What you need to know about the OWASP Top 10 2025?

Jan 12, 2026

Cyberattacks and breaches are nothing new, as they have been happening from time immemorial, and they will continue to happen in the future too. In fact, the sophistication of attacks is escalating with every passing year, and it is up to the community to erect corresponding defenses. 

As soon as the defenses are hardened, the hackers figure out other innovative ways to break the system. The result? Unimaginable ways to attack and breach systems. The recent Louvre Heist in Paris, France, shows that a heist can be done in just 7 minutes if planned and executed well. 

Security has always been and is always a cat-and-mouse game. The cat (the hacker in this context) is always trying to seize the most prized asset in any possible way, and the mouse (the security team) is always trying to hide the asset. In this ongoing game, wouldn’t it be nice if future attacks could be prevented? This is where the OWASP Top 10 security risks and vulnerabilities step in. The OWASP Top 10 vulnerabilities document has been created by the Open Web Application Security Project (OWASP). It lists the top 10 security risks after a lot of research (by sifting through nearly 2.8M applications!) and is a perfect reference document for developers of web applications. Developers can make note of these security risks when designing future applications, thereby promoting secure web development. 

Let us discuss the Top 10 security risks as listed by OWASP below:
1. Broken Access Control
‘Access control’ is a common security feature that ensures that only authorized individuals can access the corresponding resources. As an example, if a Facebook post is to be viewed only by ‘Friends’, it can be viewed only by ‘Friends’ and no one else. ‘Physical access control’ ensures that certain rooms within a building can only be accessed by individuals with certain authorization and access.

If access control is broken and unauthorized individuals gain access to restricted resources, data can be stolen. This is the essence of ‘Broken Access Control’. In this type of vulnerability, hackers bypass access control by, for example, explicitly changing the URL and then maliciously accessing, modifying, or sharing restricted resources.

This can be prevented in a number of ways; these are some key ones:

  • Deny by default and enable as needed (permissions are denied to all initially and given to roles only when needed). 
  • Access controls should be implemented on the server side and not on the client side. 
  • We cannot cure the problem if we cannot see it. Log all access control failures so that the developers can see them and address them immediately.
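The three points above, as an added example that is not from the original post: a server-side, deny-by-default check on a post fetched by the id in the URL, with every refusal logged. The post records, the friendship graph and the caller identity (taken from the authenticated session, never from the request) are constructed assumptions.

```python
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")

# Constructed sample data: posts with an owner and a visibility setting,
# and a friendship graph. Both are assumptions for this example.
@dataclass
class Post:
    post_id: int
    owner: str
    visibility: str   # "public", "friends" or "private"
    body: str

POSTS = {
    1: Post(1, "alice", "friends", "weekend plans"),
    2: Post(2, "alice", "private", "draft"),
    3: Post(3, "bob", "public", "hello world"),
}
FRIENDS = {"alice": {"carol"}, "bob": set(), "carol": {"alice"}}

def can_view(user: str, post: Post) -> bool:
    """Server-side rule: access is denied unless an explicit rule grants it."""
    if user == post.owner:
        return True
    if post.visibility == "public":
        return True
    if post.visibility == "friends" and user in FRIENDS.get(post.owner, set()):
        return True
    return False   # deny by default

def get_post(user: str, post_id: int):
    """Handler for GET /posts/<post_id>; post_id comes straight from the URL,
    user comes from the authenticated session on the server."""
    post = POSTS.get(post_id)
    if post is None or not can_view(user, post):
        # Log every access-control failure so developers can spot probing,
        # e.g. one user walking through post ids in the URL.
        log.warning("access denied user=%s post_id=%s", user, post_id)
        return None   # same answer for missing and forbidden: no enumeration hint
    return post.body
```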

2. Security Misconfiguration
‘Security misconfiguration’ has moved from #5 in 2021 to #2 in the release candidate version of the 2025 OWASP Top 10. This indicates that this type of vulnerability has been encountered more often over the past four years, surging to #2 in the list.

Security misconfigurations are common because configuration is often skipped altogether or done hurriedly with the wrong settings. It is also possible that the system was never set up with security in mind. A few examples of security misconfigurations:

  • The default passwords are not being changed. 
  • Permissions are being set incorrectly. 
  • Backward compatibility results in an insecure configuration. 

These are some cases of misconfiguration. As we can see, it is quite simple for hackers to take advantage of these commonly overlooked things, exploit them, and carry out attacks and breaches on a large scale.

These are a few ways to prevent misconfiguration: 

  • Minimal is best. Uninstall all unwanted applications; what is not installed cannot be misconfigured.
  • All existing security configurations should be verified so that there is no backdoor for hackers to penetrate the system. 
  • All applications should be hardened across the entire technology stack.

3. Software Supply Chain Failures
Most applications now depend on multiple levels of collaboration through third-party vendors, software dependencies, and distribution infrastructure. It is therefore essential to keep track of security issues and vulnerabilities in all the dependencies as well. Software supply chain failures refer to vulnerabilities anywhere in the supply chain, including the different third-party vendors. This category broadens the 2021 OWASP Top 10 entry ‘Vulnerable and Outdated Components’.

Here are some things that can happen: 

  • If the software is not recently updated with the latest patches and fixes, then there is a distinct possibility that vulnerabilities can creep in.
  • Different teams might download software from different sources. This might result in yet another way that vulnerabilities can enter the system.
  • If all systems are not equally hardened across the software chain, it could result in failures as well.

Here are a few ways in which software supply chain failures can be avoided: 

  • Each organization should have an SBOM, or ‘Software Bill of Materials’, which is a record of the software that the system uses and of the different supply chain relationships. The software present in a system can be libraries or modules, free or paid, open source or proprietary. An SBOM makes it possible to identify and track vulnerabilities in these software modules.
  • It is also good to eliminate all unused dependencies, files, and programs, which shrinks the attack surface and with it the exposure to supply chain failures.
  • Use all components from secure sources and encourage the same for other teams as well. 
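An added example (not from the original post) tying the three points above together: a check run over a constructed, CycloneDX-style SBOM that flags components fetched from outside an allowed source, artifacts whose SHA-256 no longer matches the SBOM, and artifacts present in the build but never declared. Component names, versions, the trusted source URL and the artifact contents are all made up for the example.

```python
import hashlib

# Assumption: components may only come from this internal mirror.
TRUSTED_SOURCES = {"https://registry.example.internal"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed artifacts as found on the build machine (bytes stand in for files).
ARTIFACTS = {
    "libfoo-1.2.0.tgz": b"libfoo 1.2.0 contents",
    "libbar-3.4.1.tgz": b"libbar 3.4.1 contents, tampered",
    "libbaz-0.9.0.tgz": b"libbaz 0.9.0 contents",   # never declared in the SBOM
}

# Constructed minimal SBOM: name, version, file, origin and expected hash.
SBOM = {
    "components": [
        {"name": "libfoo", "version": "1.2.0", "file": "libfoo-1.2.0.tgz",
         "source": "https://registry.example.internal",
         "sha256": sha256_hex(b"libfoo 1.2.0 contents")},
        {"name": "libbar", "version": "3.4.1", "file": "libbar-3.4.1.tgz",
         "source": "https://random-mirror.example",        # not an allowed source
         "sha256": sha256_hex(b"libbar 3.4.1 contents")},  # hash of the genuine file
    ]
}

def verify_sbom(sbom: dict, artifacts: dict) -> list:
    """Return human-readable findings; an empty list means build and SBOM agree."""
    findings = []
    declared = set()
    for c in sbom["components"]:
        declared.add(c["file"])
        label = f'{c["name"]}@{c["version"]}'
        if c["source"] not in TRUSTED_SOURCES:
            findings.append(f"{label}: obtained from untrusted source {c['source']}")
        data = artifacts.get(c["file"])
        if data is None:
            findings.append(f"{label}: declared in SBOM but artifact missing")
        elif sha256_hex(data) != c["sha256"]:
            findings.append(f"{label}: SHA-256 mismatch (artifact altered?)")
    for name in sorted(set(artifacts) - declared):
        findings.append(f"{name}: present in build but not in SBOM (undeclared or unused dependency)")
    return findings
```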

4. Cryptographic Failures
‘Cryptographic failures’ has moved two spots down from the 2021 OWASP Top 10 vulnerabilities list. Typically, both ‘data at rest’ and ‘data in transit’ have to be encrypted. ‘Data at rest’ is encrypted at the application layer, and ‘Data in transit’ is encrypted at the Transport layer of the OSI model. The type of cryptographic algorithms that are used to encrypt them determines how safe or unsafe your data is. 

Here are some ways in which cryptographic failures can occur: 

  • Old or weak cryptographic algorithms are still in use; review them and replace them with modern, effective ones.
  • Crypto key management is not done effectively; weak keys and default keys left in place are known weaknesses.
  • Encryption is not enforced in headers.
  • Sensitive information like passwords, session cookies, and health information is not stored with adequate security and encryption. 

Here are some ways in which it can be prevented: 

  • Upgrade to the latest and most effective cryptographic algorithms. Avoid deprecated cryptographic algorithms like MD5 and SHA1.
  • Store keys in cloud-based hardware security modules (HSMs).
  • All sensitive data at rest, such as passwords, health information, and credit card information, must be encrypted.
  • It is a good idea to use authenticated encryption as well. 
  • Avoid storing sensitive data since what is saved can be stolen.
  • Make sure that everyone in the team is on the same page about these secure practices. 

5. Injection
The next vulnerability in the OWASP Top 10 2025 is ‘Injection’, which has moved from #3 in 2021 to #5 in 2025. 

Technology has come a long way, from writing programming statements that simply work to injecting malicious code into those statements. That is precisely what happens in an ‘Injection’ vulnerability. 

Here, hackers inject rogue code into a program’s input fields, and the program executes it as if it were legitimate code. Because of this ‘malicious injection’, the program may retrieve an entire table, or delete or modify records.

Some of the injections that are done are SQL injection, NoSQL injection, ORM injection, and EL injection. This happens mainly because the input fields are not validated, sanitized, and filtered. 

‘Injection’ vulnerabilities can be avoided by: 

  • Server-side validation. 
  • Keeping data separate from commands and queries (this ensures that input data is just “data” and not executable code).
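The second point above, as an added example that is not from the original post: the same lookup written once with the input pasted into the SQL text and once with the input bound as a parameter, run against a constructed in-memory SQLite table. The table contents and the test string are made up for the example.

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
])

def find_user_vulnerable(name: str) -> list:
    """Input is spliced into the command text, so it can change the query's meaning."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(name: str) -> list:
    """Input travels as a bound parameter: the database treats it as data only,
    never as part of the command, whatever characters it contains."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

# Textbook test string (constructed): closes the quote and appends an always-true clause.
PROBE = "' OR '1'='1"
```

With the probe, the vulnerable function returns every row while the safe one returns none, because no user is literally named `' OR '1'='1`.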

6. Insecure Design
Insecure Design has moved two slots down in the OWASP list, from #4 in 2021 to #6 in 2025. It is a known fact that vulnerabilities can creep in if the design of the system is itself flawed. It may not be the root cause of the remaining nine vulnerabilities in the list, but design flaws nevertheless remain a crucial point. 

Insecure design is different from insecure implementation, as design and implementation are entirely different things. A secure design can still have an insecure implementation, which again gives rise to exploitable vulnerabilities. An insecure design cannot be rescued by a secure implementation and leads to the same issues. 

Here are some ways in which insecure design can be avoided: 

  • Threat model applications. 
  • Involve all the business units and collect the business requirements to make a secure application. 
  • Use design patterns that are secure to bolster the security of applications. 
  • It is also good to anticipate possible security mishaps and incorporate further secure design changes where possible. 
  • Secure the software development lifecycle, monitor it, and adopt security practices through each phase of the SDLC.

7. Authentication Failures
Perhaps the simplest way to attack a system is through passwords. Relying on a password alone to lock the resources of a system is the single greatest vulnerability. In this type of vulnerability, if an attacker tricks the system into believing they are genuine, through strategies like credential stuffing or password spraying, they get into the system very, very easily. 

Authentication failures can be caused by: 

  • Credential stuffing: commonly used passwords from freely available ‘commonly used passwords’ lists are tried in the input fields to access the system (and it may work!). 
  • Password spraying: hackers take a breached set of passwords and slightly modify them in line with normal human behavior. For example, ‘Cat1’ may simply have been renamed to ‘Cat2’, and hackers can then access the resources easily. 
  • Lack of multi-factor authentication.
  • Allowing accounts to be secured with weak passwords.
  • Session timeouts not being configured correctly. 

Authentication failures can be prevented by: 

  • Enabling multi-factor authentication. 
  • Not using commonly used passwords.
  • Helping the public understand the importance of good password hygiene.
  • Designing systems with good password practices so that common attacks like password spraying and credential stuffing do not succeed.
  • Designing session timeouts appropriately so that users are logged out promptly from all critical sites they visit.
  • Not shipping applications with default admin passwords.

8. Software or Data Integrity Failures
Software or Data Integrity Failures has changed its name from ‘Software and Data Integrity Failures’ in 2021 and continues to remain at #8 in 2025 as well. As applications become huge, the reliance on third-party apps, plugins, and libraries from unknown sources increases. This leads to the possibility of insecure code from the different sources infiltrating the system. This can be utilized by hackers to penetrate the system. 

Yet another cause of ‘Software or Data Integrity Failures’ is software that updates automatically without any verification that the update is trusted and safe. 

These failures can be prevented by: 

  • Employing digital signatures: digital signatures help uphold the integrity of the software being downloaded, thereby reducing the risk of software and data integrity failures. 
  • A review process for code and configuration changes also reduces the software/data integrity failure risk. 
  • Not accepting serialized or unencrypted data from unknown sources also helps. 

9. Logging and Alerting Failures
We cannot find and resolve failures if we don’t know about them. In this context, ‘Logging and Alerting Failures’ is yet another vulnerability in the OWASP Top 10 2025 list. 

Often, it is the simple security habit of logging information that prevents breaches and attacks. If logins are correctly recorded, the logs can be used to react to security incidents quickly, or even to prevent them in some cases.

How this occurs: 

  • No logging is done, whether logins are successful or failed.
  • Errors and failed logins, if documented, are not clear.
  • The error logs and failed-login records may be subject to tampering as well.
  • Failed logins may not have been recorded at all, even though successful logins were.
  • The log data may not have been analysed. 

These can be prevented by: 

  • Ensuring that all logins are logged appropriately, whether successful or not.
  • Logs should be generated in such a way that log management is easy.
  • Log data should be encoded so that injection attacks do not work on it.
  • Any suspicious activity should generate an alert so that the development team can create mitigation strategies. 
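An added example, not from the original post, covering the encoding and alerting points above and the credential stuffing and password spraying entries under ‘Authentication Failures’: each login outcome is written as one JSON line so that a username containing a newline cannot forge a second entry, and an alerter raises an alert when a single source IP fails against many different accounts in a short window. Thresholds, field names and the sample IPs are assumptions.

```python
import json
import time
from collections import defaultdict, deque

def log_event(event: str, **fields) -> str:
    """Write one log entry as a single JSON line. Attacker-controlled values
    (a username containing a newline or fake 'event=' text) stay inside a
    quoted string field and cannot forge a separate entry. The password
    itself is never passed in; only the outcome and the account are logged."""
    ts = fields.pop("ts", time.time())
    return json.dumps({"ts": ts, "event": event, **fields}, ensure_ascii=True)

def parse_log_line(line: str) -> dict:
    """Inverse of log_event, for log management tooling and the tests."""
    return json.loads(line)

class FailedLoginAlerter:
    """Alert when one source IP fails logins against many distinct accounts
    inside a time window: the pattern credential stuffing and password
    spraying produce. Thresholds are assumptions for this example."""

    def __init__(self, max_accounts: int = 5, window_seconds: float = 60):
        self.max_accounts = max_accounts
        self.window = window_seconds
        self.failures = defaultdict(deque)   # ip -> deque of (ts, username)

    def record_failure(self, ip: str, username: str, ts: float):
        """Record a failed login; return an alert log line or None."""
        q = self.failures[ip]
        q.append((ts, username))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= self.max_accounts:
            return log_event("alert", ts=ts, ip=ip, distinct_accounts=len(distinct),
                             reason="possible credential stuffing or password spraying")
        return None
```

A repeated failure against one account from one IP is a lockout/rate-limit question, not spraying, so it never trips this alert.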

10. Mishandling of Exceptional Conditions
Mishandling of Exceptional Conditions is the newest vulnerability in the OWASP Top 10 2025. In this case, when an application encounters an error, one of three things goes wrong: 

  • The error is not prevented. 
  • The error or exception is not identified.
  • The error is not handled properly even when it is detected. 

If a condition is mishandled, hackers will take advantage of the error or the mishandling and penetrate the system or cause other physical or monetary damages. There are different kinds of vulnerabilities that can creep in because of the mishandling such as logic bugs, race conditions, buffer overflow, memory issues and more.

These can be prevented with an approach similar to ‘try-catch’ exception handling in programming: 

  • At each place where an error might arise, it can be handled appropriately, in a way the user understands, through exception handlers. 
  • There can be global exception handlers as well.
  • It is better still to prevent such errors in the first place through input validation and sanitization.
  • All errors should be logged, monitored, handled, and alerted on for future reference.

These are the OWASP Top 10 2025 Web application security risks.
