6.2 OWASP Top 10 Overview
Key Takeaways
- The OWASP Top 10 is a community-driven awareness document of the most critical web application security risk categories; CEH expects you to recognize each category and its primary defense.
- The current edition is the OWASP Top 10:2025 (released January 2026), which keeps Broken Access Control at #1, promotes Security Misconfiguration to #2, and adds Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10).
- In 2025 Server-Side Request Forgery (SSRF), a standalone A10 in 2021, was consolidated into Broken Access Control.
- CEH v13's blueprint historically maps to the OWASP Top 10:2021 list, so candidates should be able to recognize both the 2021 and 2025 categories.
- Broken Access Control and Injection are the highest-yield categories for CEH web questions because they map directly to hands-on attack techniques covered later in this chapter.
What the OWASP Top 10 Is
The Open Worldwide Application Security Project (OWASP) Top 10 is a community-built, periodically updated awareness document that ranks the most critical categories of web application security risk. It is intentionally a list of risk categories, not a vulnerability checklist: clearing the Top 10 reduces risk but does not prove an application is secure. CEH uses it as the conceptual map for the Web Application Hacking domain — you should be able to name each category and its primary defense, and classify a described flaw into the correct bucket.
Which Version to Study
OWASP publishes a new edition every few years, derived from analysis of real-world vulnerability data (the 2025 edition drew on 175,000+ CVEs mapped across 248 CWEs) plus a practitioner survey. The current edition is the OWASP Top 10:2025, announced at OWASP Global AppSec in November 2025 and finalized in January 2026. The previous, long-standing OWASP Top 10:2021 is still widely referenced, and the CEH v13 blueprint was written against the 2021-era categories. The practical exam strategy is to know the 2025 list as current and recognize the 2021 list, since pooled CEH questions may reference either.
OWASP Top 10:2025 (current)
| Code | Category | Core idea & primary defense |
|---|---|---|
| A01:2025 | Broken Access Control | Users act outside intended permissions (now includes SSRF). Defense: deny-by-default, enforce authorization server-side on every request. |
| A02:2025 | Security Misconfiguration | Insecure defaults, verbose errors, unnecessary features. Defense: hardened baselines, minimal surface, automated config review. |
| A03:2025 | Software Supply Chain Failures | Compromise via third-party code, build, or distribution. Defense: dependency inventory (SBOM), pinned/verified components, secure build pipeline. |
| A04:2025 | Cryptographic Failures | Weak or missing protection of data in transit/at rest. Defense: strong vetted algorithms, TLS everywhere, proper key management. |
| A05:2025 | Injection | Untrusted input interpreted as code/commands (includes SQL injection and XSS). Defense: parameterization, context-aware encoding, validation. |
| A06:2025 | Insecure Design | Missing security controls in the design itself. Defense: threat modeling, secure design patterns, abuse-case analysis. |
| A07:2025 | Authentication Failures | Weak login, session, or credential handling. Defense: MFA, strong session management, credential-stuffing protection. |
| A08:2025 | Software or Data Integrity Failures | Code/data trusted without integrity checks (e.g., insecure deserialization, unsigned updates). Defense: signatures, integrity verification, trusted sources. |
| A09:2025 | Security Logging & Alerting Failures | Attacks not detected or escalated. Defense: log security events, monitor, alert, and rehearse response. |
| A10:2025 | Mishandling of Exceptional Conditions | Improper error handling, failing open, logic errors under abnormal conditions. Defense: fail securely (closed), handle errors explicitly, avoid leaking detail. |
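The A01 row above (and the A10 fail-closed defense) in code, as an added example that is not part of OWASP's document or the CEH courseware: one account-lookup handler written the vulnerable way and the deny-by-default way. The `ACCOUNTS` store, user names and function names are assumptions made for illustration.

```python
# Added example, not from OWASP or the CEH courseware: one account-lookup
# handler written two ways. ACCOUNTS, the user names and the request shape
# are constructed for this demonstration.

ACCOUNTS = {  # constructed sample data: account_id -> record
    101: {"owner": "alice", "balance": 2500},
    102: {"owner": "bob", "balance": 40},
}


class Forbidden(Exception):
    """Raised whenever the server-side authorization check does not pass."""


def get_account_vulnerable(session_user, account_id):
    """A01 Broken Access Control (IDOR): the handler trusts the account_id
    taken from the URL and never asks whether session_user owns it."""
    return ACCOUNTS[account_id]


def is_owner(session_user, account_id):
    """Authorization decided on the server for every request. A missing
    record or a malformed id is treated as 'not authorized', so the check
    fails closed (A10 Mishandling of Exceptional Conditions) instead of
    raising an error that a caller might mistake for success."""
    try:
        return ACCOUNTS[account_id]["owner"] == session_user
    except (KeyError, TypeError):
        return False


def get_account_hardened(session_user, account_id):
    """Deny-by-default: the record is returned only after an explicit
    ownership check; every other path, including 'no such account',
    ends in the same Forbidden so the response leaks nothing extra."""
    if session_user and is_owner(session_user, account_id):
        return ACCOUNTS[account_id]
    raise Forbidden(f"{session_user!r} may not read account {account_id!r}")


def tampered_request():
    """Bob edits the account id in the URL from his own 102 to 101.
    Returns (owner leaked by the vulnerable handler, blocked by hardened)."""
    leaked = get_account_vulnerable("bob", 101)
    try:
        get_account_hardened("bob", 101)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked["owner"], blocked
```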
OWASP Top 10:2021 (still exam-relevant)
- A01 Broken Access Control
- A02 Cryptographic Failures
- A03 Injection
- A04 Insecure Design
- A05 Security Misconfiguration
- A06 Vulnerable and Outdated Components
- A07 Identification and Authentication Failures
- A08 Software and Data Integrity Failures
- A09 Security Logging and Monitoring Failures
- A10 Server-Side Request Forgery (SSRF)
What Changed from 2021 to 2025
Knowing the deltas is high-yield because exam writers test the differences:
- Broken Access Control stays #1 in both editions — authorization flaws remain the most common and impactful.
- Security Misconfiguration jumped from #5 (2021) to #2 (2025), reflecting cloud and default-config sprawl.
- Server-Side Request Forgery (SSRF), a standalone A10 in 2021, was folded into Broken Access Control in 2025.
- Two new/renamed categories appear in 2025: Software Supply Chain Failures (A03) (an expansion of 2021's Vulnerable and Outdated Components) and Mishandling of Exceptional Conditions (A10).
- Several 2021 names were updated (e.g., "Security Logging and Monitoring Failures" → "Security Logging & Alerting Failures").
How CEH Uses the Top 10
CEH does not ask you to memorize the rank order for its own sake. It tests whether you can:
- Classify a described flaw into the right category (e.g., "a user changes an account ID in the URL and sees another customer's data" = Broken Access Control / IDOR).
- Pick the primary defense for that category.
- Recognize that one category can cover several distinct attacks — for example, both SQL injection and cross-site scripting live under Injection.
The highest-yield categories for CEH are Broken Access Control and Injection, because they correspond directly to the hands-on attack techniques covered in the rest of this chapter.
Worked Classification Examples
The exam phrases questions as scenarios, then asks for the category and the primary defense. Practice the mapping:
- "A standard user reaches an admin-only function by typing its URL directly." → Broken Access Control; defense: deny-by-default authorization checked server-side on every request.
- "A search box reflects user input into the page and a script runs." → Injection (XSS subtype); defense: context-aware output encoding.
- "A third-party library with a known CVE was never updated." → Software Supply Chain Failures / Vulnerable and Outdated Components; defense: dependency inventory (SBOM) and timely patching.
- "Passwords are stored with a fast, unsalted hash." → Cryptographic Failures; defense: salted, slow one-way hashing.
- "The login allows unlimited password guesses with no lockout." → Authentication Failures; defense: MFA plus rate limiting/lockout.
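The two Injection scenarios above, SQL injection and reflected XSS, with their primary defenses, as an added example that is not from OWASP or the CEH courseware. The `products` table, its rows and the function names are constructed for illustration; the defenses shown are Python's DB-API parameter binding and `html.escape()`.

```python
# Added example, not from OWASP or the CEH courseware: the same product
# search written with string concatenation and with a parameterized query,
# run against a constructed in-memory SQLite table, plus the context-aware
# output encoding that stops the reflected-XSS scenario.
import html
import sqlite3

CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE products (name TEXT, secret INTEGER)")
CONN.executemany(
    "INSERT INTO products VALUES (?, ?)",
    [("widget", 0), ("gadget", 0), ("internal-only", 1)],  # constructed rows
)


def search_vulnerable(term):
    """A05 Injection: the search term is spliced into the SQL text, so a
    quote in the input closes the literal and changes the query's logic."""
    sql = f"SELECT name FROM products WHERE secret = 0 AND name = '{term}'"
    return [row[0] for row in CONN.execute(sql)]


def search_parameterized(term):
    """Defense: the driver binds the value separately from the SQL text,
    so whatever the term contains is compared as a literal string."""
    sql = "SELECT name FROM products WHERE secret = 0 AND name = ?"
    return [row[0] for row in CONN.execute(sql, (term,))]


def render_result_count(term, results):
    """Reflecting the term into an HTML text node: html.escape() is the
    context-aware output encoding for that context, so '<script>' is
    shown as text rather than parsed as markup."""
    return f"<p>{len(results)} result(s) for {html.escape(term)}</p>"


if __name__ == "__main__":
    tautology = "' OR '1'='1"  # the classic input that closes the quoted literal
    print(search_vulnerable(tautology))     # all rows, including the secret one
    print(search_parameterized(tautology))  # []: no product has that name
    print(render_result_count("<script>", []))
```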
Why It Matters Defensively
The Top 10 gives security teams a shared, prioritized vocabulary. A penetration-test report that says "IDOR — Broken Access Control (A01)" tells developers exactly which control failed and which fix applies, far more usefully than a generic "the app has a bug." CEH leans on this because an ethical hacker's value is not only finding the flaw but classifying it and recommending the right, root-cause remediation so the organization can reduce its real risk.
Review Questions
- Which category has remained number one across both the OWASP Top 10:2021 and the OWASP Top 10:2025 editions?
- An auditor states that an application 'passes the OWASP Top 10 review, so it is secure.' Why is this reasoning flawed?
- In the OWASP Top 10:2025, what happened to Server-Side Request Forgery (SSRF), which was its own category (A10) in 2021?