Introduction
The OWASP Web Application Security Top 10 is a list everyone knows, but not everyone truly reads. Yet, it is probably the most important free document available on web application security. The first update since 2021 was released at the end of 2025. We summarize what has changed and what that means for web security work.
OWASP stands for the Open Worldwide Application Security Project, a non-profit organization that has been publishing freely accessible resources related to application security since 2001.
The Top 10 is its most famous publication. Important: There are several lists—for APIs, mobile apps, LLM security, or ML. This article deals exclusively with the Web Application Security Top 10.
Rank 1 on these lists does not mean “most frequently occurring.” Instead, factors such as frequency, exploitability, and potential impact are combined. The list is also not a checklist to be ticked off, but rather should be understood as an overview of the most relevant risks for web applications today.
2021 vs. 2025: A Direct Comparison
| Rank | 2021 | 2025 |
|---|---|---|
| 1 | Broken Access Control | Broken Access Control |
| 2 | Cryptographic Failures | Security Misconfiguration ⬆ |
| 3 | Injection | Software Supply Chain Failures ✦ |
| 4 | Insecure Design | Cryptographic Failures ⬇ |
| 5 | Security Misconfiguration | Injection ⬇ |
| 6 | Vulnerable & Outdated Components | Insecure Design ⬇ |
| 7 | Authentication Failures | Authentication Failures |
| 8 | Software & Data Integrity Failures | Software & Data Integrity Failures |
| 9 | Security Logging & Monitoring Failures | Security Logging & Monitoring Failures |
| 10 | Server-Side Request Forgery | Mishandling of Exceptional Conditions ✦ |
✦ = new ⬆ = moved up ⬇ = moved down
What’s new?
A03 – Software Supply Chain Failures
This category grows out of the former “A06 Vulnerable & Outdated Components” and also absorbs part of A08 (Software & Data Integrity Failures). The scope is no longer just patching known CVEs in dependencies; the whole chain that produces the application now counts: npm packages, Python libraries, build tools, and CI/CD pipelines.
The 2020 SolarWinds attack demonstrated what is possible when attackers target the path to the application rather than the application itself. What is now expected: Software Bills of Materials (SBOMs), automated dependency checks, and clear rules on who is authorized to make changes to the build process.
A10 – Mishandling of Exceptional Conditions
Brand new, but what’s behind it? What happens if an external service doesn’t respond? If a database query produces a timeout? If the API sends back an empty response?
In such situations, many web applications leak internal error messages, crash in a way that attackers can exploit, or exhibit undefined behavior. This used to be more of a quality issue. With today’s reliance on microservices and external APIs, it is a security issue.
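The three failure modes described above (leaked internals, exploitable crash, undefined behaviour) and a fail-closed alternative, as an added example that is not part of the article or the OWASP document. The upstream client, the hostname in the error text and the `status` field are constructed for the example.

```python
import json
import logging
import uuid
from dataclasses import dataclass

log = logging.getLogger("orders")

class UpstreamError(Exception):
    """Raised by the simulated upstream client on a timeout or transport failure."""

@dataclass
class Response:
    status: int
    body: dict

def fetch_upstream(order_id, condition):
    """Stand-in for an HTTP client call (constructed for this example, not a real client);
    'condition' selects the simulated network situation."""
    if condition == "timeout":
        raise UpstreamError("connect to inventory-db.internal:5432 timed out after 30s")
    if condition == "empty":
        return ""            # HTTP 200 with an empty body
    if condition == "malformed":
        return "{not json"   # truncated or non-JSON body
    return json.dumps({"order_id": order_id, "status": "shipped"})

def handler_vulnerable(order_id, condition):
    """Typical A10 mishandling: leaks internals, fails open, or crashes."""
    try:
        raw = fetch_upstream(order_id, condition)
    except UpstreamError as exc:
        return Response(500, {"error": str(exc)})  # internal host:port sent to the client
    data = json.loads(raw) if raw else {}          # empty body silently becomes {} ...
    # ... and a missing status defaults to success, so the empty reply "fails open".
    # A malformed body is never caught: json.loads raises and the request crashes.
    return Response(200, {"status": data.get("status", "shipped")})

def handler_hardened(order_id, condition):
    """Fail closed: validate the upstream reply, log details internally, and send the
    client only a generic message plus a correlation id for support lookups."""
    ref = str(uuid.uuid4())
    try:
        data = json.loads(fetch_upstream(order_id, condition))
        if not isinstance(data, dict) or "status" not in data:
            raise ValueError("upstream reply missing required field 'status'")
    except (UpstreamError, ValueError) as exc:   # JSONDecodeError is a ValueError
        log.error("order %s ref=%s upstream failure: %s", order_id, ref, exc)
        return Response(503, {"error": "service temporarily unavailable", "ref": ref})
    return Response(200, {"status": data["status"]})
```

The hardened handler treats every unexpected condition the same way: the detail goes to the log under a correlation id, the client sees only a 503 and that id.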
What has disappeared?
Server-Side Request Forgery (SSRF) still had its own spot at A10 in 2021. SSRF hasn’t disappeared—but it has been integrated into Broken Access Control (A01).
What does this mean in practice?
Broken Access Control remains at number 1; that hasn’t changed since 2021. Most critical findings in web pentests relate to access controls that are either missing or inadequately implemented—for example, enforced only on the client side.
However, the trend described by the 2025 list is different: away from individual bugs and toward systemic risk. Supply chain, configuration, error handling—these are not vulnerabilities that you close with a single patch. These are structural issues that must be addressed throughout the entire development process.
by Lucas Noki