Awareness for Web Security: The OWASP Top Ten 2025

Contents

The Open Worldwide Application Security Project (OWASP) presented the first release candidate of the OWASP Top Ten 2025 at its "Global AppSec USA" conference: the list of the biggest security risks for web applications. The last list was published four years ago, a long time in the fast-paced world of web development. Reason enough to take a look at the innovations in the eighth edition.

Christian Wenz

Christian Wenz has been working professionally in web security for 25 years and has been a contributor to Heise for almost as long. He advises corporations and companies and supports development teams in all matters relating to cybersecurity. With the digital agency Arrabiata Solutions GmbH, he ensures secure line-of-business applications.

Top 1 to 3

The first three list items of the OWASP Top Ten 2025 were also the risks that occurred most frequently by far in previous editions. Especially with the old and new number one, "Broken Access Control," this is due to the large number of Common Weakness Enumerations (CWEs), the numbering system for security vulnerabilities and risks, which forms the basis of the OWASP Top Ten. A staggering 40 of these are assigned to this category – a new record. This is also one of my personal criticisms of the Top Ten: the category is very broad and includes outdated classics like "Path Traversal" as well as generalities like "Improper Access Control" and "Improper Authorization," along with Cross-Site Request Forgery (CSRF) and Server-Side Request Forgery (SSRF). In practice, Broken Access Control manifests itself, among other things, in guessed IDs in the URL, unsecured endpoints ("No one guesses that they exist!"), and other violations of the basic rule "Access control, everywhere."

Item 2 is "Security Misconfiguration," meaning a lack of configuration. This is by no means purely an administration or operations issue, as this category includes not only hardening the operating system and server software but also application-specific settings, such as what happens with error messages (classic: send directly to the client, i.e., the attacker). The use of security-relevant HTTP headers is also included, such as Content Security Policy and Referrer Policy. The existence of such headers can be trivially checked, which is why their absence is criticized in every audit report, regardless of the quality of the pentest. Setting these headers is therefore a win-win situation: the application is more secure, the report is shorter. This category has moved up three places compared to the last edition in 2021, which can be explained by the increasing configurability of web applications.

Place 3 is "Software Supply Chain Failures," previously called "Vulnerable and Outdated Components" in the predecessor edition and ranked 8th there. The steep rise is explained by the ever-increasing dependence on software packages. In 2025 alone, there were numerous incidents where, for example, libraries and dependencies were compromised with malware: extensions for Visual Studio Code, npm packages (including by Shai-Hulud and Shai-Hulud 2), and many more. There is no simple solution: updating all software dependencies immediately after their release could have led to disaster in the mentioned cases, as the malware was present in the new versions. However, refraining from updates or postponing them for a long time is also not a solution – the clock is ticking as soon as a security vulnerability becomes known. A frequently adequate strategy is to deploy new versions quickly and additionally ensure high automated test coverage to have the greatest possible certainty that everything continues to function as desired during updates.

JavaScript Conference: enterJS 2026

The enterJS 2026 will take place on June 16 and 17 in Mannheim. The program will revolve around JavaScript and TypeScript, frameworks, tools and libraries, security, UX, and more. Discounted Blind-Bird tickets are available until the program starts.

In contrast to the 2021 edition, this category is now broader – not only dependencies but the entire infrastructure for creating and distributing an application, i.e., the complete supply chain, is included. The high position on the list results not from the underlying data but from a separate survey on which security aspects are underrepresented in pentests (see section "Development Process of the OWASP Top Ten"). Some supply chain risks are difficult to test within an audit, but a look at current attacks shows that the problem is real, but not sufficiently reflected in the data.

Top 4 to 6

At number 4 on the 2025 OWASP Top Ten is "Cryptographic Failures," down two places compared to 2021. This can be explained, among other things, by the fact that the widespread use of HTTPS has largely prevailed, including flanking measures such as restricting cookies to a secure transport path (secure flag) and enforcing HTTPS through HTTP Strict Transport Security (HSTS), a mechanism via HTTP header and thus also a candidate for category 2, "Security Misconfiguration." Browsers can even communicate exclusively via HTTPS with pre-registered domains automatically (see Figure 1). The insecure storage of passwords, for example with MD5 hash or even in plain text, also occurs much less frequently in audits.

List item number 5 is "Injection." For the first time in the history of the OWASP Top Ten, this item is not in the Top 3. Up to and including 2017, the category was specifically called "SQL Injection," named after an attack older than the web itself. And indeed, injecting malicious SQL is by no means as widespread as it was in the 1990s and even the 2000s. Nevertheless, "Injection" has held its own in the Top Ten so far. In 2021, this was only possible through a trick by OWASP: they not only renamed the category from "SQL Injection" to "Injection" but also significantly expanded it: by the perennial favorite XSS (Cross-Site Scripting). This is thematically correct – even if the category name doesn't suggest it – because XSS typically involves injecting malicious HTML markup or JavaScript code. Thus, an injection is present.

The decline in SQL injection prevalence is not only since classic countermeasures like prepared statements or parameterized queries should now be common knowledge (even if this is not always the case in reality). In many applications, SQL is no longer used explicitly but only implicitly: the application communicates with the database via an object-relational mapper like Hibernate, Entity Framework Core, or Doctrine, which, while not making SQL injection impossible, makes it much more difficult.

XSS, on the other hand, is an ongoing problem, but there are now better countermeasures than in 1998, when the term was coined. Many frameworks include protection concepts, for example, output escaping in single-page application technologies like Angular, React, or Vue.js. With Content Security Policy, there is a defense-in-depth mechanism that, while not closing XSS vulnerabilities, can make their exploitation very difficult to impossible. The Trusted Types API offers some protection against XSS, especially for JavaScript-based web applications. However, it is not yet available in the Firefox browser without extra configuration.

Somewhat disappointing, in turn, is item 6 of the OWASP Top Ten, which was at number 4 four years ago: "Insecure Design." Indeed, insecure software design is a major risk, and it makes sense to include security as early as possible in the software development process according to the "Shift Left" paradigm, but this list item is not concretely tangible. A countermeasure to "insecure design" would be "secure design."

Top 7 to 10

Place 7 on the OWASP Top Ten 2025 is "Authentication Failures," a bit more tangible than the category in the 2021 edition, which was "Authentication and Authentication Failures." Here, almost as many CWEs are gathered as in place 1, a total of 36. Authentication has many facets on the web, be it sessions – including associated attacks, even if these are often very well preventable in modern browsers, or more modern mechanisms like OpenID Connect. While the latter has good support in various frameworks, including certified implementations, the complexity also harbors risks, which are reflected in the category's placement in the OWASP Top Ten.

At number 8 is "Software or Data Integrity Failures" – in 2021, it was "and" instead of "or" in the title. This category essentially deals with checking integrity at every point, for example, before and after each step in the CI/CD pipeline. When deserializing, it is also important to always check for a specific target data type; earlier editions of the OWASP Top Ten even had their own item, "Insecure Deserialization," which has lost relevance due to partly better default settings in frameworks.

A small but fine security feature is suitable for many web applications that use JavaScript, especially if this code comes from a Content Delivery Network (CDN) (which is not optimal regarding a Content Security Policy, see item 5). Modern browsers support Sub-Resource Integrity (SRI), which essentially refers to the integrity attribute for <script> and <link> tags. It contains the hash value of the expected JavaScript or CSS resource (Figure 2 shows an example from the Bootstrap documentation). If, for example, a CDN is breached and JavaScript files are compromised with malware, the hash changes, and the browser refuses to execute the code.

Continuing with "Logging and Alerting Failures" at number 9, as it was four years ago (with slightly different naming – "Monitoring" instead of "Alerting"). This also sounds like a no-brainer: of course, logging is done. However, it's similar to the statement "I have a backup," where without a restore attempt, there's no certainty whether the backup was successful. Analogously, logging alone is insufficient. The logs must also be checked. In case of errors or anomalies, an alerting plan or escalation chain is required. And of course, in 2025, classics like "application is down, logs have filled the hard drive" still occur. With consistent monitoring, this would have been noticed earlier.

The tenth entry on the 2025 OWASP list is a newcomer, the result of the separate survey (see section "Development Process of the OWASP Top Ten"): "Mishandling of Exceptional Conditions." This, therefore, concerns insufficient exception handling. An overlap with other categories is obvious. OWASP, for example, mentions the display of detailed error messages as a possible attack scenario. This is correct, but theoretically also fits into item 2, "Security Misconfiguration." Other risks (examples given are transactions not correctly rolled back in case of errors or resources not released, which are partly already mitigated by the respective systems and frameworks (transactions in databases, garbage collector). This does not mean that the risk is impractical, but perhaps other points would have deserved the "bonus spot" in the Top Ten, such as unlimited resource consumption or AI risks.