# OWASP Mapping

This page cross-references the Application Attack Matrix to the OWASP Top 10:2025, OWASP's standard awareness document for web application security risks.

Use it as a lookup table when you already know an OWASP risk ID and want to find the corresponding matrix techniques, or vice versa.
## About OWASP Top 10:2025
The OWASP Top 10:2025 is the latest release of OWASP's flagship awareness document for web application security, succeeding OWASP Top 10:2021. It introduces two new categories (Software Supply Chain Failures and Mishandling of Exceptional Conditions) and consolidates Server-Side Request Forgery (SSRF) into Broken Access Control. The methodology and full per-category data are published at owasp.org/Top10/2025/.
## Per-category mapping (OWASP Top 10:2025 → Matrix techniques)

### A01:2025, Broken Access Control

"100% of the applications tested were found to have some form of broken access control... This category has the highest number of occurrences in the contributed data, and second highest number of related CVEs." (OWASP A01:2025)

A01:2025 covers privilege bypass, IDOR, forced browsing, JWT/cookie tampering, CORS misconfiguration, and (new in 2025) Server-Side Request Forgery (CWE-918) and Cross-Site Request Forgery (CWE-352).
| Matrix technique | Tactic |
|---|---|
| Authentication Bypass (incl. OAuth Flow Manipulation, SQL Injection) | Gain Access |
| Service Standard API | Gain Access |
| Valid Accounts | Gain Access |
| Arbitrary File Write Exploitation | Payload Execution |
| Request Forgery (incl. CSRF, SSRF) | Payload Execution |
| Exploitation for Privilege Escalation (incl. Capabilities Abuse, Symlink Attack) | Deepening Control |
| API Misconfiguration Exploitation | Expanding Control |
| Internal Data Harvesting | Expanding Control |
| Service-to-Service Trust Abuse (incl. Overprivileged Service Account Exploitation, Token Replay or Reuse Attacks) | Expanding Control |
| Data Destruction (incl. Backup Destruction or Tampering, Data Corruption via Overwriting, File or Database Record Deletion) | Impact |
| Data Exfiltration | Impact |
| Data Manipulation (incl. Runtime Data Manipulation) | Impact |
| Defacement (incl. Replacement, Website Content) | Impact |
| System Shutdown and Reboot | Impact |
### A02:2025, Security Misconfiguration

"100% of the applications tested were found to have some form of misconfiguration... With more shifts into highly configurable software, it's not surprising to see this category moving up." (OWASP A02:2025)

A02:2025 covers default accounts left enabled, exposed admin interfaces, overly verbose error pages, missing security headers, unhardened cloud storage, and XML External Entity (CWE-611) processing, which was its own category in 2017.
| Matrix technique | Tactic |
|---|---|
| Fuzzing API Endpoints, Schema Extraction | Reconnaissance |
| Gather Application Configuration Information (incl. Feature Flag Discovery, Fingerprinting) | Reconnaissance |
| Public Source Code and Artifacts Analysis (incl. Public Repository Discovery) | Reconnaissance |
| Acquisition of Stolen Keys & Credentials | Resource Development |
| External Remote Services (incl. Exposed Gateway, Exposed Kubernetes API, SSH Access, Unauthenticated Administration Interfaces) | Gain Access |
| Protocol Exploitation (Content Injection) | Gain Access |
| Cloud Accounts, Default Accounts | Gain Access |
| XXE Injection | Payload Execution |
| Capabilities Abuse, SUID and GUID Abuse | Deepening Control |
| Configuration Tampering | Deepening Control |
| Cloud Service Discovery (incl. API-based Resource Listing, Open-source discovery tools) | Expanding Control |
| Exploitation of Remote Services (incl. API Misconfiguration Exploitation) | Expanding Control |
| Resource Hijacking (incl. Bandwidth Hijacking, Compute Hijacking, Cryptomining) | Impact |
### A03:2025, Software Supply Chain Failures

"This was top-ranked in the Top 10 community survey with exactly 50% of respondents ranking it #1... [the risk] has grown in scope to include all supply chain failures, not just ones involving known vulnerabilities." (OWASP A03:2025)

A03:2025 is a new-for-2025 category that subsumes 2021's Vulnerable and Outdated Components. It covers vulnerable transitive dependencies, untrusted package sources, unhardened CI/CD pipelines, and full SBOM hygiene. OWASP explicitly cites the Shai-Hulud npm worm (CISA, Sep 2025) and the Bybit supply chain incident (Feb 2025) as canonical examples.
### A04:2025, Cryptographic Failures

"Failures related to cryptography... often leads to sensitive data exposure or system compromise." (OWASP A04:2025)

A04:2025 covers cleartext transmission, weak or broken algorithms, hard-coded keys, missing certificate validation, and inadequate key management.
| Matrix technique | Tactic |
|---|---|
| Traffic Sniffing | Reconnaissance |
| Protocol Analysis | Reconnaissance |
| Public Source Code and Artifacts Analysis | Reconnaissance |
| Content Injection (incl. Man-in-the-Middle Injection, Man-on-the-Side Injection, Protocol Exploitation) | Gain Access |
| Exploitation for Credential Access (incl. Stealing Tokens, Memory Exploitation for Credential Extraction) | Expanding Control |
| Data Exfiltration | Impact |
| Transmitted Data Manipulation | Impact |
### A05:2025, Injection

"Injection is one of the most tested categories with 100% of applications tested for some form of injection. It had the greatest number of CVEs for any category." (OWASP A05:2025)

A05:2025 covers SQL, NoSQL, OS command, LDAP, XPath, ORM and expression-language injection, as well as Cross-Site Scripting (CWE-79). OWASP explicitly notes that prompt injection (LLM01) is a related class covered separately by the OWASP LLM Top 10; see the companion Agentic Application Attack Matrix for LLM-specific coverage.
| Matrix technique | Tactic |
|---|---|
| SQL Injection (Authentication Bypass) | Gain Access |
| Content Injection | Gain Access |
| AI Infrastructure Exploitation | Payload Execution |
| Injection Exploitations (incl. OS command Injection, SQL Injection, NoSQL Injection, LDAP Injection, XML Injection, XXE Injection, OGNL Injection, CRLF Injection, Template Injection, Expression Language Injection, Arbitrary File Write Exploitation) | Payload Execution |
| Remote Code Execution Exploitation (incl. Dynamic Code Evaluation) | Payload Execution |
| JNDI Injection | Payload Execution |
| Injection (Defense Evasion) | Deepening Control |
| SQL Stored Procedures, Web Shell | Deepening Control |
### A06:2025, Insecure Design

"An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks." (OWASP A04:2021 / A06:2025)

A06:2025 covers missing threat modeling, business-logic flaws, lack of segmentation, and unrestricted abuse of intended functionality.
| Matrix technique | Tactic |
|---|---|
| Execution Using Standard Applicative Flow | Payload Execution |
| Service-to-Service Trust Abuse (incl. Overprivileged Service Account Exploitation) | Expanding Control |
| Business Logic Manipulation | Impact |
| Lifecycle-Triggered Deletion | Impact |
| Financial Theft | Impact |
| Resource Hijacking | Impact |
| Service Disruption | Impact |
### A07:2025, Authentication Failures

"Previously known as A07:2021-Identification and Authentication Failures, this category continues at #7." (OWASP A07:2025)

A07:2025 covers credential stuffing, brute force, weak password recovery, insecure session management, missing MFA, and broken OAuth flows.
| Matrix technique | Tactic |
|---|---|
| Acquisition of Stolen Keys & Credentials | Resource Development |
| Authentication Bypass (incl. OAuth Flow Manipulation, Password Brute Forcing, Race Condition Exploitation, SQL Injection) | Gain Access |
| External Remote Services (incl. SSH Access, Unauthenticated Administration Interfaces) | Gain Access |
| Valid Accounts (incl. Cloud Accounts, Default Accounts, Valid Tokens) | Gain Access |
| Exploitation for Credential Access (incl. Stealing Tokens) | Expanding Control |
| Token Replay or Reuse Attacks | Expanding Control |
### A08:2025, Software or Data Integrity Failures

"This category is focused on the failure to maintain trust boundaries and verify the integrity of software, code, and data artifacts... Notable CWEs include CWE-829: Inclusion of Functionality from Untrusted Control Sphere... and CWE-502: Deserialization of Untrusted Data." (OWASP A08:2025)

A08:2025 covers unsigned updates, untrusted CDN/plugin inclusion, insecure deserialization (CWE-502), and tampering with CI/CD-produced artifacts.
| Matrix technique | Tactic |
|---|---|
| Compromised Code Signing and Build Infrastructure (incl. Build Pipeline Manipulation, Build Script Tampering) | Resource Development |
| Third-Party Dependency Poisoning (incl. Backdoored Open-Source Libraries) | Resource Development |
| Supply Chain Compromise (incl. Build Environment Poisoning, Container Registry Poisoning, Software Update Manipulation) | Gain Access |
| Remote Code Execution Exploitation (incl. Insecure Deserialization Exploitation) | Payload Execution |
| Serialized Data External Linking, JNDI Injection | Payload Execution |
| Hijacking (Defense Evasion), Reflective Code Loading, Shared Library | Deepening Control |
| Server Software Component (incl. SQL Stored Procedures, Web Shell) | Deepening Control |
| Implant Internal Image | Deepening Control |
| Data Manipulation (incl. Runtime Data Manipulation) | Impact |
| Data Corruption via Overwriting | Impact |
### A09:2025, Security Logging and Alerting Failures

"Slight name change (previously Security Logging and Monitoring Failures) to emphasize the importance of alerting functionality." (OWASP A09:2025)

A09:2025 covers missing audit logs, unmonitored authentication events, log injection, and absent or delayed alerting on suspicious activity.
| Matrix technique | Tactic |
|---|---|
| Disable Runtime Protection Service (incl. Service Termination) | Deepening Control |
### A10:2025, Mishandling of Exceptional Conditions

"Mishandling of Exceptional Conditions is a new category for 2025. This category contains 24 CWEs and focuses on improper error handling, logical errors, failing open, and other related scenarios stemming from abnormal conditions." (OWASP A10:2025)

A10:2025 is a new-for-2025 category covering race conditions, fail-open patterns, uncaught exceptions, resource exhaustion via mishandled errors, and information disclosure via stack traces.
| Matrix technique | Tactic |
|---|---|
| Race Condition Exploitation (Authentication Bypass) | Gain Access |
| TOCTOU | Deepening Control |
| Service Disruption (incl. Denial of Service (DoS) Attacks, Resource Starvation, Traffic Flooding, System Shutdown and Reboot) | Impact |
## Techniques outside OWASP Top 10:2025 scope

The OWASP Top 10 catalogs application-risk classes (vulnerability categories in apps). Several matrix techniques describe pure adversary tradecraft (reconnaissance, command-and-control, masquerading, scheduling for persistence, defense evasion), which is out of scope for an application-risk taxonomy. Those technique pages explicitly state "OWASP Mapping: N/A, outside OWASP Top 10:2025 web application risk scope (adversary tradecraft)" so that the mapping status is unambiguous to reviewers.

Examples include C2 over App-Protocols, Masquerading, Scheduled Task, Develop Capabilities, and Obtain Capabilities.
## References

- OWASP Top 10:2025 (full release).
- OWASP Top 10:2025 Introduction & methodology: explains what changed from 2021 and how the categories were computed.
- OWASP Top 10:2021 (previous version): still widely cited; the closest 2021 IDs for each 2025 category are documented in the OWASP introduction.
- OWASP Top 10 main project page: links to translations and prior editions.
- OWASP LLM Top 10: companion taxonomy for LLM-backed apps; see the Agentic Application Attack Matrix for matrix coverage.