
Exploring OWASP Top 10

Nguyen Hoang Thanh Phong
Senior Information Assurance student at FPT University. Focused on Web vulnerability exploitation, AWS Security Architecture, and building automated penetration tooling
Web Security Iaw301 - This article is part of a series.
Part 1: This Article

Objective

The objective of this lab is to explore the dynamics of the OWASP (Open Web Application Security Project) Top 10 list. We aim to understand how it has evolved over the years, why certain vulnerabilities move up in rank, and its real-world implications. Additionally, we will examine regional and industry-specific variations in the prevalence of these vulnerabilities and identify effective strategies for addressing them.


Question & Answer

1. How has the OWASP Top 10 evolved in recent years, and what are the key differences between the latest version and its predecessors?

  • The current release of the list is OWASP Top 10 2025.
  • The evolution from the 2021 to the 2025 version marks a major shift from individual software vulnerabilities to ecosystem-wide risks, with a particular focus on the software supply chain and how systems handle exceptional conditions.
  • SSRF Consolidation: Server-Side Request Forgery, previously ranked 10th in 2021, is now officially merged into Broken Access Control (A01:2025). This expanded definition further solidifies access control as the top risk.
  • Rise of Security Misconfiguration: Security Misconfiguration (A02:2025) has climbed to the #2 spot (from #5 in 2021). This is directly driven by the increasing complexity of modern software, which heavily relies on cloud environment configurations and automated architectures.
  • New Categories:
    • Supply Chain: Software Supply Chain Failures (A03:2025) is a major addition that addresses vulnerabilities outside of custom-written source code. It covers compromises in third-party dependencies, build systems, CI/CD pipelines, and distribution infrastructure.
    • Exceptions: Mishandling of Exceptional Conditions (A10:2025) focuses on risks arising from poor exception handling. This can lead to sensitive information leakage via detailed error messages, unpredictable system crashes, or the creation of logical vulnerabilities for exploitation.
  • Decline of Traditional Risks: Cryptographic Failures dropped to the #4 position (A04:2025). Injection dropped to #5 (A05:2025) because modern web frameworks and ORMs escape and parameterize data by default. Insecure Design fell to #6 (A06:2025), reflecting a clear improvement in the community’s awareness of threat modeling and secure architectural design.

2. What common factors cause vulnerabilities to rise in the OWASP Top 10 rankings? Are there specific trends or technologies driving these changes?

  • Changes in the OWASP Top 10 rankings result from a combination of statistical data gathered from real-world security testing and profound shifts in software architecture.
  • Methodological Factors: The more frequently a vulnerability appears in actual security assessment reports, the higher its ranking. Grouping specific vulnerabilities into broader categories lets those categories accumulate far more supporting data and therefore rank higher. Furthermore, OWASP uses expert survey data to include emerging, highly destructive systemic risks that may not yet be heavily represented in CVE databases.
  • Cloud Architecture and IaC: The growing complexity of Infrastructure as Code and cloud environments has led to an explosion of errors in permission settings, open network ports, and default configurations, pushing Security Misconfiguration (A02:2025) to the #2 position.
  • Dependency on Third-Party Ecosystems: The pressure for rapid deployment (Agile/DevSecOps) makes modern software heavily reliant on open-source libraries and CI/CD pipelines. Attackers now directly target these weak links instead of the main application, driving the surge of Software Supply Chain Failures (A03:2025).
  • API-First and Microservices: Distributing business logic across numerous microservices and APIs makes maintaining a consistent authorization mechanism extremely difficult. Dense internal network traffic turns SSRF into a dangerous weapon for data extraction, cementing the dominance of Broken Access Control (A01:2025).
  • Complex Distributed Systems: Modern systems must process massive amounts of data and logic. When an unexpected condition is handled poorly in code, the system can easily crash or leak internal state, directly fueling the rise of Mishandling of Exceptional Conditions (A10:2025).
  • Modern Web Frameworks: Frameworks like React, Vue, Angular, and ORM tools automatically escape data by default. This eliminates most traditional XSS or SQLi errors, causing the Injection category to drop and giving way to system logic risks.

3. Can you provide real-world examples of data breaches or security incidents caused by OWASP Top 10 vulnerabilities? What were the consequences, and how could they have been prevented?

  • TalkTalk Attack (2015): The vulnerability was A05:2025 – Injection. Hackers injected malicious SQL code through an application endpoint to directly access the database. This resulted in the theft of personal data and bank details of 156,000 customers, a £400,000 fine, and an estimated £42 million in damages. To prevent this, all database access must use Parameterized Queries (Prepared Statements), and input strings must never be concatenated into SQL text.
  • Equifax Data Breach (2017): The vulnerability was A03:2025 – Software Supply Chain Failures. The company failed to apply an available patch for an Apache Struts vulnerability (CVE-2017-5638). This exposed the data of 147 million users, caused billions of dollars in financial damages, and forced the CEO to resign. Mitigation involves building automated patch management processes and integrating Software Composition Analysis (SCA) tools into the CI/CD pipeline.
  • First American Financial Data Leak (2019): The vulnerability was A01:2025 – Broken Access Control. The system used sequential integers as record identifiers in URLs without checking authorization. Attackers simply changed this ID to view other people’s data. This exposed 885 million sensitive financial documents and resulted in a fine from the SEC. Prevention requires implementing Object-Level Authorization and replacing integers with unpredictable identifiers like UUIDs.
  • Capital One Attack (2019): The vulnerability was a combination of A02:2025 – Security Misconfiguration and A01:2025 – Broken Access Control (SSRF). A misconfigured WAF allowed hackers to exploit SSRF to reach the AWS Metadata service and extract the server’s IAM credentials. This exposed the credit card profiles of 106 million customers and resulted in an $80 million fine for Capital One. Prevention involves applying the principle of least privilege to IAM Roles in the cloud, mandating the use of AWS IMDSv2, and strictly restricting egress traffic.
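Both the First American and Capital One cases above come down to a missing access-control check on the server side. The block below is an added example, not code from the original article: it shows an object-level authorization check on an opaque record identifier, and a default-deny validator for user-supplied URLs that refuses to fetch loopback, private, link-local (where the cloud metadata service lives) or unresolvable destinations. The record identifiers, owner ids, hostnames and IP addresses are constructed, and the DNS lookup is a stand-in table so the code runs offline.

```python
"""Added example (not from the original article): two defensive checks for the
A01:2025 cases above. The identifiers, owners and IP addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


# --- Object-level authorization (First American case: IDOR on a sequential ID) ---

@dataclass(frozen=True)
class Document:
    doc_id: str    # opaque UUID string, not a guessable sequential integer
    owner_id: str
    body: str


class Forbidden(Exception):
    """Caller is authenticated but does not own the requested record."""


class NotFound(Exception):
    """No record with that identifier."""


# Constructed sample records; a real service would read these from its datastore.
DOC_A_ID = "5d4b1c8e-7a0f-4e7a-9c1a-2f3e6b8d9a01"
DOC_B_ID = "0c2f9e6a-3b8d-4f1e-8a7c-1d5e2b9f6c02"
DOCUMENTS = {
    DOC_A_ID: Document(DOC_A_ID, "user-a", "escrow statement for user-a"),
    DOC_B_ID: Document(DOC_B_ID, "user-b", "escrow statement for user-b"),
}


def get_document(current_user_id: str, doc_id: str) -> Document:
    """Look the record up by its opaque id, then verify the caller owns it.

    The ownership check is what was missing in the First American case: a valid
    session was enough to read any record whose id could be guessed.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    if doc.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read {doc_id}")
    return doc


# --- Outbound URL validation (Capital One case: SSRF to the cloud metadata service) ---

ALLOWED_SCHEMES = {"http", "https"}


def resolve_constructed(host: str) -> list[str]:
    """Stand-in for DNS resolution (socket.getaddrinfo in production) so the
    example runs offline. Table entries are constructed."""
    table = {
        "partner.example.com": ["11.22.33.44"],    # constructed public address
        "localhost": ["127.0.0.1"],
        "metadata.internal": ["169.254.169.254"],  # link-local metadata endpoint
    }
    return table.get(host, [])


def is_safe_outbound_url(url: str, resolve=resolve_constructed) -> bool:
    """Default-deny check for a user-supplied URL the server is asked to fetch.

    Rejects non-HTTP schemes, URLs carrying userinfo, unresolvable hosts, and
    any destination that is not a globally routable address. `is_global` is
    False for loopback, RFC 1918, link-local (where cloud metadata services
    live) and reserved ranges, so the path to instance credentials is closed.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addresses = [ipaddress.ip_address(parts.hostname)]
    except ValueError:  # not an IP literal, so resolve the name
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except ValueError:
            return False
    if not addresses:
        return False
    return all(addr.is_global for addr in addresses)
```

In production the fetch should connect to the address that was validated (resolve once, then use that address) and follow no redirects, otherwise a second lookup or a redirect can land on a different host than the one checked. This check complements, rather than replaces, the IMDSv2 requirement and the egress restrictions mentioned above.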

4. Are there regional or industry-specific differences in the prevalence of vulnerabilities within the OWASP Top 10 list? How do these differences impact security strategies and practices?

  • The prevalence of vulnerabilities in the OWASP Top 10 list varies significantly depending on industry characteristics and geographical regions.
  • Banking and Finance: The severity of A01:2025 (Broken Access Control) and A04:2025 (Cryptographic Failures) is consistently at the highest level. Attackers primarily target privilege escalation to manipulate transactions or decrypt card data.
  • Healthcare: Medical systems frequently use legacy software versions, making A02:2025 (Security Misconfiguration) and A01:2025 (Broken Access Control) critical weaknesses that lead to medical record leaks.
  • E-commerce and Retail: This sector frequently encounters A03:2025 (Software Supply Chain Failures) and A05:2025 (Injection). The industry utilizes numerous plugins, third-party payment gateways, and continuous data entry forms, creating a massive attack surface.
  • Europe and North America: Governed by strict regulatory frameworks (GDPR, CCPA), which makes basic data-exposure failures less common. However, as early adopters of Cloud-Native technologies, this region has a high rate of complex system vulnerabilities like A02:2025 (Security Misconfiguration) in AWS/Azure and A10:2025 (Mishandling of Exceptional Conditions).
  • Asia-Pacific (APAC) and Developing Countries: Extremely fast digital transformation combined with a shortage of DevSecOps personnel results in high rates of misconfigurations and classic vulnerabilities like Injection.
  • Impact on Strategy:
    • Domain-Specific Threat Modeling: These variations force organizations to abandon a “one-size-fits-all” approach and transition to a risk management mindset. Organizations must assess the value their application provides and identify potential threat actors. For example, a bank will focus on testing authorization logic, while an outsourced software company will focus on resolving CI/CD pipeline risks.
    • Resource Optimization: Enterprises do not apply the OWASP Top 10 mechanically; they use industry data to prioritize automated test cases or hire Pentesters to target vulnerability groups that pose the highest business risk to their organization.

5. What are the most effective strategies and best practices for developers and organizations to proactively address and mitigate the vulnerabilities outlined in the OWASP Top 10?

  • To address OWASP Top 10 risks, organizations and developers cannot rely solely on finding and patching bugs at the final stage. Instead, a systematic approach is needed, combining workplace culture, automated processes, and secure coding principles.
  • Organizational Strategy:
    • Shift-Left Security: Do not wait until the software is complete to pentest; integrate security checks into every phase of the SDLC from the initial planning and architectural design stages.
    • Threat Modeling: Before writing code, system architects and developers must collaborate and ask how the system could be attacked. This helps eliminate insecure design risks at the blueprint stage.
    • Shared Security Culture: Conduct regular secure coding training sessions for developers rather than delegating everything to the security team. Developers must understand how vulnerabilities like SSRF or Injection work to proactively prevent them while coding.
  • Developer Best Practices:
    • Zero Trust Input: Strictly validate all data from users, APIs, or external systems. Always use Prepared Statements or secure ORMs for databases to completely prevent SQL Injection, and absolutely avoid string concatenation to construct SQL queries.
    • Least Privilege: Grant only the specific, minimum privileges necessary for a user, service, or container to perform its specific task. Every API endpoint must verify if the currently authenticated user is authorized to access that specific data record (Object-Level Authorization) to block Broken Access Control and IDOR risks.
    • Supply Chain Management: Use SCA tools to scan open-source libraries for early vulnerability detection. Pin library versions and only update from reputable sources after verifying digital signatures.
    • Graceful Exception Handling: Catch all exceptions but never return detailed error messages (stack trace, database name, buggy line of code) to the end-user. External messages should only display generic information.
  • Automated Scanning Tools in CI/CD: Implement SAST (Static Application Security Testing) to scan static source code upon commit for issues like hardcoded passwords, missing encryption, or injection-prone syntax. Use DAST (Dynamic Application Security Testing) to simulate attacks on the running application in staging environments to find configuration or access control flaws. Utilize IaC Scanning to inspect Terraform, Kubernetes, and Docker configuration files prior to deployment to avoid opening dangerous ports or granting overly broad IAM permissions in the Cloud.
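The "Zero Trust Input" and "Graceful Exception Handling" practices above, applied to the kind of lookup behind the TalkTalk case, as an added example that is not part of the original article. It places a concatenated query beside its parameterized form and wraps the lookup in a handler that logs the full error server-side under a correlation id while returning only a generic message to the client. The in-memory SQLite database and its two user rows are constructed for the example.

```python
"""Added example (not from the original article): the 'Zero Trust Input' and
'Graceful Exception Handling' practices in code. Uses an in-memory SQLite
database with constructed rows."""
import logging
import sqlite3
import uuid

log = logging.getLogger("app")


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """String concatenation: the caller's input becomes part of the SQL text.
    Even a legitimate value containing a quote breaks the statement, which is
    the same property an injection relies on."""
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Parameterized query: the statement is fixed and the driver passes the
    value separately, so quotes in the input are just data."""
    return conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, email: str, lookup=find_user_safe):
    """Request handler returning (status, body).

    Any failure is logged server-side with a correlation id; the client gets a
    generic message plus that id so support can find the full trace without
    the response revealing SQL text, table names or stack frames.
    """
    try:
        rows = lookup(conn, email)
    except Exception:
        ref = uuid.uuid4().hex
        log.exception("user lookup failed ref=%s", ref)  # full detail stays in the log
        return 500, {"error": "Internal server error", "ref": ref}
    # Return only the fields the client needs; the role column stays server-side.
    return 200, {"users": [{"id": row[0], "email": row[1]} for row in rows]}


if __name__ == "__main__":
    db = build_sample_db()
    print(handle_request(db, "bob@example.com"))
    print(handle_request(db, "o'brien@example.com", lookup=find_user_unsafe))
```

The `lookup` parameter exists only so the unsafe variant can be run through the same handler for comparison; a real service would keep only `find_user_safe`. The value `o'brien@example.com` is an ordinary address, yet it is enough to break the concatenated statement, which is the clearest sign that input has become part of the query grammar.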