OWASP (Open Web Application Security Project) is a nonprofit foundation that publishes open resources, tools, and standards for application security. Founded in 2001, it maintains the OWASP Top 10, a consensus document identifying the most critical security risks to web applications; the 2025 edition drew on more than 175,000 CVE records and on input from security practitioners worldwide. OWASP's guidance now extends beyond web apps to APIs, mobile applications, AI/LLM systems, and modern software architectures. Understanding OWASP is not about memorizing vulnerabilities. It is about recognizing that security failures cluster around a few core patterns: trusting user input without validation, mismanaging authentication state, exposing sensitive data, and failing to design security in from the start. Modern applications also face supply chain attacks, CI/CD pipeline compromises, and AI-specific risks, which makes proactive security practices essential rather than optional.
What This Cheat Sheet Covers
This topic spans 19 focused tables and 157 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: OWASP Top 10 Core Risks (2025)
The OWASP Top 10:2025 is the eighth edition of this influential list, introducing two new categories — Software Supply Chain Failures (#3) and Mishandling of Exceptional Conditions (#10) — while consolidating SSRF into Broken Access Control. The 2025 list reflects a shift from pure code vulnerabilities toward systemic risks across the entire software delivery lifecycle.
| Risk | Example | Description |
|---|---|---|
| A01 Broken Access Control | `GET /user/123/profile`, attacker changes it to `/user/124/profile` | Most critical risk; some form was found in 100% of tested applications. Occurs when users act outside their intended permissions: unauthorized data access, privilege escalation, SSRF (CWE-918, now consolidated here), and CSRF (CWE-352). |
| A02 Security Misconfiguration | Default admin credentials still active, unnecessary features enabled | Moved up from #5 to #2; affects 100% of tested apps. Improperly configured settings, unpatched systems, verbose error messages, or exposed cloud storage, typically stemming from insecure default configurations. |
| A03 Software Supply Chain Failures | SolarWinds backdoor shipped in a signed update; Shai-Hulud npm worm (2025) | New category for 2025, with the highest average exploit and impact scores. Covers compromised dependencies, tampered CI/CD pipelines, malicious packages, and missing SBOMs: not just vulnerable components but the entire delivery chain. |
| A04 Cryptographic Failures | Passwords stored in plaintext, HTTP instead of HTTPS | Dropped from #2 to #4. Insufficient protection of sensitive data (passwords, credit cards, PII) through weak encryption, missing TLS, hardcoded keys, or no encryption at rest or in transit. |
| A05 Injection | `SELECT * FROM users WHERE id='$id'` with an unsanitized id | Fell from #3 to #5. Untrusted data sent to an interpreter (SQL, NoSQL, OS, LDAP, template) as part of a command; attacker-controlled input alters the query logic or executes arbitrary commands. |