
OWASP Top 10 2025: The Updated List Explained (A01-A10)

The OWASP Top 10 is the industry's reference list of the most critical web application security risks. Here is the 2025 edition, category by category, with one mitigation each.


Key takeaway

The OWASP Top 10 2025 is the updated consensus list of the most critical web application security risks, spanning A01 Broken Access Control through A10. It reflects current attack patterns, including a sharper focus on misconfiguration, software supply chain and mishandled exceptions, and it remains the baseline scope for any serious web application penetration test.

What the OWASP Top 10 2025 is, and what changed

The OWASP Top 10 is a community-driven awareness document that ranks the most critical security risks to web applications. Maintained by the Open Worldwide Application Security Project, it is refreshed roughly every three to four years from contributed application-testing data and a practitioner survey, so each edition reflects how attackers are actually behaving rather than abstract theory.

The 2025 edition keeps Broken Access Control at the top and continues to treat whole categories of weakness, not single bugs. The headline shifts are a sharper emphasis on insecure configuration across cloud and CI/CD, the elevation of software supply chain risk beyond just vulnerable components, and explicit attention to mishandled errors and exceptions that quietly leak data or fail open.

Because so many frameworks and regulators reference it, the Top 10 has become a de-facto baseline. India's CERT-In audit expectations, RBI and SEBI security requirements, the EU's NIS2 and DORA, and US enterprise security questionnaires all assume your applications have been tested against these categories. Treat the list as the minimum scope, not the finish line.

A01: Broken Access Control

Access control enforces what an authenticated user is allowed to do. It is broken when a user can act outside their intended permissions, viewing other customers' records by changing an ID in the URL, escalating to an admin role, or reaching APIs that should be off-limits. It has remained the most common and most damaging category across recent editions.

Mitigation: deny by default and enforce authorisation server-side on every request, checking ownership of the specific object being accessed rather than trusting client-supplied identifiers or hidden fields.
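The following is an added illustration of that mitigation, not code from the article or from IntelligenceX. It models a small invoice API in Python with a deny-by-default policy table; the users, invoices and action names are constructed for the example. The point it makes is that ownership is checked against the record the server loaded, never against an identifier the client sent, and that a missing record and a denied record get the same answer.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: float


class Forbidden(Exception):
    """Raised for every denied request, including lookups of objects that do not exist."""


# Constructed sample records standing in for a database (not from the article).
USERS = {u.name: u for u in (User("alice", "customer"),
                             User("bob", "customer"),
                             User("carol", "admin"))}
INVOICES = {i.invoice_id: i for i in (Invoice(101, "alice", 120.0),
                                      Invoice(102, "bob", 80.5))}

# Policy table: a (role, action) pair must be listed to be allowed; anything absent is
# denied. Each predicate sees the actor and the *server-loaded* resource, so ownership
# is checked against the record's real owner, never against an id or hidden field
# supplied by the client.
POLICY = {
    ("customer", "invoice:read"): lambda user, inv: inv.owner == user.name,
    ("admin", "invoice:read"): lambda user, inv: True,
    ("admin", "invoice:void"): lambda user, inv: True,
}


def authorize(user, action, resource):
    """Deny by default: raise unless an explicit rule exists and holds for this object."""
    rule = POLICY.get((user.role, action))
    if rule is None or not rule(user, resource):
        raise Forbidden(f"{user.name} may not {action} invoice {resource.invoice_id}")


def _load(session_user, requested_id):
    """Identity comes from the session, the object id from the URL; both are resolved
    server-side before any decision is made."""
    user = USERS.get(session_user)
    invoice = INVOICES.get(requested_id)
    if user is None or invoice is None:
        # Same response as a denial so valid ids cannot be enumerated.
        raise Forbidden("not found or not permitted")
    return user, invoice


def get_invoice(session_user, requested_id):
    """Handler for GET /invoices/<id>; the check runs on every request, not once at login."""
    user, invoice = _load(session_user, requested_id)
    authorize(user, "invoice:read", invoice)
    return {"id": invoice.invoice_id, "total": invoice.total}


def void_invoice(session_user, requested_id):
    """Handler for POST /invoices/<id>/void; an admin-only action."""
    user, invoice = _load(session_user, requested_id)
    authorize(user, "invoice:void", invoice)
    return {"id": invoice.invoice_id, "voided": True}


def is_denied(handler, session_user, requested_id):
    """True if the handler refuses the request; convenient for tests and audit scripts."""
    try:
        handler(session_user, requested_id)
    except Forbidden:
        return True
    return False
```

Changing the id in the URL from 101 to 102 while logged in as alice is refused because the predicate compares against the stored owner; a customer calling the void action is refused because no (customer, invoice:void) rule exists at all.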

A02: Security Misconfiguration

Misconfiguration covers insecure default settings, unnecessary features left enabled, verbose error pages, missing security headers, open cloud storage, and unpatched or over-permissioned services. The 2025 edition gives it greater prominence because cloud, container and CI/CD sprawl multiply the number of places a single weak setting can expose data.

Mitigation: build hardened, repeatable configuration baselines as code, remove unused components and default accounts, and continuously scan running environments so drift is caught rather than discovered by an attacker.
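As an added example (not the article's or IntelligenceX's code), here is a baseline-as-code drift check in Python. The setting names, the baseline values and the snapshot of a "running" environment are all constructed for illustration and do not correspond to any particular product; the idea is that the hardened baseline lives in version control and the running configuration is compared against it continuously, so a debug flag or a public bucket is reported as drift rather than found by an attacker.

```python
# Hardened baseline, kept as code so it is versioned, reviewed and reapplied on every
# deploy. A value is the exact setting required, a callable that judges the running
# value, or a nested dict. Names are illustrative, not tied to a specific product.
BASELINE = {
    "debug": False,
    "default_admin_account_enabled": False,
    "directory_listing": False,
    "tls_min_version": lambda v: v in ("1.2", "1.3"),
    "storage_bucket_public": False,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": lambda v: isinstance(v, str) and "default-src" in v,
    },
}

# Components that must not be present in a production build at all.
FORBIDDEN_COMPONENTS = {"sample-app", "admin-console", "debug-toolbar"}


def check_drift(running, baseline=BASELINE, path=""):
    """Return (setting, expected, actual) triples for every deviation from the baseline."""
    findings = []
    for key, expected in baseline.items():
        here = f"{path}.{key}" if path else key
        if key not in running:
            findings.append((here, "present", None))
        elif isinstance(expected, dict):
            findings.extend(check_drift(running[key] or {}, expected, here))
        elif callable(expected):
            if not expected(running[key]):
                findings.append((here, "policy", running[key]))
        elif running[key] != expected:
            findings.append((here, expected, running[key]))
    if not path:  # only at the top level: unused components that should be removed
        for comp in sorted(set(running.get("components", [])) & FORBIDDEN_COMPONENTS):
            findings.append((f"components.{comp}", "absent", "installed"))
    return findings


# Constructed snapshot of a running environment that has drifted (not real data).
RUNNING = {
    "debug": True,
    "default_admin_account_enabled": False,
    "directory_listing": False,
    "tls_min_version": "1.0",
    "storage_bucket_public": True,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
    "components": ["api", "debug-toolbar"],
}


def drift_report(running=RUNNING):
    """Sorted names of drifted settings; an empty list means the environment matches."""
    return sorted(name for name, _, _ in check_drift(running))
```

Run against the constructed snapshot the report names five deviations: the debug flag, the TLS floor, the public bucket, the missing Content-Security-Policy header and the debug toolbar that should have been removed. A CI job or a scheduled scanner would fail the build or page on a non-empty list.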

A03: Software Supply Chain Failures

This category broadens the older 'vulnerable and outdated components' risk into the full software supply chain: third-party libraries, base images, build tooling, package registries and the pipelines that assemble them. A compromised dependency or build step can ship malicious code into your application before it ever reaches production.

Mitigation: maintain a software bill of materials, pin and verify dependencies, and secure the build pipeline itself, so that only reviewed, integrity-checked artefacts can be promoted to release.
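To make "pin and verify" concrete, here is an added Python example (not from the article or IntelligenceX) of a build step that refuses any dependency that is not pinned, whose version differs from the pin, or whose bytes do not match the digest recorded at review time, and that emits a minimal bill of materials from the same lockfile. The package names and artifact contents are constructed; the lockfile layout and the SBOM layout are simple JSON of our own, not a CycloneDX or SPDX document.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(reviewed):
    """Pin each dependency at review time: name -> {version, sha256 of the exact bytes}.

    `reviewed` maps name -> (version, artifact_bytes) for artifacts a human has approved.
    """
    return {name: {"version": version, "sha256": sha256_hex(data)}
            for name, (version, data) in reviewed.items()}


def verify_artifact(lockfile, name, version, data):
    """Accept an artifact only if it is pinned and both version and digest match."""
    entry = lockfile.get(name)
    if entry is None:
        raise ValueError(f"{name}: not in lockfile; unpinned dependencies are refused")
    if entry["version"] != version:
        raise ValueError(f"{name}: version {version} is not the pinned {entry['version']}")
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        raise ValueError(f"{name}: digest mismatch, artifact differs from the reviewed one")
    return True


def install_all(lockfile, fetched):
    """Verify every fetched artifact before any is used. `fetched` maps
    name -> (version, bytes) as returned by the registry at build time."""
    for name in sorted(lockfile):
        if name not in fetched:
            raise ValueError(f"{name}: pinned but not fetched")
    for name, (version, data) in sorted(fetched.items()):
        verify_artifact(lockfile, name, version, data)
    return sorted(fetched)


def sbom(lockfile, app_name, app_version):
    """Minimal bill of materials as JSON (a constructed layout, not CycloneDX or SPDX)."""
    return json.dumps({
        "application": {"name": app_name, "version": app_version},
        "components": [{"name": n, **lockfile[n]} for n in sorted(lockfile)],
    }, sort_keys=True, indent=2)


# Constructed artifacts standing in for packages downloaded from a registry.
REVIEWED = {
    "fastjson-lite": ("2.1.0", b"def parse(s): return s\n"),
    "tinylog": ("0.9.4", b"def log(m): print(m)\n"),
}
LOCKFILE = build_lockfile(REVIEWED)


def try_install(fetched):
    """Return (ok, message) so a pipeline step can fail loudly without a traceback."""
    try:
        return True, ", ".join(install_all(LOCKFILE, fetched))
    except ValueError as exc:
        return False, str(exc)
```

The lockfile is produced once, when the dependencies are reviewed, and committed; every later build fetches fresh bytes and must reproduce the same digests. A registry that serves different bytes under the same version, a silent version bump, or a dependency that appeared without review all stop the build.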

A04: Cryptographic Failures

Cryptographic failures occur when sensitive data (passwords, payment details, health records, and personal data subject to the GDPR or India's DPDP Act) is not properly protected in transit or at rest. Typical causes are missing encryption, weak or deprecated algorithms, hardcoded keys, and poor key management.

Mitigation: classify your data, enforce strong transport encryption everywhere, encrypt sensitive data at rest with current algorithms, and manage keys in a dedicated secrets or key-management service rather than in code or configuration files.

A05: Injection

Injection happens when untrusted input is interpreted as a command or query, allowing an attacker to alter program logic. SQL injection, NoSQL injection, OS command injection and cross-site scripting all sit here: the application mixes data and instructions instead of keeping them separate.

Mitigation: use parameterised queries and safe APIs that bind input as data, validate input against strict allow-lists, and context-encode output so user-supplied content can never be executed.
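The added Python example below (not from the article or IntelligenceX) puts a deliberately vulnerable lookup next to its parameterised replacement so the difference is visible on the same input, and adds the two other controls the mitigation names: an allow-list check on the input and HTML encoding on the output. The table, rows and usernames are constructed.

```python
import html
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def setup_db():
    """In-memory table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """BAD: input is spliced into the query text, so data can become part of the instruction."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver binds the value as data, never as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def find_user_hardened(conn, username):
    """Allow-list validation in front of the parameterised query: defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has an unexpected form")
    return find_user_safe(conn, username)


def render_greeting(display_name):
    """Context-encode for an HTML body so user content is displayed, not executed."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def compare_on_sample(payload):
    """Row counts returned by each lookup for the same input, for side-by-side review."""
    conn = setup_db()
    try:
        hardened = len(find_user_hardened(conn, payload))
    except ValueError:
        hardened = "rejected"
    return {"vulnerable": len(find_user_vulnerable(conn, payload)),
            "safe": len(find_user_safe(conn, payload)),
            "hardened": hardened}
```

With an ordinary username all three lookups return one row. With the classic tautology input the vulnerable version returns every row because the quote closes the literal and the rest is parsed as SQL, the parameterised version returns nothing because the whole string is compared as a value, and the hardened version rejects it before a query is built. `render_greeting` shows the same separation on output: the angle brackets reach the browser as entities, not as markup.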

A06: Insecure Design

Insecure design is a flaw in the architecture itself, not in the implementation. Even perfectly written code cannot fix a missing security control that was never designed in, such as the absence of rate limiting on a money-transfer flow or a password-reset process that can be abused to take over accounts.

Mitigation: apply threat modelling early, define security and abuse-case requirements alongside functional ones, and use secure design patterns so the right controls are present by design rather than bolted on later.

A07: Authentication Failures

Authentication failures let attackers compromise identities through weak credential handling: permitting weak or breached passwords, missing brute-force protection, predictable or poorly invalidated session tokens, and absent multi-factor authentication. The result is account takeover and credential-stuffing at scale.

Mitigation: enforce multi-factor authentication, check passwords against known-breached lists, rate-limit and monitor authentication endpoints, and generate, rotate and invalidate session tokens securely on the server.
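The following added Python example (not the article's or IntelligenceX's code) ties the A07 mitigations together with the rate-limiting control that A06 calls for on a money-transfer flow, since both need the same limiter: a breach-list check, salted scrypt password hashing with a constant-time comparison, an RFC 6238 TOTP second factor, a sliding-window limiter keyed by action and principal, and a server-side session store with random tokens, expiry and explicit invalidation. The breached-password set, the user record and the addresses are constructed; the scrypt parameters are reasonable defaults, not a recommendation for any particular deployment.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict, deque

SCRYPT = dict(n=2 ** 14, r=8, p=1)  # about 16 MiB per hash; tune for your hardware

# Constructed stand-in for a breached-password corpus, stored as SHA-1 like common feeds.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                 for p in ("password", "123456", "qwerty", "letmein")}


def is_breached(password):
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def hash_password(password, salt=None):
    """Salted scrypt; the stored value is salt || digest. Breached passwords are refused."""
    if is_breached(password):
        raise ValueError("password appears in a breach corpus; choose another")
    salt = salt or os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(stored, password):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1), the usual second factor."""
    counter = (int(unix_time) // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RateLimiter:
    """Sliding-window limiter keyed by (action, principal). One object protects both
    login attempts (A07) and the money-transfer flow (A06)."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.events = defaultdict(deque)

    def allow(self, action, key, now):
        q = self.events[(action, key)]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Sessions:
    """Server-side session store: random tokens, fixed lifetime, explicit invalidation."""

    def __init__(self, ttl_seconds=900):
        self.ttl, self.live = ttl_seconds, {}

    def issue(self, username, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.live[token] = (username, now + self.ttl)
        return token

    def user_for(self, token, now):
        entry = self.live.get(token)
        if entry is None or entry[1] <= now:
            self.live.pop(token, None)
            return None
        return entry[0]

    def invalidate(self, token):
        self.live.pop(token, None)


def login(store, limiter, sessions, username, password, otp, now, source_ip):
    """Return a session token on success, None otherwise. The limiter is consulted per
    source address and per account before any credential is examined."""
    if not limiter.allow("login", source_ip, now) or not limiter.allow("login", username, now):
        return None
    record = store.get(username)
    if record is None or not verify_password(record["pw"], password):
        return None
    if not hmac.compare_digest(totp(record["totp_secret"], now), otp):
        return None
    return sessions.issue(username, now)
```

Time is passed in explicitly so the limiter and session expiry can be tested deterministically; in a real service `now` would come from the clock. The same `RateLimiter` instance can be asked `allow("transfer", account_id, now)` before a transfer is executed, which is the missing control the A06 section describes.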

A08: Software and Data Integrity Failures

Integrity failures arise when code or critical data is trusted without verifying it has not been tampered with: unsigned auto-updates, insecure deserialisation of untrusted objects, or CI/CD steps that pull artefacts without integrity checks. An attacker who can substitute a trusted source gains control of the application.

Mitigation: verify the integrity and provenance of code, updates and data using digital signatures, and never deserialise untrusted input without strict type controls and validation.
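Here is an added Python example (not from the article or IntelligenceX) of an update client that checks a signature over the raw manifest bytes before interpreting them, then deserialises into a fixed shape with an exact key set and a per-field pattern, and finally ties the downloaded payload to the digest the signed manifest names. One assumption to flag: a real publisher would use an asymmetric signature such as Ed25519 verified with a public key; HMAC-SHA256 with a shared key stands in here only so the example runs on the standard library, and the shape of the check is otherwise the same. The key, manifest and payload are constructed.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass

# Stand-in for the publisher's signing key. In production this is an asymmetric key pair
# and the client holds only the public half; this constructed HMAC key is for the demo.
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"

HEX64 = re.compile(r"[0-9a-f]{64}")
URL = re.compile(r"https://[a-z0-9.-]+/[^\s]+")
VERSION = re.compile(r"\d+\.\d+\.\d+")


@dataclass(frozen=True)
class UpdateManifest:
    version: str
    url: str
    sha256: str


def digest_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: UpdateManifest, key: bytes = PUBLISHER_KEY):
    """Publisher side: serialise canonically and sign exactly those bytes."""
    raw = json.dumps(manifest.__dict__, sort_keys=True, separators=(",", ":")).encode()
    return raw, hmac.new(key, raw, hashlib.sha256).hexdigest()


def verify_and_parse(raw: bytes, signature: str, key: bytes = PUBLISHER_KEY) -> UpdateManifest:
    """Client side: verify the signature over the raw bytes *before* interpreting them,
    then deserialise into a fixed shape: exact key set, string fields, strict patterns.
    Contrast with a generic object deserialiser (pickle and friends), which would let
    the document choose what type gets constructed."""
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch: update rejected")
    obj = json.loads(raw)
    if not isinstance(obj, dict) or set(obj) != {"version", "url", "sha256"}:
        raise ValueError("manifest has unexpected keys")
    checks = {"version": VERSION, "url": URL, "sha256": HEX64}
    for field, pattern in checks.items():
        value = obj[field]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"manifest field {field!r} is malformed")
    return UpdateManifest(**obj)


def apply_update(raw, signature, payload):
    """Return (accepted, reason). Nothing from the payload is used unless the manifest
    verifies and the payload's digest is the one the signed manifest names."""
    try:
        manifest = verify_and_parse(raw, signature)
    except ValueError as exc:
        return False, str(exc)
    if not hmac.compare_digest(digest_hex(payload), manifest.sha256):
        return False, "payload digest does not match signed manifest"
    return True, f"update {manifest.version} accepted"
```

The ordering matters: signature first, parsing second, payload last. A manifest whose bytes were altered after signing fails at step one; a correctly signed manifest that points at a plain-http URL or carries an extra field fails at step two; a substituted download fails at step three. None of them reach code that would act on the update.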

A09: Logging and Alerting Failures

This category covers insufficient logging, monitoring and alerting, which is why so many breaches go undetected for months. If authentication failures, access-control violations and high-value transactions are not logged, and alerts are not raised, an in-progress attack is invisible to defenders.

Mitigation: log security-relevant events with enough context to investigate, centralise and protect those logs, and wire them to real-time alerting and an incident-response process, an obligation reinforced by CERT-In's 180-day in-India log retention requirement.
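As an added illustration (not the article's or IntelligenceX's code), the Python below emits the three kinds of events the section names as structured JSON lines with investigative context, then runs three simple detection rules over a constructed sample: repeated login failures from one source, repeated access-control denials for one user, and a transfer over a threshold. The log lines, addresses (RFC 5737 documentation ranges), usernames and thresholds are all constructed for the example.

```python
import json
from collections import defaultdict


def security_event(ts, event, outcome, **context):
    """One JSON line per security-relevant event, carrying the context an investigator needs."""
    return json.dumps({"ts": ts, "event": event, "outcome": outcome, **context}, sort_keys=True)


# Constructed sample log (epoch seconds, documentation addresses), not real traffic.
SAMPLE_LOG = [
    security_event(1000, "auth.login", "failure", user="alice", src_ip="203.0.113.5", reason="bad_password"),
    security_event(1003, "auth.login", "failure", user="bob", src_ip="203.0.113.5", reason="bad_password"),
    security_event(1005, "auth.login", "failure", user="carol", src_ip="203.0.113.5", reason="bad_password"),
    security_event(1008, "auth.login", "failure", user="dave", src_ip="203.0.113.5", reason="bad_password"),
    security_event(1011, "auth.login", "failure", user="erin", src_ip="203.0.113.5", reason="bad_password"),
    security_event(1020, "auth.login", "success", user="alice", src_ip="198.51.100.7"),
    security_event(1025, "authz.denied", "failure", user="alice", src_ip="198.51.100.7", object="invoice:102"),
    security_event(1026, "authz.denied", "failure", user="alice", src_ip="198.51.100.7", object="invoice:103"),
    security_event(1027, "authz.denied", "failure", user="alice", src_ip="198.51.100.7", object="invoice:104"),
    security_event(1040, "payment.transfer", "success", user="alice", src_ip="198.51.100.7",
                   amount=25000, currency="GBP"),
]


def burst(events, threshold, window):
    """True if any `threshold` events fall within `window` seconds of each other."""
    ts = sorted(e["ts"] for e in events)
    return any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1))


def detect(lines, login_threshold=5, login_window=60, denied_threshold=3, denied_window=120,
           transfer_alert_amount=10000):
    """Three rules over structured events; each alert carries the evidence behind it."""
    failures = defaultdict(list)
    denials = defaultdict(list)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "auth.login" and ev["outcome"] == "failure":
            failures[ev["src_ip"]].append(ev)
        elif ev["event"] == "authz.denied":
            denials[ev["user"]].append(ev)
        elif ev["event"] == "payment.transfer" and ev.get("amount", 0) >= transfer_alert_amount:
            alerts.append({"rule": "high_value_transfer", "user": ev["user"], "amount": ev["amount"]})
    for ip, evs in failures.items():
        if burst(evs, login_threshold, login_window):
            alerts.append({"rule": "credential_stuffing", "src_ip": ip,
                           "distinct_users": len({e["user"] for e in evs})})
    for user, evs in denials.items():
        if burst(evs, denied_threshold, denied_window):
            alerts.append({"rule": "object_enumeration", "user": user,
                           "objects": [e["object"] for e in evs]})
    return alerts
```

The rules are deliberately simple; the lesson is that none of them can fire unless the events exist with a timestamp, a principal, a source and an outcome. Shipping those lines to a central, append-only store, retained for the period your regulator expects, is what makes the same logic usable after the fact by an incident responder.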

A10: Mishandling of Exceptional Conditions

The 2025 edition draws explicit attention to how applications handle errors and exceptional conditions. Poor error handling can leak stack traces, internal paths and configuration details to attackers, or cause logic to fail open, granting access when a check errors instead of denying it. Both turn an edge case into a security event.

Mitigation: fail securely and closed, return generic error messages to users while logging full detail server-side, and test exceptional and unexpected inputs deliberately rather than only the happy path.
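To show what "fail closed" looks like in code, here is an added Python example (not from the article or IntelligenceX). A fail-open entitlement check sits beside its fail-closed counterpart, and an HTTP-style handler returns a generic message with a correlation id while the full exception goes to the server log. The entitlement data, the backend that times out for one user id, and the brittle rendering step are constructed to exercise the exceptional paths.

```python
import logging
import uuid

log = logging.getLogger("app")

# Constructed entitlement data and a backend that fails for one user id (not real data).
ENTITLEMENTS = {"alice": {"export"}, "bob": set()}


def lookup_entitlements(user_id):
    if user_id == "u-timeout":
        raise TimeoutError("entitlement service did not answer")
    return ENTITLEMENTS.get(user_id, set())


def is_allowed_fail_open(user_id, feature):
    """BAD: the flag starts in the permissive state, so an exception in the lookup
    leaves it there and the caller is granted access."""
    denied = False
    try:
        denied = feature not in lookup_entitlements(user_id)
    except Exception as exc:
        log.warning("entitlement check failed for %s: %s", user_id, exc)
    return not denied


def is_allowed_fail_closed(user_id, feature):
    """Fail closed: an error during the check is a denial, and the detail is logged."""
    try:
        return feature in lookup_entitlements(user_id)
    except Exception:
        log.exception("entitlement check failed for %s; denying", user_id)
        return False


def render_export(feature, fmt):
    # Deliberately brittle stand-in for business logic: a non-string format raises
    # AttributeError, the kind of unexpected input this section says to test for.
    return {"feature": feature, "format": fmt.lower(), "rows": 42}


def handle_export(user_id, feature, fmt="csv"):
    """HTTP-style handler returning (status, body). The client sees a generic message
    and a correlation id; the stack trace is written only to the server log."""
    try:
        if not is_allowed_fail_closed(user_id, feature):
            return 403, {"error": "forbidden"}
        return 200, render_export(feature, fmt)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s user=%s", ref, user_id)
        return 500, {"error": "internal error", "ref": ref}
```

For the user whose entitlement lookup times out, the fail-open version answers True and the fail-closed version answers False; the handler turns that into a 403. An unexpected input in the rendering step becomes a 500 whose body contains only a generic message and a reference the support team can match to the server-side log entry, so no stack trace, path or configuration detail leaves the server.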

How IntelligenceX helps

The OWASP Top 10 2025 is a map of where to look, but coverage only counts if your applications are actually tested against it. IntelligenceX assesses each category through manual-led services aligned to OWASP and provides developer-ready remediation, an approach that suits buyers across the UK, USA, EU and India.

Our Web Application Penetration Testing exercises every Top 10 category against your live application, from broken access control and injection to logging and exception-handling failures, with proof-of-concept evidence and a free remediation retest. Our Secure Code Review examines the source itself to catch cryptographic, injection and integrity flaws that black-box testing can miss. Our Threat Modeling addresses A06 Insecure Design head-on, surfacing missing controls before they are ever written into code.

For India-regulated organisations, this testing maps cleanly onto DPDP Act security-safeguard duties and CERT-In, RBI, SEBI and IRDAI expectations. To be clear on scope: IntelligenceX advises, assesses and prepares, and is not currently CERT-In empanelled; we do not issue certificates or sign regulator audits ourselves. Talk to our team to scope an assessment for your applications.

Frequently asked questions

What is the OWASP Top 10 2025?

It is the updated edition of OWASP's consensus list of the ten most critical web application security risks, from A01 Broken Access Control through A10. Built from real application-testing data and a practitioner survey, it is widely used as the baseline scope for web application penetration testing.

What changed in the OWASP Top 10 2025 compared with previous editions?

Broken Access Control remains number one, while the 2025 edition gives more weight to security misconfiguration, broadens vulnerable components into full software supply chain failures, and adds explicit focus on mishandling exceptional conditions where poor error handling leaks data or fails open.

Is the OWASP Top 10 2025 a compliance standard?

Not on its own. It is an awareness document, but many frameworks and regulators reference it, including CERT-In audit expectations, RBI and SEBI requirements in India, and EU regimes such as NIS2 and DORA, so testing against it supports those obligations.

How do I test my application against the OWASP Top 10 2025?

Combine automated scanning for breadth with manual penetration testing for depth, since access-control, design and business-logic flaws need a skilled tester. A secure code review and threat modelling exercise complement the test by catching issues in source and architecture.
