Web Security

OWASP Top 10 for engineers.

The OWASP Top 10 is the most cited list in application security. Most engineers can name a few categories; few can describe how attackers actually exploit each one in 2025. This is the practical walkthrough.


A01: Broken Access Control.

Number one for a reason. In 2024 we reported broken access control on over 70% of web app engagements. The classics still dominate: IDOR (changing a numeric ID to access another user’s data), missing function-level authorization (admin endpoints reachable as a normal user), JWT manipulation (claim tampering, algorithm confusion), and CORS misconfiguration exposing authenticated endpoints to malicious origins. Test every endpoint with every role — not just “does it 200 OK,” but “does it return data it shouldn’t.”

A02: Cryptographic Failures.

Formerly “Sensitive Data Exposure.” In practice this category is dominated by: weak TLS configurations (TLS 1.0/1.1 still alive on internal services), passwords stored with fast hashes (MD5, SHA-1, even raw SHA-256), JWT signed with HS256 using a known secret, and PII transmitted in URL query strings (logged everywhere).

A03: Injection.

SQL injection still pays the bills for many attackers — not because it’s common in greenfield apps, but because it lives forever in legacy reporting modules and admin tooling. NoSQL injection (MongoDB, Elasticsearch operators), command injection in CLI wrappers, and template injection in server-side renderers round out the category. Parameterized queries are not enough on their own; secure your ORM’s raw query API.

A04: Insecure Design.

The newest category, and the hardest to test for. Insecure design covers business-logic flaws that no scanner finds: race conditions in payment workflows, multi-step process abuse, mass assignment in JSON updates, and trust-boundary violations between microservices. Threat modelling at design time is the only durable defence.

A05: Security Misconfiguration.

Default credentials on management interfaces, verbose error messages leaking stack traces, S3 buckets with public-read enabled, missing security headers, debug endpoints in production. Automatable to a point — nuclei and CIS-aligned scanners cover the easy wins, but the high-impact misconfigurations always require manual review.

A06: Vulnerable & Outdated Components.

The supply-chain category. Pin your dependencies, scan continuously (Trivy, Snyk, Dependabot), and have a process to actually act on findings. The 2024 XZ Utils backdoor demonstrated that even “up-to-date” can include malicious code. SBOM generation and signature verification are no longer optional.

A07: Identification & Authentication Failures.

Account enumeration, predictable password reset tokens, MFA bypass via downgrade or token replay, session fixation in stateful APIs, and credential stuffing without rate limiting. WebAuthn / passkeys are the long-term answer; in the meantime, deploy CAPTCHA + adaptive MFA + IP / device intelligence.

A08: Software & Data Integrity Failures.

Insecure deserialization (Java readObject, Python pickle, PHP unserialize) is the marquee bug. Beyond that: unsigned auto-update channels, CI/CD pipelines that pull untrusted dependencies at build time, and admin pages that import config from URLs. Treat your build pipeline as production.

A09: Security Logging & Monitoring Failures.

If your SIEM doesn’t see authentication events, authorization decisions, and sensitive data access, you have a logging failure. Verify that your logs are tamper-evident, retained per regulatory minimums, and that someone is actually paged on alert. We measure this directly in red team engagements.

A10: Server-Side Request Forgery (SSRF).

SSRF reached the Top 10 in 2021 thanks to cloud metadata abuse. The classic pattern: an image-upload feature accepts a URL, the server fetches it, and an attacker swaps the URL for http://169.254.169.254/latest/meta-data/iam/security-credentials/ to harvest IAM credentials. Defence requires both allowlist-only outbound DNS and IMDSv2 enforcement on AWS.
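As an added example (not the article's own code), the pre-fetch check an image-upload feature could run on a user-supplied URL before the server requests it: scheme restriction, a host allowlist applied to the parsed host, and a check that every resolved address is publicly routable. The allowlist, hostnames and DNS answers are constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed allowlist: the only hosts the image fetcher may contact.
ALLOWED_HOSTS = {"images.example.com", "mirror.example.org"}

# Constructed DNS answers so the example runs offline; a real fetcher would
# call socket.getaddrinfo() here. mirror.example.org is allowlisted, but one
# of its records points at the metadata service (rebinding or hijacked zone).
FAKE_DNS = {
    "images.example.com": ["8.8.8.8"],
    "mirror.example.org": ["1.1.1.1", "169.254.169.254"],
}

def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])

def check_fetch_url(url, resolver=fake_resolve):
    """Return (ok, reason); ok is True only when every check passes."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # userinfo and port stripped, lowercased
    if host is None:
        return False, "no host"
    # Match the parsed host, never the raw string: a prefix check on the
    # string would accept http://images.example.com@169.254.169.254/
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    # Check every resolved address, not just the first: anything that is not
    # globally routable (link-local, loopback, RFC 1918, ULA) is rejected.
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"resolves to non-public address {addr}"
    # The fetch itself must connect to a checked address and must not follow
    # redirects blindly; re-run this check on every redirect target.
    return True, "ok"

if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://images.example.com@169.254.169.254/",
              "https://mirror.example.org/logo.png"):
        print(u, "->", check_fetch_url(u))
```

This covers the application side only; on AWS the IMDSv2 requirement mentioned above is set on the instance and still belongs alongside it.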

Putting it into practice.

The Top 10 is a vocabulary, not a checklist. A real penetration test goes deeper than category coverage — chaining low-severity findings into critical exploits, testing every role against every endpoint, and validating business-logic invariants. Pair the Top 10 with OWASP ASVS Level 2 for requirements, OWASP WSTG for test cases, and an annual manual web application penetration test for assurance.
