The Open Web Application Security Project (OWASP) provides a top ten list of security risks in web applications, and the 2025 candidate list is now available. I previously wrote about the OWASP Top Ten back in 2022 with reference to the 2021 list, so how does the 2025 OWASP Top Ten compare?
| Position | OWASP 2021 | OWASP 2025 |
|---|---|---|
| 01 | A01 Broken Access Control | A01 Broken Access Control |
| 02 | A02 Cryptographic Failures | A02 Security Misconfiguration |
| 03 | A03 Injection | A03 Software Supply Chain Failures |
| 04 | A04 Insecure Design | A04 Cryptographic Failures |
| 05 | A05 Security Misconfiguration | A05 Injection |
| 06 | A06 Vulnerable and Outdated Components | A06 Insecure Design |
| 07 | A07 Identification and Authentication Failures | A07 Authentication Failures |
| 08 | A08 Software and Data Integrity Failures | A08 Software or Data Integrity Failures |
| 09 | A09 Security Logging and Monitoring Failures | A09 Logging and Alerting Failures |
| 10 | A10 Server Side Request Forgery (SSRF) | A10 Mishandling of Exceptional Conditions |
Which OWASP Top Ten?
With the new candidate list out it may take some time for resources on the web to catch up. If a resource is referencing AXX:2021 (replacing XX with numbers 01-10) then it is the OWASP Top Ten 2021. If it’s AXX:2025 (replacing XX with numbers 01-10) then it is the OWASP Top Ten 2025. However, if resources don’t use the AXX:YEAR format then look at the naming, for example logging failures were “Security Logging and Monitoring Failures” in 2021 and are “Logging & Alerting Failures” in 2025.
The Climbers
A02:2025 Security Misconfiguration, previously A05:2021 Security Misconfiguration, has climbed 3 places from #5 to #2.
A03:2025 Software Supply Chain Failures expands A06:2021 Vulnerable and Outdated Components, and has climbed 3 places from #6 to #3.
The Fallers
A04:2025 Cryptographic Failures, previously A02:2021 Cryptographic Failures, has fallen two places from #2 to #4.
A05:2025 Injection, previously A03:2021 Injection, has fallen two places from #3 to #5.
A06:2025 Insecure Design, previously A04:2021 Insecure Design, has fallen two places from #4 to #6.
Where has Server-Side Request Forgery (SSRF) gone?
Server-Side Request Forgery (SSRF), previously A10:2021 in the 2021 list, has been merged into Broken Access Control, A01:2025 in the 2025 list.
What is the new category?
With SSRF merging into Broken Access Control, a new category has entered the list. A10:2025 Mishandling of Exceptional Conditions has entered the 2025 list at #10. What is Mishandling of Exceptional Conditions? Examples include improper error handling, failing open (treating an error as success), and logical errors.
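The "failing open" case is the easiest to show in code. The following is an added example written for this post (not code from OWASP or from this page): a permission check whose backend is unavailable, handled first in the fail-open way and then in the fail-closed way. The backend, user names and document names are constructed for the illustration.

```python
"""Fail-open vs fail-closed handling of an exceptional condition (A10:2025).

Constructed example: a request handler asks a permissions backend whether a
user may read a document. When the backend raises, the fail-open version
grants access; the fail-closed version denies it and records the failure so
the outage is visible to operators rather than silently turning into access.
"""
import logging

log = logging.getLogger("authz")


class BackendUnavailable(Exception):
    """Raised by the (simulated) permissions backend when it cannot answer."""


def make_backend(grants, *, available=True):
    """Return a lookup function over a constructed grant table.

    `grants` maps (user, doc) -> bool. If `available` is False the backend
    raises BackendUnavailable on every call, simulating an outage.
    """
    def lookup(user, doc):
        if not available:
            raise BackendUnavailable("permissions service timed out")
        return grants.get((user, doc), False)
    return lookup


def can_read_fail_open(lookup, user, doc):
    """Vulnerable: any backend error is treated as 'no restriction applies'."""
    try:
        return lookup(user, doc)
    except Exception:
        return True  # fails open: an outage authorises everyone


def can_read_fail_closed(lookup, user, doc):
    """Hardened: an unanswerable check is a denial, and the error is surfaced."""
    try:
        return lookup(user, doc)
    except BackendUnavailable as exc:
        log.error("authz check failed for %s on %s: %s", user, doc, exc)
        return False


if __name__ == "__main__":
    grants = {("alice", "doc-1"): True}   # constructed grant table
    healthy = make_backend(grants)
    down = make_backend(grants, available=False)
    print("healthy, alice:", can_read_fail_open(healthy, "alice", "doc-1"))
    print("outage, bob (fail-open):", can_read_fail_open(down, "bob", "doc-1"))
    print("outage, bob (fail-closed):", can_read_fail_closed(down, "bob", "doc-1"))
```

The logged error in the fail-closed path is what A09:2025 Logging and Alerting Failures expects to exist: the denial alone would not tell an operator that the permissions service is down.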
How To Test Web Application Security
Tooling such as the Zed Attack Proxy (ZAP), previously known as OWASP ZAP, can be used to scan web applications for security vulnerabilities. The OWASP Project also has a testing guide.
More Details
The OWASP site is the go-to for details on the Top 10 2025, and for previous lists. The 2025 list is the 8th release; the lists are not released yearly.
