
Web Security

OWASP Top 10 2025 | What Changed and Why It Matters

Analysis of the new OWASP Top 10 categories, focused on BOLA, SSRF and Software Supply Chain. Field notes from a team that runs pentests every week.

by SPECTROSEC Team
OWASP Web Pentest Methodology

The OWASP Top 10 is the reference framework for web application security. The 2025 revision introduces meaningful shifts from the 2021 edition: new categories, re-ranked priorities and explicit coverage of API-first scenarios.

This is an operational read, not a copy of the official docs. Here we share what we have actually seen across 800+ SPECTROSEC engagements.

What's new

A01:2025 | Broken Access Control

Stays at #1. 93% of SPECTROSEC pentests find at least one issue in this category. The patterns we see most often:

  • BOLA (Broken Object Level Authorization) on REST APIs | /api/users/123/orders, where 123 is trivially swapped for another user's id and the server never checks ownership
  • Tenant isolation broken in B2B multi-tenant SaaS (object ids are scoped globally, not per tenant)
  • JWT claims manipulated client-side (role: user → role: admin) because the server reads claims without verifying the signature, or lets the token pick the algorithm
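The two checks those bullets describe, as an added example written for this post (not SPECTROSEC's tooling or any project's code): a BOLA-prone order lookup next to one that enforces tenant and owner, and a JWT parser that trusts the role claim next to one that pins HS256 and verifies the HMAC first. The order store, the principal shape and the signing key are constructed for the demo; HS256 is hand-rolled with the standard library so nothing needs installing, and exp/aud/iss handling is left out.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample data: a tiny multi-tenant order store keyed by order id.
ORDERS = {
    101: {"owner_id": 1, "tenant_id": "acme", "total": 120.0},
    102: {"owner_id": 2, "tenant_id": "acme", "total": 89.5},
    103: {"owner_id": 3, "tenant_id": "globex", "total": 4000.0},
}

# Hypothetical signing key; a real service loads it from a secret store.
KEY = b"constructed-demo-signing-key"


@dataclass
class Principal:
    user_id: int
    tenant_id: str
    role: str


# --- BOLA -----------------------------------------------------------------

def get_order_vulnerable(order_id):
    """GET /api/users/{uid}/orders/{order_id} as too many apps implement it:
    the path parameter is the only input, so any caller reads any order."""
    return ORDERS.get(order_id)


def get_order(principal, order_id):
    """Object-level check: the row must belong to the caller's tenant and to
    the caller (or the caller is a tenant admin). Denials look like 404 so
    the endpoint does not leak which ids exist in other tenants."""
    order = ORDERS.get(order_id)
    if order is None or order["tenant_id"] != principal.tenant_id:
        return None
    if order["owner_id"] != principal.user_id and principal.role != "admin":
        return None
    return order


# --- JWT claims -----------------------------------------------------------

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def mint_jwt(claims, key):
    """Server-side HS256 signing of a claims dict."""
    header = _b64url(_json({"alg": "HS256", "typ": "JWT"}))
    body = _b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def principal_from_jwt_vulnerable(token):
    """Reads claims without verifying the signature: the client decides its role."""
    _, body, _ = token.split(".")
    c = json.loads(_b64url_decode(body))
    return Principal(c["sub"], c["tenant"], c["role"])


def principal_from_jwt(token, key):
    """Pins the algorithm, checks the HMAC in constant time, then trusts claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # refuses alg=none and algorithm confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    c = json.loads(_b64url_decode(body_b64))
    return Principal(c["sub"], c["tenant"], c["role"])


# --- attacker-side helpers used to exercise the checks --------------------

def tamper_role(token, new_role):
    """Rewrite role: user -> role: admin in the payload, keep the old signature."""
    header, body, sig = token.split(".")
    c = json.loads(_b64url_decode(body))
    c["role"] = new_role
    return f"{header}.{_b64url(_json(c))}.{sig}"


def forge_alg_none(claims):
    """Unsigned token with alg=none and an empty signature segment."""
    return f"{_b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{_b64url(_json(claims))}."
```

Mint a token for user 2 in tenant acme, run it through tamper_role, and feed it to both parsers: the vulnerable one hands back an admin principal that can read order 101 (another user's) and the hardened one returns None. The same hardened parser rejects the alg=none forgery, and get_order still returns None for order 103 even with a valid token, because the tenant check runs before the owner check.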

A04:2025 | Cryptographic Failures

Was A02 in 2021, now A04. The emphasis has shifted: less "weak TLS" (old protocol versions and weak cipher suites are now rare in what we test), more sensitive data handled badly inside the application:

  • Unencrypted databases and backups
  • Hardcoded keys in binaries and container images
  • Session tokens, API keys and cloud credentials written to structured logs
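The last bullet is usually fixed at the logging layer rather than at every call site. What follows is an added example, not code from the post or from any logging library: a JSON formatter for Python's standard logging that masks well-known secret-bearing keys in the structured context and scrubs Bearer tokens, JWTs and AWS access key ids out of free text. The key list and the regexes are constructed starting points, not a complete catalogue.

```python
import json
import logging
import re

# Keys whose values are secrets regardless of content (compared case-insensitively).
SECRET_KEYS = {
    "authorization", "cookie", "set-cookie", "password", "secret",
    "token", "access_token", "refresh_token", "id_token", "api_key", "x-api-key",
}

# Value patterns worth catching inside free text (constructed, not exhaustive).
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def redact_text(text):
    """Scrub token-shaped substrings from a string."""
    text = BEARER_RE.sub("Bearer [REDACTED]", text)
    text = JWT_RE.sub("[REDACTED_JWT]", text)
    return AWS_KEY_RE.sub("[REDACTED_AWS_KEY]", text)


def redact(obj):
    """Walk a structured-log payload: mask secret keys, scrub strings elsewhere."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SECRET_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingJsonFormatter(logging.Formatter):
    """One JSON object per line; redacts the message and any ctx dict passed via extra=."""

    def format(self, record):
        event = {
            "level": record.levelname,
            "logger": record.name,
            "msg": redact_text(record.getMessage()),
        }
        ctx = getattr(record, "ctx", None)
        if isinstance(ctx, dict):
            event["ctx"] = redact(ctx)
        return json.dumps(event, sort_keys=True)


def format_event(msg, ctx=None):
    """Build a record the way logger.info(msg, extra={"ctx": ...}) would, format it, parse it back."""
    record = logging.makeLogRecord({
        "name": "api", "levelno": logging.INFO, "levelname": "INFO", "msg": msg, "ctx": ctx,
    })
    return json.loads(RedactingJsonFormatter().format(record))


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingJsonFormatter())
    log = logging.getLogger("api")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed request context with the kind of values that end up in logs.
    log.info(
        "upstream call failed, sent Authorization: Bearer "
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjJ9.c2lnbmF0dXJl",
        extra={"ctx": {"user": "alice",
                       "headers": {"Cookie": "session=abc123"},
                       "aws_key": "AKIAIOSFODNN7EXAMPLE"}},
    )
```

Key-based masking is the reliable part (a value under "Cookie" is a secret whatever it looks like); the regex pass is a backstop for tokens that leak through exception messages and URLs, which is where we most often find them during pentests.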

Server-Side Request Forgery (SSRF) | now part of A01:2025

SSRF had its own slot in 2021 (A10:2021); the 2025 list folds it into A01 Broken Access Control. We still track it as its own line item because of its impact in cloud environments: an SSRF that can reach the Instance Metadata Service (IMDS, 169.254.169.254 on AWS) reads the temporary IAM credentials of the instance role. Two practical notes. IMDSv2 requires a session token obtained with a PUT request and enforces a response hop limit (1 by default), which stops the plain GET-only SSRF most applications expose, so the first thing to check is whether IMDSv1 is still enabled. And blocking the one IP is not enough: the same service answers on fd00:ec2::254 over IPv6, and DNS rebinding or an open redirect on an allowlisted host routes around a hostname-only filter.
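A server-side URL validator that closes the gaps just described, as an added example written for this post and not code from SPECTROSEC or any framework. It rejects non-HTTP schemes and embedded credentials, optionally enforces a host allowlist, resolves the name once and refuses if any answer is non-public (including IPv4-mapped IPv6 forms), and hands back the resolved address so the caller connects to it rather than resolving again. The sample URLs in the demo are constructed; 8.8.8.8 stands in for a legitimate public target because numeric hosts resolve without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_address(ip):
    """True for any address an SSRF would use to reach internal services."""
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    # not is_global covers 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16
    # (IMDS), 100.64/10, ::1, fc00::/7 (which holds fd00:ec2::254, the IPv6
    # IMDS endpoint), multicast and reserved space.
    return not ip.is_global


def validate_outbound_url(url, allowed_hosts=None):
    """Return (ok, reason, resolved_ip).

    The caller must open the connection to resolved_ip (not re-resolve the
    name, or a rebinding DNS server answers differently the second time) and
    must run every redirect target through this function again."""
    try:
        parts = urlparse(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "unparseable url or port", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", None
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not in allowlist", None
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "dns resolution failed", None
    # Check every A/AAAA answer: an attacker-controlled name can mix public
    # and internal addresses so that the client ends up picking the internal one.
    addrs = sorted({ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}, key=str)
    for ip in addrs:
        if is_forbidden_address(ip):
            return False, f"resolves to non-public address {ip}", None
    return True, "ok", str(addrs[0])


if __name__ == "__main__":
    # Constructed URLs: the classic IMDS credential path, its IPv6 and
    # v4-mapped forms, an internal admin port, and one legitimate target.
    for u in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://10.0.0.5:8080/admin",
        "https://8.8.8.8/",
    ]:
        print(u, "->", validate_outbound_url(u))
```

Resolving before the check matters more than the blocklist itself: a hostname filter sees "metadata.example.net", the resolver sees 169.254.169.254. The hop-limit and PUT-token requirements of IMDSv2 are a second layer on the instance side; the validator is the layer the application owns.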

What we test in a SPECTROSEC assessment

For every category we keep an operational checklist with tools and payloads:

Category             Primary tools                 Quick win
--------             -------------                 ---------
Broken Access Ctrl   Burp + Autorize               ID substitution
SQL Injection        sqlmap, Burp Intruder         Time-based payload
XSS                  XSStrike, Burp                Polyglot payload
SSRF                 SSRFmap, Burp Collaborator    Blind SSRF out-of-band
Supply Chain         OSV-Scanner, Syft             CVEs in dependencies

Why compliance isn't enough

Passing an OWASP audit doesn't mean you're secure. Real attackers don't follow a checklist: they chain three or four "medium" findings into "critical" access.

In our most recent engagement we chained: IDOR → JWT manipulation → SSRF → IMDS → full cloud takeover. Each finding scored CVSS 5-6. The chain scored CVSS 10.

The value of a SPECTROSEC pentest is not finding 10 isolated bugs. It's showing how 3 of them become an incident report.

Next step

If you run a web application or API in production, an OWASP Top 10 assessment takes 5-10 business days, starting at €2,500. The report includes:

  • Findings ranked by CVSS 3.1
  • Proof of concept with screenshots and payloads
  • Remediation guide prioritized by business impact
  • 90-day retest guarantee
