5 February 2026 · 9 min read

The OWASP Top 10 in 2025: What Changed and Why It Matters

The OWASP Top 10 shapes how organisations prioritise application security. Understand what changed in the latest update, why the rankings shifted, and what the new entries mean for your security posture.

Tags: OWASP, web security, vulnerability ranking, application security


The OWASP Top 10 is the closest thing application security has to a canonical reference. It drives security budgets, shapes compliance frameworks, and determines what penetration testers look for first. When the rankings shift, it reflects genuine changes in how applications are built, how they're attacked, and where defences are failing. The 2025 update tells a story about the industry's blind spots — and several of them might surprise you.

Why the Rankings Matter Beyond Compliance

The OWASP Top 10 isn't just a list. It's an empirical analysis of vulnerability data contributed by security firms, bug bounty platforms, and application security teams worldwide. Each entry represents thousands of real-world findings across hundreds of thousands of applications. When a category moves up, it means that vulnerability class is appearing more frequently, being exploited more effectively, or causing greater damage than before.

Compliance frameworks — PCI DSS, SOC 2, ISO 27001 — reference the OWASP Top 10 either explicitly or implicitly. Auditors use it as a baseline. Insurance underwriters consider it when assessing cyber risk. If your application is vulnerable to a Top 10 category, it's not just a technical finding — it's a business risk that affects your compliance posture, insurance premiums, and customer trust.

Broken Access Control Holds the Top Spot

Broken Access Control has remained at the number one position since it ascended in the 2021 revision, and the 2025 data reinforces why. This category covers every failure where users can act outside their intended permissions: accessing other users' data by modifying an ID parameter, escalating from a regular user to an admin, or bypassing function-level authorisation checks.

The persistence of this category at the top reflects a structural problem. Access control logic is scattered throughout application code. Every endpoint, every API call, every data query needs its own authorisation check. Unlike injection or XSS, which can be mitigated at the framework level, access control is business logic — and there's no generic middleware that solves it. Automated scanners struggle to detect it because they can't understand the business rules that define who should access what.

Real-world impact is severe. BOLA (Broken Object-Level Authorisation) in APIs alone accounted for the majority of critical API vulnerabilities reported through bug bounty programs in 2024. A single missing check on one endpoint can expose every record in a database.
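The "modify an ID parameter" failure described above, shown beside its fix. This is an added example, not ShieldReport code or a real application; the users, invoices and roles are constructed sample records and no web framework is involved.

```python
"""Broken object-level authorisation (BOLA) beside its fix.

Added example for the access-control discussion above; the users and
invoices below are constructed sample records, not real data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: int

class Forbidden(Exception):
    """Raised when the caller may not act on the requested object or function."""

# Constructed records: invoice 2 belongs to a different account than invoice 1.
INVOICES = {
    1: Invoice(invoice_id=1, owner_id=100, amount=250),
    2: Invoice(invoice_id=2, owner_id=200, amount=9900),
}

def get_invoice_vulnerable(caller: User, invoice_id: int) -> Invoice:
    # The IDOR pattern from the article: the lookup is keyed only on the ID the
    # client supplied, so any authenticated user can read any invoice.
    return INVOICES[invoice_id]

def may_read(caller: User, invoice: Invoice) -> bool:
    # Object-level decision made against the authenticated principal, never
    # against a user ID or role taken from the request body.
    return caller.role == "admin" or invoice.owner_id == caller.user_id

def get_invoice(caller: User, invoice_id: int) -> Invoice:
    # Hardened form: fetch, then authorise the specific object before returning it.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not may_read(caller, invoice):
        # Same error for missing and foreign records, so the endpoint cannot be
        # used to enumerate which IDs exist.
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice

def delete_invoice(caller: User, invoice_id: int) -> bool:
    # Function-level check: the role test runs before any work is done.
    if caller.role != "admin":
        raise Forbidden("deleting invoices requires the admin role")
    return INVOICES.pop(invoice_id, None) is not None
```

The per-object check in `may_read` is the part no generic middleware can supply: it encodes the business rule for who owns an invoice, which is exactly what automated scanners cannot infer.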

Injection Falls but Doesn't Disappear

SQL injection held the top spot for over a decade. Its descent through the rankings isn't because it's solved — it's because modern frameworks handle parameterised queries by default. Developers using ORMs and prepared statements are protected without thinking about it. That's genuine progress.

But injection is broader than SQL. The category now encompasses OS command injection, LDAP injection, expression language injection, and NoSQL injection. As applications adopt new data stores and processing engines, new injection surfaces appear. Server-side template injection (SSTI) has become increasingly prevalent as template engines are used in more complex ways. The attack surface shifted, even if the fundamental principle — untrusted data interpreted as code — remains the same.

The lesson isn't that injection is solved. It's that the low-hanging fruit was addressed by better tooling, and what remains is harder to detect and often more dangerous.

Security Misconfiguration Continues to Rise

Security misconfiguration has expanded in both scope and ranking. This category covers default credentials, unnecessary services, overly verbose error messages, missing security headers, permissive CORS policies, and cloud infrastructure misconfigurations. It's the broadest category in the Top 10, and its rise reflects the reality of modern deployment.

Applications today are assembled from dozens of components, each with its own configuration surface. A Kubernetes cluster, a cloud storage bucket, a CDN, a serverless function, and a database — each needs correct security configuration. The default settings for most platforms prioritise ease of use over security. Teams that deploy without hardening end up with publicly readable storage, overly permissive IAM roles, verbose error pages that leak stack traces, and security headers that are simply absent.

What makes misconfiguration insidious is that everything works. The application functions correctly. Tests pass. Users don't notice. The only people who notice are attackers running automated reconnaissance across millions of domains, cataloguing which ones have their defences down.
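A small audit of the header-level misconfigurations listed above (missing security headers, permissive CORS, version disclosure), run over two constructed responses. This is an added example and not ShieldReport's scanner; `request_origin` is assumed to be the Origin header the probe sent, so a reflected value can be recognised.

```python
"""Flag header-level misconfigurations from the section above in a captured response.
Added example, not ShieldReport's scanner; both sample responses are constructed."""
import re
from typing import Dict, List

# Headers whose absence is itself a finding, with the risk each one addresses.
REQUIRED = {
    "strict-transport-security": "HSTS missing: browsers may still connect over plain HTTP",
    "content-security-policy": "CSP missing: no defence in depth against injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing is allowed",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}

def audit_headers(headers: Dict[str, str], request_origin: str) -> List[str]:
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    csp = h.get("content-security-policy", "")
    # Framing protection can come from either header; flag only when neither is set.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing protection: X-Frame-Options and frame-ancestors absent")
    # An HSTS max-age below one year leaves a window for downgrade after expiry.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < 31536000:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")
    # Permissive CORS: wildcard, or the caller's origin echoed back with credentials.
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append("CORS: Access-Control-Allow-Origin is *, any site can read responses")
    elif acao == request_origin and creds:
        findings.append("CORS: arbitrary Origin reflected with credentials allowed")
    # Version strings in Server / X-Powered-By are information disclosure.
    for name in ("server", "x-powered-by"):
        if re.search(r"\d", h.get(name, "")):
            findings.append(f"{name} header discloses a version: {h[name]}")
    return findings

# Constructed sample responses: a default deployment and a hardened one.
WEAK_RESPONSE = {
    "Server": "nginx/1.18.0",
    "Access-Control-Allow-Origin": "https://probe.example",
    "Access-Control-Allow-Credentials": "true",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

Both sample responses would serve pages that work perfectly, which is the point the section makes: only the probe notices the difference.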

Vulnerable and Outdated Components

The prominence of this category reflects the modern dependency reality. A typical web application has hundreds of direct and transitive dependencies. Each one is a potential vulnerability. When a CVE is published for a component you depend on, you're vulnerable from the moment of disclosure until the moment you update — and attackers monitor CVE feeds just like defenders do.

The challenge is scale. A single application might depend on 800 npm packages. Monitoring each one for vulnerabilities, determining which ones affect your specific usage, testing updates for compatibility, and deploying patches — this is a continuous process, not a one-time check. Organisations that fall behind on patching don't just have individual vulnerabilities; they have an accumulating backlog of known attack vectors that automated tools can exploit.

The 2025 update specifically calls out the risk of end-of-life components that no longer receive security patches at all. Libraries that are abandoned by their maintainers become permanent vulnerabilities in every application that depends on them.

Server-Side Request Forgery Gets Its Own Category

SSRF's inclusion as a standalone category — rather than being grouped under injection or misconfiguration — signals a paradigm shift. Cloud-native architectures have made SSRF far more dangerous than it was in traditional on-premise deployments. The cloud metadata service at 169.254.169.254 turns every SSRF vulnerability into a potential credential theft, and those credentials often provide broad access to cloud resources.

The data shows SSRF incidence increasing as more applications move to cloud infrastructure. Features like URL preview, webhook delivery, file import from URLs, and PDF generation create SSRF surfaces that developers often don't recognise as risky. The Capital One breach demonstrated the maximum severity of SSRF in cloud environments, and the pattern continues to appear in breach reports.
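A defensive check for the URL-fetching features named above (previews, webhooks, URL imports): resolve the target and refuse anything that lands on a non-public address, including the 169.254.169.254 metadata endpoint and its IPv4-mapped IPv6 spelling. This is an added example, not ShieldReport code; the DNS resolver is injectable and `FAKE_DNS` is a constructed hostname table so the demo runs offline, while production would pass a wrapper around `socket.getaddrinfo`.

```python
"""Reject outbound fetch targets that reach internal or cloud-metadata addresses.

Added example for the SSRF discussion above, not ShieldReport code. The resolver
is injectable so the demo runs offline against a constructed hostname table."""
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]

# Constructed DNS answers standing in for real lookups (socket.getaddrinfo in production).
FAKE_DNS = {
    "public.example": ["1.2.3.4"],              # constructed stand-in for a public host
    "metadata.internal": ["169.254.169.254"],   # alias pointing at the cloud metadata service
    "mixed.example": ["1.2.3.4", "10.0.0.5"],   # one public and one private answer
}

def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])

def address_is_public(raw: str) -> bool:
    """True only for globally routable unicast addresses; unwraps IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(raw)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as 169.254.169.254
    return ip.is_global and not ip.is_multicast

def validate_fetch_url(url: str, resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL about to be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        addresses = list(resolve(host))
        if not addresses:
            return False, f"{host} did not resolve"
    # Every answer must be public: a mix of public and private records is rejected,
    # since the HTTP client may connect to any one of them.
    for addr in addresses:
        if not address_is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

This check only vets the address at validation time; to hold against DNS rebinding, the HTTP client must connect to the address that was vetted (sending the original hostname in the Host header) rather than resolving the name a second time, and redirects must be re-validated hop by hop.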

What the Rankings Tell You About Your Own Risk

The OWASP Top 10 is most useful not as a checklist but as a prioritisation guide. If you're allocating limited security resources, the rankings tell you where to focus first. Broken access control affects more applications than any other category. Security misconfiguration is the most broadly applicable because it spans every layer of your stack. Vulnerable components accumulate risk silently over time.

But the rankings also reveal what automated tools can and cannot find. Scanners excel at detecting misconfiguration, missing headers, outdated components, and injection. They struggle with broken access control, which requires understanding business logic. A comprehensive security strategy uses automated scanning for what it's good at and reserves manual testing for the logic-dependent categories.

ShieldReport scans your domain against the configuration and infrastructure categories in the OWASP Top 10 — security misconfiguration, missing headers, TLS weaknesses, and information disclosure — giving you an automated baseline so you can focus manual effort where it matters most.
