OWASP Top 10:2025

In web development, access controls ensure that users do not act beyond their assigned permissions. Flaws in access control allow attackers to access resources for which they have no authorization. This can lead to uncontrolled data leakage, data manipulation, or complete system takeover. In 2025, the previously separate category of Server-Side Request Forgery (SSRF) was integrated here.

Typical examples:

• Direct access to third-party user data via URL manipulation

• Missing authorization checks in APIs

• Use of SSRF to query internal network resources

Security misconfigurations are the risk category that has risen the most in the 2025 list: from 5th place to 2nd place. This category includes errors in the configuration of security measures, such as missing or inadequate system hardening, incorrect access rights in cloud configurations, the use of default passwords, or unnecessary port openings. According to OWASP, approximately 3% of all tested applications are affected by this risk category.

Typical examples:

• Leaving unused features enabled

• Applying default configurations without modification

• Missing security updates or patches

This new category replaces and expands upon the previous “Vulnerable and Outdated Components” category from 2021. It covers the entire software ecosystem – from third-party libraries to build systems and CI/CD pipelines. When applications rely on plugins, libraries, or modules from untrusted sources, significant risks arise.

Typical examples:

• Compromised open-source packages (e.g., npm, PyPI)

• Malicious code injected into CI/CD pipelines

• Automatic updates without integrity checks

Cryptographic errors occur when sensitive data is transmitted or stored with insufficient encryption or no encryption at all. Passwords, credit card numbers, health data, personal information, and trade secrets require particularly high levels of cryptographic protection – especially when the information is protected by regulations such as the GDPR or PCI DSS.

Typical examples:

• Outdated encryption algorithms (e.g., MD5, SHA-1)

• Transmission of sensitive data without TLS encryption

• Weak or hard-coded keys

In injection attacks, attackers inject malicious code into an application, where it is executed as a command. The most well-known variants are SQL injection and cross-site scripting (XSS). All data stored within the application, as well as connected networks and services, are potentially at risk. The Myra WAF (Web Application Firewall) detects and blocks such injection attempts in real time.

Typical examples:

• SQL injection (database manipulation)

• XSS – Cross-Site Scripting (malicious code in the user’s browser)

• Command injection (executing operating system commands)

Insecure design refers to fundamental architectural and design flaws that arise as early as the planning phase. Insecure design is not tied to the implementation process, as even a perfect implementation cannot fix design flaws. This category emphasizes the need for threat modeling and secure-by-design principles.

Typical examples:

• Password reset function without rate limiting – unlimited input attempts are possible

• Display of error messages containing sensitive information

• Lack of role separation in the data model: User data is directly accessible via predictable URLs

Authentication failures allow attackers to take over other users' accounts and identities. The category previously known as “Identification and Authentication Failures” was renamed in 2025 to better reflect the 36 relevant CWEs.

Typical examples:

• Missing or weak multi-factor authentication (MFA)

• Use of hard-coded passwords or credentials

• Inadequate protection against brute force, credential stuffing, and credential cracking

This category covers vulnerabilities in software updates, critical data, and CI/CD pipelines whose integrity is not verified. This may allow attackers to inject malicious code and compromise systems. The risks are similar to those in category A03:2025 – Software Supply Chain Failures, but at a lower level.

Typical examples:

• Applications use plugins, libraries, or modules from untrusted sources

• Automatic updates without signature verification

• Insecure deserialization: untrusted objects are processed without validation, enabling remote code execution

Formerly known as “Insufficient Logging and Monitoring,” this category was renamed in 2025 to emphasize the importance of alerting for relevant log events. With logging alone and no alerting, active attacks remain undetected and can persist for weeks or months before being noticed.

Typical examples:

• Errors generate no or insufficient log entries

• Log integrity is not sufficiently protected against tampering

• Thresholds for alerts are incorrectly configured

This category, newly introduced in 2025, addresses improper error handling as a standalone security risk. If applications cannot prevent, detect, and respond correctly to exceptional situations, this may lead to crashes, unexpected behavior, or security vulnerabilities.

Typical examples:

• Application crashes upon unexpected input (e.g., null values, unusual character encodings)

• API responses contain SQL queries, internal IP addresses, or filenames in the event of an error

• Deliberately induced error states overload the application (DoS) due to missing timeouts or fallbacks