OWASP Top 10:2025 Security Review

<quick_reference>

Quick reference

#	Category	Key risk	Avg incidence
A01	Broken Access Control	Unauthorized data access, privilege escalation, SSRF, CSRF	3.74%
A02	Security Misconfiguration	Default creds, verbose errors, missing hardening, XXE	3.00%
A03	Software Supply Chain Failures	Vulnerable/malicious dependencies, compromised build pipelines	5.72%
A04	Cryptographic Failures	Weak algorithms, hardcoded keys, missing encryption, weak hashing	3.80%
A05	Injection	SQLi, XSS, command injection, LDAP/XPath/EL injection	3.08%
A06	Insecure Design	Missing threat modeling, business logic flaws, insufficient controls	1.86%
A07	Authentication Failures	Credential stuffing, weak passwords, session fixation, missing MFA	2.92%
A08	Software/Data Integrity Failures	Unsigned updates, insecure deserialization, untrusted CDN code	2.75%
A09	Security Logging & Alerting Failures	Missing audit logs, no alerting, log injection, sensitive data in logs	3.91%
A10	Mishandling of Exceptional Conditions	Failing open, info leakage via errors, unchecked return values	2.95%

Severity classification

Use these severity levels when reporting findings:

• Critical: Directly exploitable, leads to full system compromise or mass data breach (e.g., SQLi with no parameterization, hardcoded admin credentials, missing auth on admin endpoints).
• High: Exploitable with moderate effort, significant data exposure or privilege escalation (e.g., IDOR, weak password hashing, SSRF, deserialization of untrusted data).
• Medium: Exploitable under specific conditions, limited impact (e.g., missing CSRF protection, verbose error messages, missing security headers).
• Low: Defense-in-depth issue, minimal direct impact (e.g., missing rate limiting, incomplete logging, suboptimal crypto configuration).

</quick_reference>

Workflows

<phase_1_code_review>

Code review for security

Systematically check the code against each relevant category:

1. Identify the code's surface area — Does it handle auth? User input? File uploads? External data? Crypto? Error responses?
2. Select relevant categories from the table above based on the surface area.
3. Load the reference file for each relevant category and check the code against the "What to look for" section.
4. Report findings grouped by category with severity (Critical/High/Medium/Low), the specific code location, and a concrete fix.

Priority order for review (highest impact first):

• [CRITICAL] Input handling code → A05 (Injection), A01 (Access Control)
• [CRITICAL] Auth/session code → A07 (Authentication), A01 (Access Control)
• [HIGH] Data storage/transmission → A04 (Cryptographic Failures)
• [HIGH] Configuration/deployment → A02 (Security Misconfiguration)
• [HIGH] Dependencies → A03 (Supply Chain)
• [MEDIUM] Error handling → A10 (Exceptional Conditions), A09 (Logging)
• [MEDIUM] Architecture/design → A06 (Insecure Design)
• [MEDIUM] Data integrity → A08 (Integrity Failures) </phase_1_code_review>

<phase_2_audit_checklist>

Security audit checklist

Generate a checklist for a feature or codebase:

1. Read the feature/codebase to understand its scope.
2. For each of the 10 categories, determine if it applies.
3. For applicable categories, load the reference file and produce a checklist of items to verify.
4. Output a markdown checklist grouped by category. </phase_2_audit_checklist>

<phase_3_remediation>

Remediation guidance

When a vulnerability is identified:

1. Classify it into the correct OWASP category.
2. Load the corresponding reference file.
3. Apply the prevention checklist to produce a specific, actionable fix.
4. Provide a code example of the fix when possible. </phase_3_remediation>

Reference files

Load the relevant file when you need detailed guidance for a specific category:

• A01 Broken Access Control — authorization checks, IDOR, CORS, CSRF, path traversal: references/a01-broken-access-control.md
• A02 Security Misconfiguration — hardening, default creds, error messages, headers, XXE: references/a02-security-misconfiguration.md
• A03 Supply Chain Failures — dependency management, SBOM, build pipeline security: references/a03-supply-chain-failures.md
• A04 Cryptographic Failures — encryption, hashing, key management, TLS, PRNG: references/a04-cryptographic-failures.md
• A05 Injection — SQL, XSS, command, ORM, LDAP, template injection: references/a05-injection.md
• A06 Insecure Design — threat modeling, business logic, secure SDLC: references/a06-insecure-design.md
• A07 Authentication Failures — credential stuffing, MFA, session management, password policy: references/a07-authentication-failures.md
• A08 Integrity Failures — deserialization, code signing, untrusted sources, CDN trust: references/a08-integrity-failures.md
• A09 Logging & Alerting — audit trails, log injection, alerting, sensitive data in logs: references/a09-logging-alerting-failures.md
• A10 Exceptional Conditions — error handling, fail-closed, resource cleanup, info leakage: references/a10-exceptional-conditions.md