Test your site against
the OWASP Top 10

A01:2025

Broken Access Control

When users can do things they're not supposed to. IDOR, privilege escalation, path traversal, CORS issues. SSRF got merged in here for 2025.

→

A02:2025

Security Misconfiguration

Default passwords left in prod, open S3 buckets, stack traces in error pages, unnecessary services running. Still the most common finding out there.

→

A03:2025 new

Software Supply Chain Failures

Poisoned npm packages, compromised build pipelines, typosquatting. After SolarWinds and the xz backdoor, OWASP gave this its own category.

→

A04:2025

Cryptographic Failures

Passwords stored in plaintext, data sent over HTTP, MD5 still in use somewhere. Anything where sensitive data isn't properly encrypted — in transit or at rest.

→

A05:2025

Injection

SQL injection, XSS, command injection, LDAP, template injection. You take user input and shove it into a query without sanitizing — bad things happen.

→

A06:2025

Insecure Design

Architecture-level problems you can't patch with better code. No rate limiting on password resets, no threat modeling, business logic that's fundamentally flawed.

→

A07:2025

Authentication Failures

Weak password requirements, credential stuffing working because there's no MFA, session tokens that don't expire. The stuff that lets attackers log in as someone else.

→

A08:2025

Data Integrity Failures

Auto-updates without checking signatures, CI/CD pipelines anyone can push to, deserializing untrusted data. When you can't trust that code or data hasn't been tampered with.

→

A09:2025

Security Logging & Alerting Failures

No logs for login attempts, no alerts when someone's brute-forcing your API, no audit trail. Attackers love it when nobody's watching.

→

A10:2025 new

Mishandling of Exceptional Conditions

Stack traces leaking internal paths, error messages revealing database structure, race conditions in failure handlers. When your app breaks, it shouldn't break open.

→