, or bandwidth can quickly lead to many types of DoS scenarios in APIs.

10. HTTP Request Smuggling (HRS)

HTTP Request Smuggling exploits inconsistent parsing of HTTP requests between two or more servers (typically a frontend proxy/load balancer and a backend server). By crafting ambiguous HTTP request sequences, one can "smuggle" a malicious request through the frontend so that the backend interprets an entirely different request sequence. This desynchronization leads to multiple outcomes: capturing users' requests/responses, bypassing security controls, session hijacking, cache poisoning, or even remote code execution in some cases.

HRS has gained attention in recent years through research like James Kettle's "HTTP Desync Attacks," it continues to yield critical findings on modern platforms.

There have been multiple incidents of HTTP Request Smuggling in recent years.

• HTTP Request Smuggling in Google Cloud Platform

  An HRS variant dubbed TE.0 affected the Google Cloud Platform's load balancer and, by extension, thousands of websites behind it. By manipulating the Transfer-Encoding header, the team found they could compromise a wide range of GCP-hosted services, including Google's Identity-Aware Proxy, via request smuggling.

  This single technique opened a critical vulnerability in thousands of web applications, illustrating how severe HRS can be when common infrastructure is affected.

• HTTP Request Smuggling in BIG-IP

  A request smuggling flaw (CVE-2023-46747) in the F5 BIG-IP appliance, a high-end load balancer used by many enterprises.

  By sending specifically crafted requests, they achieved an authentication bypass on the BIG-IP’s management interface, leading to a compromise of an F5 system without credentials. This HRS bug was closely related to a prior smuggling bug (CVE-2022-26377). Notably, large organizations deploy F5 devices, so this vulnerability had a vast impact surface.

• HTTP Request Smuggling in Cloudflare

  Recently, Cloudflare revealed a request smuggling vulnerability in its new HTTP proxy software, Pingora. Cloudflare's free-tier CDN (which uses Pingora) was vulnerable to an HTTP/1.1 request smuggling attack (CVE-2025-4366).

  It could have caused visitors to Cloudflare sites to make subsequent requests to their servers and observe which URLs the visitor was initially attempting to access, essentially hijacking part of a user's session. Cloudflare mitigated the issue within 22 hours of notification and found no evidence of prior exploitation.

  Cloudflare stated, "We treat any potential request smuggling or caching issue with extreme urgency," given the risk of traffic misrouting and cache poisoning on their platform.

These were just a few examples of HTTP Request Smuggling; many more reports of HRS appear in standard software.

• Apache Tomcat had a long-standing request smuggling bug (in parsing the Transfer-Encoding header). Maintainers patched the bug in 2021 after it had gone unnoticed since 2015.

• In 2022, Node.js's core HTTP parser similarly had a smuggling bug (CVE-2022-35256) that could allow desync attacks against Node-based servers.

Beyond Top 10: Other Categories to Watch Out For

• AI/ML-related vulnerabilities

  There has been a surge in AI vulnerabilities, and looking at the number of applications using AI in their fundamental business logic, OWASP has released its Top 10 for LLMs and Top 10 for Machine Learning.

  Web apps integrating AI (chatbots, recommendation engines) might introduce new angles of attack like prompt injection or model poisoning. Top 10 likely won't list these explicitly in 2025 unless they become more relevant to typical web apps.

  However, it's still very critical to be aware of such vulnerabilities. If you are using the latest models for coding and more, we have a detailed guide on how to make your vibe coding more secure and reliable..

Apart from all the Vulnerabilities we discussed so far, there are always business logic bugs that are most nuanced to catch. Since they are not merely syntax bugs, you would need to completely understand the codebase to find them.

If you are curious about business logic bugs, you should check the business logic detection rate of ZeroPath and how it compares to other SAST tools.

Conclusion

We expect the OWASP Top 10 2025 to reinforce core issues like access control, injection, and secure configuration with a forward-looking lens that addresses how the threat landscape has moved. Emerging categories like secure design, HTTP Request Smuggling (HRS), ReDoS, supply chain integrity, race conditions, and more reflect the current blind spots.