# OWASP Top 10 2025

The OWASP Top 10 is a standard awareness document for web application security.

Available versions: 2025, 2021

## Coverage

- Total rules: 0
- Critical rules: 0
- CWEs covered: 0

## Categories

### 1. Broken Access Control (A01:2025)

Access control enforces policy so that users cannot act outside their intended permissions. Failures typically lead to unauthorized disclosure, modification, or destruction of data. In the 2025 edition this category also absorbs Server-Side Request Forgery (SSRF).

- CWEs: 35
- Detection rules: 57
- Critical rules: 13

### 2. Security Misconfiguration (A02:2025)

The application is likely vulnerable if it lacks appropriate security hardening or has improperly configured permissions on cloud services.

- CWEs: 20
- Detection rules: 18

### 3. Software Supply Chain Failures (A03:2025)

Expanded from "Vulnerable and Outdated Components" to cover broader supply chain risk: unknown vulnerabilities introduced by third parties, compromised packages, and attacks on the build system.

- CWEs: 9
- Detection rules: 9

### 4. Cryptographic Failures (A04:2025)

Failures related to cryptography, which often lead to sensitive data exposure. This includes weak algorithms, improper key management, and missing encryption.

- CWEs: 31
- Detection rules: 35
- Critical rules: 8

### 5. Injection (A05:2025)

Injection flaws occur when an application sends untrusted data to an interpreter as part of a command or query. This includes SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection.

- CWEs: 33
- Detection rules: 49
- Critical rules: 16

### 6. Insecure Design (A06:2025)

Insecure design is a broad category covering weaknesses that stem from missing or ineffective control design. It is distinct from implementation flaws: a secure design can still have implementation defects, and an insecure design cannot be fixed by a correct implementation.

- CWEs: 40
- Detection rules: 18
- Critical rules: 1

### 7. Authentication Failures (A07:2025)

Confirming the user's identity (authentication) and managing the resulting session correctly is critical to protect against authentication-related attacks such as credential stuffing and session fixation.

- CWEs: 21
- Detection rules: 26
- Critical rules: 2

### 8. Software or Data Integrity Failures (A08:2025)

Integrity failures relate to code and infrastructure that do not protect against integrity violations, including insecure deserialization and unsigned or unverified updates.

- CWEs: 10
- Detection rules: 11
- Critical rules: 3

### 9. Security Logging and Alerting Failures (A09:2025)

This category covers the ability to detect, escalate, and respond to active breaches. Without logging and alerting, breaches cannot be detected in time to respond.

- CWEs: 5
- Detection rules: 10

### 10. Mishandling of Exceptional Conditions (A10:2025)

A new category focusing on improper error handling, logic errors, failing open, and other scenarios that stem from abnormal conditions a system may encounter.

- CWEs: 24
- Detection rules: 15
- Critical rules: 1
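The following is an added Python example for the Injection category (A05:2025) above; it is not code from the page or from OWASP. It builds a constructed in-memory SQLite table and shows the same lookup written with string formatting (injectable) and with a bound parameter (not injectable), then runs a classic `' OR '1'='1` payload against both. Table and row contents are made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the page): a two-row users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the username is pasted into the SQL text, so quote
    characters in the input change the structure of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """HARDENED: the username is passed as a bound parameter. The interpreter
    receives the query shape and the data separately, so the payload is only
    ever compared as a literal string and matches no row."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the string literal and ORs in a true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def demo():
    """Return (vulnerable_rows, safe_rows) for the injection payload."""
    conn = build_db()
    return (
        find_user_vulnerable(conn, INJECTION_PAYLOAD),
        find_user_safe(conn, INJECTION_PAYLOAD),
    )


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable:", vulnerable_rows)  # both rows leak
    print("safe:      ", safe_rows)        # no rows
```

Detection rules in this category typically flag the first shape (query text assembled from request-controlled strings) rather than the second; the fix is parameterisation at the interpreter boundary, not escaping in application code.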
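The following is an added Python example illustrating both Broken Access Control (A01:2025) and Mishandling of Exceptional Conditions (A10:2025) above; it is not code from the page or from OWASP. An object-level authorization check is written twice: a version that swallows errors from the ownership lookup and continues on the "allowed" path (failing open), and a version where deny is the default and every abnormal condition results in deny. The document store, the ownership records and the simulated backend outage are constructed for the demonstration.

```python
import logging

logger = logging.getLogger("authz-demo")

# Constructed sample data (not from the page). Ownership records and document
# bodies live in separate stores, as they often do in real systems, so the two
# can disagree.
OWNERS = {"doc-1": "alice", "doc-2": "bob"}
BODIES = {
    "doc-1": "alice's private notes",
    "doc-2": "bob's private notes",
    "doc-3": "document with no ownership record",     # inconsistent data
    "doc-4": "document behind a flaky ownership backend",
}


def lookup_owner(doc_id):
    """Ownership lookup that can fail abnormally.

    Raises KeyError for an id with no ownership record and, for 'doc-4',
    simulates a backend outage with TimeoutError (constructed failure mode).
    """
    if doc_id == "doc-4":
        raise TimeoutError("ownership service unavailable")
    return OWNERS[doc_id]


def read_document_fail_open(user, doc_id):
    """VULNERABLE: an exception raised inside the authorization check is
    logged and swallowed, and execution continues to the data fetch. The
    missing record (doc-3) and the outage (doc-4) both turn into 'allow'."""
    try:
        if lookup_owner(doc_id) != user:
            return None  # explicit deny only on a successful, mismatching lookup
    except Exception:
        logger.warning("ownership check failed for %s; continuing", doc_id)
    return BODIES.get(doc_id)


def read_document_fail_closed(user, doc_id):
    """HARDENED: deny is the default outcome. Access is granted only when the
    ownership lookup succeeds and matches; every abnormal condition is logged
    with a reason and results in deny."""
    try:
        owner = lookup_owner(doc_id)
    except KeyError:
        logger.info("deny user=%s doc=%s reason=no-owner-record", user, doc_id)
        return None
    except TimeoutError:
        logger.error("deny user=%s doc=%s reason=ownership-backend-error", user, doc_id)
        return None
    if owner != user:
        logger.info("deny user=%s doc=%s reason=not-owner", user, doc_id)
        return None
    return BODIES.get(doc_id)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    requests = [("alice", "doc-1"), ("bob", "doc-1"), ("bob", "doc-3"), ("bob", "doc-4")]
    for fn in (read_document_fail_open, read_document_fail_closed):
        print(fn.__name__)
        for user, doc in requests:
            print(f"  {user} -> {doc}: {fn(user, doc)!r}")
```

The two functions behave identically on the happy path (owner reads own document, non-owner is denied); they differ only under abnormal conditions, which is why this class of bug survives ordinary functional testing and why the A10 category exists separately from A01.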