BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.

OWASP Top 10 2025

The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications.

Version: 2025 2021
10 Categories
221 Mapped CWEs
#1 🔓

Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of data. Now includes SSRF.

35 CWEs 57 rules 13 critical
#2 ⚙️

Security Misconfiguration

The application might be vulnerable if it is missing appropriate security hardening or has improperly configured permissions on cloud services.

20 CWEs 18 rules
#3 📦

Software Supply Chain Failures

Expanded from 'Vulnerable and Outdated Components' to address broader supply chain risks including unknown vulnerabilities introduced by third-parties, compromised packages, and build system attacks.

9 CWEs 9 rules
#4 🔐

Cryptographic Failures

Failures related to cryptography which often lead to sensitive data exposure. This includes using weak algorithms, improper key management, and missing encryption.

31 CWEs 35 rules 8 critical
#5 💉

Injection

Injection flaws occur when an application sends hostile data to an interpreter. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

33 CWEs 49 rules 16 critical
#6 📐

Insecure Design

Insecure design is a broad category representing different weaknesses, expressed as missing or ineffective control design. This is distinct from implementation flaws.

40 CWEs 18 rules 1 critical
#7 🔑

Authentication Failures

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks.

21 CWEs 26 rules 2 critical
#8

Data Integrity Failures

Data integrity failures relate to code and infrastructure that does not protect against integrity violations, including insecure deserialization and unsigned updates.

10 CWEs 11 rules 3 critical
#9 📊

Security Logging and Alerting Failures

This category helps detect, escalate, and respond to active breaches. Without logging and alerting, breaches cannot be detected in time to respond.

5 CWEs 10 rules
#10 ⚠️

Mishandling of Exceptional Conditions

A new category containing 24 CWEs focusing on improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions that systems may encounter.

24 CWEs 15 rules 1 critical

Scan for OWASP Top 10 Vulnerabilities

Shoulder detects patterns across multiple OWASP categories. Run a scan to find issues in your codebase.

npx @shoulderdev/cli trust . Ecosystem Intelligence →