Security Fundamentals & OWASP

OWASP Top 10 2025: A01-A05


The OWASP Top 10 2025 reflects the current threat landscape with significant changes including a new focus on supply chain security. Let's examine the top 5 vulnerabilities you'll be tested on.

A01:2025 - Broken Access Control

Rank: #1 (most critical)

The most prevalent vulnerability in web applications. Occurs when users can act outside their intended permissions.

Common Patterns

| Pattern | Description | Example |
|---|---|---|
| IDOR | Insecure Direct Object Reference | /api/user/123 accessible without authorization |
| Privilege Escalation | User gains admin functions | Changing role in hidden form field |
| Path Traversal | Accessing restricted files | ../../etc/passwd |
| Missing Function Level Access Control | Admin endpoints exposed | /admin/deleteUser with no auth check |

Interview Code Review

# Vulnerable code - Find the issues
# (Flask + Flask-Login; `Document` is the app's ORM model)
from flask import Flask, jsonify, abort
from flask_login import login_required, current_user

app = Flask(__name__)

@app.route('/api/documents/<doc_id>')
def get_document(doc_id):
    document = Document.query.get(doc_id)  # Issue 1: No AuthZ check - any caller can read any doc_id
    return jsonify(document.to_dict())     # Issue 2: no login required; Issue 3: None -> crash instead of 404

# Secure version
@app.route('/api/documents/<doc_id>')
@login_required                            # AuthN: caller must be logged in
def get_document(doc_id):
    document = Document.query.get_or_404(doc_id)
    if document.owner_id != current_user.id:  # AuthZ check: only the owner may read it
        abort(403)
    return jsonify(document.to_dict())

A02:2025 - Security Misconfiguration

Rank: #2 (moved up from #5 in 2021)

Misconfigurations are now more prevalent than ever due to cloud complexity.

Common Misconfigurations

  • Default credentials left unchanged
  • Unnecessary features enabled
  • Error messages revealing stack traces
  • Missing security headers
  • S3 buckets set to public
  • Overly permissive CORS policies

Interview Scenario

Question: "Review this response. What security headers are missing?"

HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache/2.4.41

<html>...

Answer: Missing critical headers:

  • Strict-Transport-Security (HSTS)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Content-Security-Policy
  • Referrer-Policy (recommended; X-XSS-Protection is deprecated and disabled in modern browsers)
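A reviewer answers this question by eye; a checker can answer it for every response in a log. The added example below, not part of the lesson, parses a raw HTTP response and reports headers that are missing or weakly set, including the version disclosure in the `Server` header above. The thresholds (one-year HSTS, `unsafe-inline` in CSP) are this example's own choices.

```python
# Added example (not from the lesson): audit a raw HTTP response for the
# security headers listed in the answer above.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
    "referrer-policy",
)


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw response into its status line and a lowercase-keyed header dict."""
    head, _, _body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def hsts_max_age(value: str) -> int:
    """max-age from an HSTS header value, or -1 if absent or unparseable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_headers(raw: str) -> dict[str, list[str]]:
    """Return {'missing': [...], 'weak': [...]} findings for one response."""
    _status, h = parse_response(raw)
    missing = [name for name in REQUIRED_HEADERS if name not in h]
    weak: list[str] = []
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < 31536000:
        weak.append("strict-transport-security: max-age below one year")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        weak.append("x-content-type-options: value is not 'nosniff'")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in {"DENY", "SAMEORIGIN"}:
        weak.append("x-frame-options: value is neither DENY nor SAMEORIGIN")
    if "content-security-policy" in h and "unsafe-inline" in h["content-security-policy"]:
        weak.append("content-security-policy: allows unsafe-inline")
    if "x-xss-protection" in h:
        weak.append("x-xss-protection: deprecated header, remove it")
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        weak.append(f"server: version disclosed ({server})")
    return {"missing": missing, "weak": weak}


# Constructed samples: the response from the scenario above, and a hardened one.
SCENARIO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache/2.4.41\r\n"
    "\r\n"
    "<html>..."
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
    "<html>..."
)

if __name__ == "__main__":
    for label, raw in (("scenario", SCENARIO_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw))
```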

A03:2025 - Software Supply Chain Failures

Rank: #3 (NEW - expanded from Vulnerable Components)

A major 2025 addition reflecting attacks like SolarWinds and Log4Shell.

Attack Vectors

| Vector | Description | Example |
|---|---|---|
| Dependency Confusion | Internal package names hijacked | Malicious npm package with internal name |
| Typosquatting | Similar package names | lodash vs 1odash |
| Compromised Maintainers | Legitimate package updated maliciously | Event-stream incident |
| Build Pipeline Attacks | CI/CD system compromised | Codecov breach |

Defenses

# Example: Lock dependencies and verify integrity
# package-lock.json (npm) pins the resolved version and records an SRI hash of
# each package tarball; `npm ci` refuses to install a tarball whose hash differs.
# pip has the equivalent: `pip install --require-hashes -r requirements.txt`
# with `package==x.y.z --hash=sha256:...` lines.
"node_modules/lodash": {
  "version": "4.17.21",
  "integrity": "sha512-v2kDE..."
}

Tools: Snyk, Dependabot, OWASP Dependency-Check, npm audit
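The `integrity` value is a Subresource Integrity string: an algorithm name, a dash, and the base64 of the tarball's digest. The added example below, which is not from the lesson or from npm, shows what a lockfile check does: it parses that string, hashes the fetched bytes, and compares in constant time. The tarball bytes, package names other than lodash, and the verdict labels are constructed for the example.

```python
# Added example (not from the lesson): verify fetched package tarballs against
# the SRI "integrity" fields recorded in a package-lock.json.
import base64
import hashlib
import hmac

SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}


def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split 'sha512-<base64>' into (algorithm, raw digest bytes)."""
    algo, _, digest_b64 = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo!r}")
    return algo, base64.b64decode(digest_b64, validate=True)


def sri_of(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string a lockfile would record for these bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_tarball(integrity: str, data: bytes) -> bool:
    """True only when the fetched bytes hash to the recorded digest."""
    algo, expected = parse_sri(integrity)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(expected, actual)


def verify_lockfile(lock: dict, fetched: dict[str, bytes]) -> dict[str, str]:
    """Verdict per package path: 'ok', 'MISMATCH', 'no-integrity' or 'not-fetched'."""
    verdicts: dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry has no tarball
            continue
        integrity = entry.get("integrity")
        if not integrity:
            verdicts[path] = "no-integrity"   # pinned version but nothing to verify against
            continue
        data = fetched.get(path)
        if data is None:
            verdicts[path] = "not-fetched"
            continue
        verdicts[path] = "ok" if verify_tarball(integrity, data) else "MISMATCH"
    return verdicts


# Constructed sample: fake tarball bytes (not real packages) and a lockfile whose
# integrity fields were computed from them; the second package is then tampered.
GOOD_LODASH = b"fake lodash tarball bytes"
GOOD_OTHER = b"fake other-package tarball bytes"
SAMPLE_LOCK = {
    "name": "demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": sri_of(GOOD_LODASH)},
        "node_modules/other-package": {"version": "0.0.1", "integrity": sri_of(GOOD_OTHER)},
        "node_modules/unpinned": {"version": "0.0.1"},
    },
}
FETCHED = {
    "node_modules/lodash": GOOD_LODASH,
    "node_modules/other-package": GOOD_OTHER + b"\n// injected",
}

if __name__ == "__main__":
    for path, verdict in verify_lockfile(SAMPLE_LOCK, FETCHED).items():
        print(f"{verdict:13} {path}")
```

The lockfile must itself be reviewed when it changes: a pull request that rewrites an `integrity` value alongside a version bump is exactly the change a compromised maintainer or build step would make.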

A04:2025 - Cryptographic Failures

Rank: #4 (was #2 in 2021)

Failures in cryptography that lead to sensitive data exposure.

Common Failures

| Failure | Impact | Fix |
|---|---|---|
| Weak algorithms | MD5, SHA1 for passwords | Use bcrypt, Argon2 |
| Hardcoded secrets | Keys in source code | Use secrets manager |
| Missing encryption | Data transmitted in cleartext | TLS 1.3 everywhere |
| Improper key management | Keys stored with data | HSM, separate key storage |

Interview Question

Q: "How would you securely store user passwords?"

Strong Answer:

import bcrypt

def hash_password(password: str) -> bytes:
    # Generate salt and hash in one step
    # bcrypt automatically handles salt storage (salt and cost are embedded in the output)
    # Note: bcrypt only processes the first 72 bytes of the input
    salt = bcrypt.gensalt(rounds=12)  # Cost factor 12 (2^12 iterations)
    return bcrypt.hashpw(password.encode(), salt)

def verify_password(password: str, hashed: bytes) -> bool:
    # Re-derives the hash using the salt and cost stored in `hashed`
    # and compares in constant time
    return bcrypt.checkpw(password.encode(), hashed)

Key Points:

  • Never use MD5/SHA1 for passwords
  • Use adaptive algorithms (bcrypt, Argon2, scrypt)
  • Cost factor should take ~100ms to compute
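The lesson's answer uses the bcrypt library. The added example below, which is not from the lesson, does the same job with scrypt from Python's standard library (one of the adaptive algorithms listed) so it runs without third-party packages. It stores the parameters next to the hash, compares in constant time, detects hashes made under an older cost policy, and calibrates the cost to the ~100 ms target from the key points. The `scrypt$n$r$p$salt$hash` encoding and the `_maxmem` slack are this example's own choices.

```python
# Added example (not from the lesson): adaptive password hashing with
# hashlib.scrypt, a self-describing storage format, and cost calibration.
import hashlib
import hmac
import os
import time


def _maxmem(n: int, r: int) -> int:
    # OpenSSL needs roughly 128 * r * (n + 2 + p) bytes; add slack so larger n is accepted.
    return 128 * r * n + 2 * 1024 * 1024


def hash_password(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Return 'scrypt$n$r$p$salt_hex$hash_hex' so the parameters travel with the hash."""
    salt = os.urandom(16)  # unique random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=32, maxmem=_maxmem(n, r))
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, n_s, r_s, p_s, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n_s), int(r_s), int(p_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected), maxmem=_maxmem(n, r))
    return hmac.compare_digest(expected, actual)


def needs_rehash(stored: str, n: int, r: int, p: int) -> bool:
    """True when the stored hash used weaker parameters than the current policy.

    Call this after a successful login so old hashes are upgraded transparently."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    stored_n, stored_r, stored_p = int(parts[1]), int(parts[2]), int(parts[3])
    return stored_n < n or stored_r < r or stored_p < p


def calibrate_n(target_ms: float = 100.0, r: int = 8, p: int = 1, max_n: int = 2**16) -> int:
    """Smallest power-of-two n whose scrypt takes at least target_ms on this machine."""
    n = 2**10
    while n <= max_n:
        start = time.perf_counter()
        hashlib.scrypt(b"calibration", salt=b"0" * 16, n=n, r=r, p=p,
                       dklen=32, maxmem=_maxmem(n, r))
        if (time.perf_counter() - start) * 1000 >= target_ms:
            return n
        n *= 2
    return max_n


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record))
    print("n for ~100 ms on this machine:", calibrate_n())
```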

A05:2025 - Injection

Rank: #5 (was #3 in 2021)

Untrusted data sent to an interpreter as part of a command or query.

Injection Types

| Type | Target | Example |
|---|---|---|
| SQL Injection | Database | ' OR '1'='1 |
| Command Injection | OS shell | ; rm -rf / |
| LDAP Injection | Directory services | )(uid=))( |
| XSS | Browser | <script>alert(1)</script> |

Defense: Parameterized Queries

# VULNERABLE - String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"

# SECURE - Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

Interview Reality: You WILL be asked to identify injection vulnerabilities in code. Practice recognizing patterns where user input flows into dangerous sinks.
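To see why the parameterized form works rather than take it on faith, the added example below, not part of the lesson, runs the table's `' OR '1'='1` payload through both a concatenated and a parameterized query against an in-memory SQLite table (SQLite uses `?` placeholders where the lesson's driver uses `%s`), and finishes with a small AST scan that flags `execute()` calls whose SQL is built dynamically, the "input flows into a dangerous sink" pattern the text asks you to practice spotting. The sample table, the source snippet it scans, and the function names are constructed for the example.

```python
# Added example (not from the lesson): vulnerable vs parameterized query on SQLite,
# plus a minimal source scan for dynamically built SQL in execute() calls.
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Untrusted input is spliced into the SQL text, so it can change the query's meaning."""
    query = f"SELECT id, name FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_secure(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """The input travels as a bound parameter: it is only ever a value, never SQL."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


def find_risky_execute_calls(source: str) -> list[int]:
    """Line numbers of execute()/executescript() calls whose SQL argument is an
    f-string, a '+' concatenation, or a .format() call.  A query assembled into a
    variable first (as in the lesson's vulnerable snippet) is not caught by this
    simple check; a real scanner would follow the variable's definition."""
    risky: list[int] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in {"execute", "executescript"} and node.args):
            continue
        sql = node.args[0]
        dynamic = isinstance(sql, (ast.JoinedStr, ast.BinOp)) or (
            isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
            and sql.func.attr == "format")
        if dynamic:
            risky.append(node.lineno)
    return risky


PAYLOAD = "' OR '1'='1"  # the SQL injection example from the table above

# Constructed source snippet for the scanner: lines 1, 2 and 4 build SQL dynamically.
SAMPLE_SOURCE = '''\
cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
cur.execute("SELECT * FROM users WHERE id = " + user_id)
cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
cur.execute("SELECT * FROM users WHERE id = {}".format(user_id))
'''

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("secure:    ", lookup_secure(db, PAYLOAD))      # no row matches
    print("risky lines:", find_risky_execute_calls(SAMPLE_SOURCE))
```

With the payload, the vulnerable query becomes `WHERE id = '' OR '1'='1'` and returns the whole table; the parameterized query compares the column against the literal string and returns nothing, while a normal id such as `"2"` still works in both.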

Next, we'll cover A06-A10 and the OWASP LLM Top 10 for AI security roles.
