Web application security

The OWASP Top 10 is updated approximately every three to four years based on analysis of real vulnerability data from hundreds of organisations. The 2025 edition, released in November 2025, retains Broken Access Control at A01 and elevates Software Supply Chain Failures to A03 - reflecting the SolarWinds, MOVEit, and xz-utils incidents. Injection dropped from A03 to A05 as parameterised queries and ORMs became more widely adopted. Two entirely new categories were added. The ten categories are:

• A01:2025 Broken Access Control - privilege abuse, BOLA, missing deny-by-default
• A02:2025 Security Misconfiguration - default credentials, verbose errors, cloud misconfiguration (up from A05:2021)
• A03:2025 Software Supply Chain Failures - compromised dependencies, unsigned updates, insecure CI/CD (new name, elevated from A08:2021)
• A04:2025 Cryptographic Failures - weak encryption, data exposure (moved from A02:2021)
• A05:2025 Injection - SQL, LDAP, command injection (dropped from A03:2021)
• A06:2025 Insecure Design - missing threat modelling, insecure architecture
• A07:2025 Authentication Failures - weak passwords, missing MFA (renamed from "Identification and Authentication Failures")
• A08:2025 Software or Data Integrity Failures - unsigned updates, insecure deserialization
• A09:2025 Security Logging and Alerting Failures - missing audit trails (renamed: "Monitoring" → "Alerting")
• A10:2025 Mishandling of Exceptional Conditions - error handling failures, uncaught exceptions (entirely new)

Note: SSRF, which was A10:2021, is now addressed under A02 (Security Misconfiguration) and A06 (Insecure Design) in the 2025 edition.

Broken Access Control covers any scenario where a user can act outside their intended permissions, including vertical escalation (accessing admin functions) and horizontal escalation (accessing another user's data). OWASP reports 94% of tested applications had some form of broken access control.

The most reliable mitigation pattern is deny-by-default: all access is denied unless a positive authorisation decision exists for the combination of principal, resource, and action. Access control must be enforced server-side on every request. Client-side controls such as hidden fields, disabled buttons, and JavaScript checks are trivially bypassed.

A04:2025 Cryptographic Failures (formerly A02:2021 "Sensitive Data Exposure") covers: data transmitted in cleartext over HTTP, passwords hashed with MD5 or SHA-1 (both unsuitable due to speed; use bcrypt, Argon2, or PBKDF2), symmetric encryption using ECB mode (reveals plaintext patterns), and hard-coded cryptographic keys in source code. In June 2021, the RockYou2021 compilation of approximately 8.4 billion credential pairs revealed how widespread unsalted MD5 password storage was: MD5 can be computed at billions of hashes per second on consumer GPU hardware.

A05:2025 Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The vulnerable pattern: concatenating user input into a SQL string. The correct pattern: a parameterised query that binds user input as data. If the input admin' -- is supplied to a concatenated query, it becomes a SQL comment that removes the password check. In a parameterised query, the same input is treated as a literal string and returns no results. LDAP injection, command injection, and template injection follow the same pattern: parameterise or use a safe API that separates code from data.

XSS attacks inject malicious scripts into web pages viewed by other users. Three variants exist:

• Stored XSS: malicious script is persisted in the server's data store and served to all users who view the affected content. Highest impact because it affects every visitor without requiring a crafted link.
• Reflected XSS: malicious script is embedded in a URL parameter and reflected in the server's response. Requires the victim to click a crafted link. Search result pages that echo back the query term without escaping are a common vector.
• DOM-based XSS: the attack occurs entirely in the browser. Client-side JavaScript reads from a source (such as location.hash) and writes to a sink (such as innerHTML) without sanitisation. DOM-based XSS bypasses server-side encoding mitigations entirely.

Mitigation strategy: (1) output encoding using context-aware libraries such as OWASP Java Encoder or DOMPurify; (2) Content Security Policy header restricting script execution to approved sources; (3) HttpOnly cookies preventing JavaScript from reading session tokens even if a script executes.

Server-Side Request Forgery (SSRF) causes the server to make HTTP requests to an arbitrary destination, typically an internal network address or cloud metadata service, that the attacker cannot reach directly. In cloud environments, AWS, Azure, and GCP all expose an Instance Metadata Service at 169.254.169.254. A successful SSRF against an EC2 instance can retrieve the IAM role credentials attached to that instance.

In July 2019, Paige Thompson exploited SSRF via a misconfigured AWS WAF protecting a Capital One EC2 instance. The server-side request reached the IMDS endpoint and retrieved IAM role credentials, enabling download of over 106 million customer records from S3 buckets. Capital One was fined $80 million by the OCC in 2020. Mitigations: validate and allowlist outbound request targets; block requests to private IP ranges (RFC 1918) and link-local addresses (169.254.0.0/16); use AWS IMDSv2 which requires a PUT request before metadata can be read.

Security response headers that every application must include: Content-Security-Policy (restricts script origins, mitigates XSS), Strict-Transport-Security (forces HTTPS, prevents SSL stripping), X-Frame-Options: DENY (blocks clickjacking), X-Content-Type-Options: nosniff (prevents MIME-type attacks), Referrer-Policy: strict-origin, and Permissions-Policy (restricts browser API access). These headers must be applied to every origin, not just login pages.