{
	"id": "b1e48750-f7ec-4eab-8a64-585147f1d9fc",
	"created_at": "2026-04-06T00:12:41.183434Z",
	"updated_at": "2026-04-10T13:11:24.24188Z",
	"deleted_at": null,
	"sha1_hash": "03902b03e213b1da41fc6351925c6c5d02dd6e5a",
	"title": "OWASP Top Ten Web Application Security Risks | OWASP Foundation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213482,
	"plain_text": "OWASP Top Ten Web Application Security Risks | OWASP\r\nFoundation\r\nArchived: 2026-04-05 20:39:49 UTC\r\nThe most current released version is the OWASP Top Ten 2025.\r\nPrevious versions are available at OWASP Top Ten 2021 and OWASP Top 10 2017 (PDF). Older versions are\r\navailable in the GitHub repo.\r\nThe OWASP Top 10 is a standard awareness document for developers and web application security. It represents a\r\nbroad consensus about the most critical security risks to web applications.\r\nGlobally recognized by developers as the first step towards more secure coding.\r\nCompanies should adopt this document and start the process of ensuring that their web applications minimize\r\nthese risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software\r\ndevelopment culture within your organization into one that produces more secure code.\r\nTranslation Efforts\r\nEfforts have been made in numerous languages to translate the OWASP Top 10 - 2025. 
If you are interested in\r\nhelping, please contact the members of the team for the language you are interested in contributing to, or if you\r\ndon’t see your language listed (neither here nor at GitHub), please email owasp-topten@lists.owasp.org to let us\r\nknow that you want to help and we’ll form a volunteer group for your language.\r\nTop10:2025 Completed Translations:\r\nTranslations in progress - check back soon!\r\nHistoric:\r\nTop10:2021 Completed Translations:\r\nالعربية - ar\r\nes - Español\r\nfr - Français\r\nid - Indonesian\r\nit - Italiano\r\nja - 日本語\r\npt_BR - Português (Brasil)\r\nzh_CN - 简体中文\r\nzh_TW - 繁體中文\r\nhttps://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project\r\nPage 1 of 8\n\nTop10:2017 Completed Translations:\r\nChinese: OWASP Top 10-2017 - Chinese edition (PDF)\r\nProject lead: 王颉 (wangj@owasp.org.cn)\r\nTranslators: 陈亮, 王厚奎, 王颉, 王文君, 王晓飞, 吴楠, 徐瑞祝, 夏天泽, 杨璐, 张剑钟, 赵学文 (in no particular order, sorted by surname pinyin)\r\nReviewers: Rip, 包悦忠, 李旭勤, 杨天识, 张家银 (in no particular order, sorted by surname pinyin)\r\nCompiled by: 赵学文\r\nFrench: OWASP Top 10 2017 in French (Git/Markdown)\r\nGerman: OWASP Top 10 2017 in German V1.0 (PDF) (web pages)\r\ncompiled by Christian Dresen, Alexios Fakos, Louisa Frick, Torsten Gigler, Tobias Glemser, Dr. Frank Gut,\r\nDr. Ingo Hanke, Dr. Thomas Herzog, Dr. 
Markus Koegel, Sebastian Klipper, Jens Liebau, Ralf Reinhardt,\r\nMartin Riedel, Michael Schaefer\r\nHebrew: OWASP Top 10-2017 - Hebrew (PDF) (PPTX)\r\ntranslated by Eyal Estrin (Twitter: @eyalestrin) and Omer Levi Hevroni (Twitter: @omerlh).\r\nJapanese: OWASP Top 10-2017 - Japanese edition (PDF)\r\ntranslated and reviewed by Akitsugu ITO, Albert Hsieh, Chie TAZAWA, Hideko IGARASHI, Hiroshi\r\nTOKUMARU, Naoto KATSUMI, Riotaro OKADA, Robert DRACEA, Satoru TAKAHASHI, Sen UENO,\r\nShoichi NAKATA, Takanori NAKANOWATARI, Takanori ANDO, Tomohiro SANAE.\r\nKorean: OWASP Top 10-2017 - Korean (PDF) (PPTX)\r\nTranslation project management and review: 박형근 (Hyungkeun Park) / Review (in Korean alphabetical order): 강용석 (YongSeok Kang),\r\n박창렴 (Park Changryum), 조민재 (Johnny Cho) / Editing and review: 신상원 (Shin Sangwon) / Translation (in Korean alphabetical\r\norder): 김영하 (Youngha Kim), 박상영 (Sangyoung Park), 이민욱 (MinWook Lee), 정초아 (JUNG CHOAH),\r\n조광렬 (CHO KWANG YULL), 최한동 (Handong Choi)\r\nPortuguese: OWASP Top 10 2017 - Portuguese (PDF) (ODP)\r\ntranslated by Anabela Nogueira, Carlos Serrão, Guillaume Lopes, João Pinto, João Samouco, Kembolle A.\r\nOliveira, Paulo A. 
Silva, Ricardo Mourato, Rui Silva, Sérgio Domingues, Tiago Reis, Vítor Magano.\r\nRussian: OWASP Top 10-2017 - in Russian (PDF)\r\ntranslated and reviewed by JZDLin (@JZDLin), Oleksii Skachkov (@hamster4n), Ivan Kochurkin\r\n(@KvanTTT) and Taras Ivashchenko\r\nSpanish: OWASP Top 10-2017 - Spanish (PDF)\r\nGerardo Canedo (Gerardo.Canedo@owasp.org - [Twitter: @GerardoMCanedo])\r\nCristian Borghello (Cristian.Borghello@owasp.org - [Twitter: @seguinfo])\r\nTop10:2017 Release Candidate Translation Teams:\r\nAzerbaijani: Rashad Aliyev (rashad@aliev.info)\r\nChinese RC2: Rip, 包悦忠, 李旭勤, 王颉, 王厚奎, 吴楠, 徐瑞祝, 夏天泽, 张家银, 张剑钟, 赵学文 (in no particular order, sorted by surname pinyin) OWASP Top10 2017 RC2 - Chinese PDF\r\nFrench: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org.\r\nOthers to be listed.\r\nTop10:2013 Completed Translations:\r\nArabic: OWASP Top 10 2013 - Arabic PDF\r\nTranslated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah\r\nAlsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri (KING SABRI):\r\nking.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org\r\nChinese 2013: Chinese edition 2013, OWASP Top 10 2013 - Chinese (PDF).\r\nProject leads: Rip, 王颉; participants: 陈亮, 顾庆林, 胡晓斌, 李建蒙, 王文君, 杨天识, 张在峰\r\nCzech 2013: OWASP Top 10 2013 - Czech (PDF) OWASP Top 10 2013 - Czech (PPTX)\r\nCSIRT.CZ - CZ.NIC, z.s.p.o. 
(.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav\r\nKlimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta\r\nFrench 2013: OWASP Top 10 2013 - French PDF\r\nLudovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall:\r\ng4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert:\r\njocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy:\r\naline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory\r\nBlanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras:\r\nEtienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes:\r\nantonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire:\r\nnicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau:\r\nantoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain:\r\ngilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr,\r\nMichel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin:\r\naymeric.tabourin@orange.com\r\nGerman 2013: OWASP Top 10 2013 - German PDF\r\ntop10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. 
Ingo Hanke, Thomas\r\nHerzog, Kai Jendrian, Ralf Reinhardt, Michael Schäfer\r\nHebrew 2013: OWASP Top 10 2013 - Hebrew PDF\r\nTranslated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.\r\nItalian 2013: OWASP Top 10 2013 - Italian PDF\r\nTranslated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo\r\nMeucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido:\r\nalex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare:\r\ngiuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso:\r\ngiandou@gmail.com, Alessio D’Ospina: alessiodos@gmail.com, Loredana Mancini:\r\nloredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta:\r\ngiutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu:\r\nhambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero:\r\nzanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata’:\r\nkoba@sikurezza.org\r\nJapanese 2013: OWASP Top 10 2013 - Japanese PDF\r\nTranslated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori\r\nNakanowatari\r\nKorean 2013: OWASP Top 10 2013 - Korean PDF (names in Korean alphabetical order)\r\n김병효: byounghyo.kim@owasp.org, 김지원: jiwon.kim@owasp.or.kr, 김효근: katuri@katuri.kr, 박정훈: xelion@gmail.com,\r\n성영모: youngmo.seong@owasp.or.kr, 성윤기: yune.sung@owasp.org, 송보영: boyoung.song@owasp.or.kr,\r\n송창기: factor7@naver.com, 유정호: griphis77@gmail.com, 장상민: sangmin.jang@owasp.or.kr,\r\n전영재: youngjae.jeon@owasp.org, 정가람: tgcarrot@gmail.com, 정홍순: jhs728@gmail.com,\r\n조민재: johnny.cho@owasp.org, 허성무: issimplenet@gmail.com\r\nBrazilian Portuguese 2013: OWASP Top 10 2013 - Brazilian Portuguese PDF\r\nTranslated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da\r\nSilva, Luiz Vieira, Suely Ramalho de 
Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula\r\nAssumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte\r\nSpanish 2013: OWASP Top 10 2013 - Spanish PDF\r\nGerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger:\r\nfabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley:\r\njohnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez:\r\nmateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez:\r\nrodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria:\r\nfelipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil:\r\nrafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez\r\njonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre:\r\nhector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon:\r\njohnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes:\r\ncarlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez:\r\nmanuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada:\r\nmpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel\r\nBahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge\r\nCorrea: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez\r\nGuerrero: german.suarez@owasp.org, Jose A. 
Guasch: jaguasch@gmail.com, Edgar Salazar:\r\nedgar.salazar@owasp.org\r\nUkrainian 2013: OWASP Top 10 2013 - Ukrainian PDF\r\nKateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich,\r\nBohdan Serednytsky\r\n2010 Completed Translations:\r\nKorean 2010: OWASP Top 10 2010 - Korean PDF\r\nHyungkeun Park (mirrk1@gmail.com)\r\nSpanish 2010: OWASP Top 10 2010 - Spanish PDF\r\nDaniel Cabezas Molina, Edgar Sanchez, Juan Carlos Calderon, Jose Antonio Guasch, Paulo Coronado,\r\nRodrigo Marcos, Vicente Aguilera\r\nFrench 2010: OWASP Top 10 2010 - French PDF\r\nludovic.petit@owasp.org, sebastien.gioria@owasp.org, antonio.fontes@owasp.org,\r\nbenoit.guerette@owasp.org, Jocelyn.aubert@owasp.org, Eric.Garreau@gemalto.com,\r\nGuillaume.Huysmans@gemalto.com\r\nGerman 2010: OWASP Top 10 2010 - German PDF\r\ntop10@owasp.de which is Frank Dölitzscher, Tobias Glemser, Dr. Ingo Hanke, Kai Jendrian, Ralf\r\nReinhardt, Michael Schäfer\r\nIndonesian 2010: OWASP Top 10 2010 - Indonesian PDF\r\nTedi Heriyanto (coordinator), Lathifah Arief, Tri A Sundara, Zaki Akhmad\r\nItalian 2010: OWASP Top 10 2010 - Italian PDF\r\nSimone Onofri, Paolo Perego, Massimo Biagiotti, Edoardo Viscosi, Salvatore Fiorillo, Roberto Battistoni,\r\nLoredana Mancini, Michele Nesta, Paco Schiaffella, Lucilla Mancini, Gerardo Di Giacomo, Valentino\r\nSquilloni\r\nJapanese 2010: OWASP Top 10 2010 - Japanese PDF\r\ncecil.su@owasp.org, Dr. 
Masayuki Hisada, Yoshimasa Kawamoto, Ryusuke Sakamoto, Keisuke Seki, Shin\r\nUmemoto, Takashi Arima\r\nChinese 2010: OWASP Top 10 2010 - Chinese PDF\r\nThanks to the following translators and reviewers who contributed to the Chinese edition: Rip Torn, 钟卫林, 高雯, 王颉, 于振东\r\nVietnamese 2010: OWASP Top 10 2010 - Vietnamese PDF\r\nTranslation led by Cecil Su - Translation Team: Dang Hoang Vu, Nguyen Ba Tien, Nguyen Tang Hung,\r\nLuong Dieu Phuong, Huynh Thien Tam\r\nHebrew 2010: OWASP Top 10 Hebrew Project – OWASP Top 10 2010 - Hebrew PDF.\r\nLed by Or Katz; see the translation page for the list of contributors.\r\nThe OWASP Top 10:2021 is sponsored by Secure Code Warrior.\r\nThe OWASP Top 10 - 2017 project was sponsored by Autodesk, and supported by the OWASP NoVA Chapter.\r\nThanks to Aspect Security for sponsoring earlier versions.\r\nOWASP Top 10 2025 Data Analysis Plan\r\nGoals\r\nTo collect the most comprehensive dataset related to identified application vulnerabilities to date, to enable\r\nanalysis for the Top 10 and other future research as well. This data should come from a variety of sources: security\r\nvendors and consultancies, bug bounties, along with company/organizational contributions. Data will be\r\nnormalized to allow for level comparison between Human assisted Tooling (HaT) and Tooling assisted Humans (TaH).\r\nAnalysis Infrastructure\r\nWe plan to use the OWASP Azure Cloud Infrastructure to collect, analyze, and store the data contributed.\r\nContributions\r\nWe plan to support both known and pseudo-anonymous contributions. The preference is for contributions to be\r\nknown; this immensely helps with the validation/quality/confidence of the data submitted. If the submitter prefers\r\nto have their data stored anonymously and even go as far as submitting the data anonymously, then it will have to\r\nbe classified as “unverified” vs. 
“verified”.\r\nVerified Data Contribution\r\nScenario 1: The submitter is known and has agreed to be identified as a contributing party.\r\nScenario 2: The submitter is known but would rather not be publicly identified.\r\nScenario 3: The submitter is known but does not want it recorded in the dataset.\r\nUnverified Data Contribution\r\nScenario 4: The submitter is anonymous. (Should we support?)\r\nThe analysis of the data will be conducted with a careful distinction when the unverified data is part of the dataset\r\nthat was analyzed.\r\nContribution Process\r\nThere are a few ways that data can be contributed:\r\n1. Email a CSV/Excel file with the dataset(s) to brian.glas@owasp.org\r\n2. Upload a CSV/Excel file to https://bit.ly/OWASPTop10Data\r\nTemplate examples can be found in GitHub: https://github.com/OWASP/Top10/tree/master/2025/Data\r\nContribution Period\r\nWe plan to accept contributions to the new Top 10 until July 31, 2025, for data dating from 2021 to 2024.\r\nData Structure\r\nThe following data elements are required or optional.\r\nThe more information provided, the more accurate our analysis can be.\r\nAt a bare minimum, we need the time period, total number of applications tested in the dataset, and the list of\r\nCWEs and counts of how many applications contained that CWE.\r\nIf at all possible, please provide the additional metadata, because that will greatly help us gain more insights into\r\nthe current state of testing and vulnerabilities.\r\nMetadata\r\nContributor Name (org or anon)\r\nContributor Contact Email\r\nTime period (2024, 2023, 2022, 2021)\r\nNumber of applications tested\r\nType of testing (TaH, HaT, Tools)\r\nPrimary Language (code)\r\nGeographic Region (Global, North America, EU, Asia, other)\r\nPrimary Industry (Multiple, Financial, Industrial, Software, ??)\r\nWhether or not data contains retests or the same applications multiple times 
(T/F)\r\nCWE Data\r\nA list of CWEs with a count of applications found to contain that CWE\r\nIf at all possible, please provide core CWEs in the data, not CWE categories.\r\nThis will help with the analysis; any normalization/aggregation done as a part of this analysis will be well\r\ndocumented.\r\nNote:\r\nIf a contributor has two types of datasets, one from HaT and one from TaH sources, then it is recommended to\r\nsubmit them as two separate datasets.\r\nHaT = Human assisted Tools (higher volume/frequency, primarily from tooling)\r\nTaH = Tool assisted Human (lower volume/frequency, primarily from human testing)\r\nSurvey\r\nAs with the Top Ten 2021, we plan to conduct a survey to identify up to two categories of the Top Ten that the\r\ncommunity believes are important, but may not be reflected in the data yet. We plan to conduct the survey in early\r\n2025, and will be utilizing Google forms in a similar manner as last time. The CWEs on the survey will come\r\nfrom current trending findings, CWEs that are outside the Top Ten in data, and other potential sources.\r\nProcess\r\nAt a high level, we plan to perform a level of data normalization; however, we will keep a version of the raw data\r\ncontributed for future analysis. We will analyze the CWE distribution of the datasets and potentially reclassify\r\nsome CWEs to consolidate them into larger buckets. We will carefully document all normalization actions taken\r\nso it is clear what has been done.\r\nWe plan to calculate likelihood following the model we continued in 2021 to determine incidence rate instead of\r\nfrequency to rate how likely a given app may contain at least one instance of a CWE. This means we aren’t\r\nlooking for the frequency rate (number of findings) in an app; rather, we are looking for the number of\r\napplications that had one or more instances of a CWE. 
We can calculate the incidence rate based on the total\r\nnumber of applications tested in the dataset compared to how many applications each CWE was found in.\r\nIn addition, we will be developing base CWSS scores for the top 20-30 CWEs and include potential impact in\r\nthe Top 10 weighting.\r\nWe would also like to explore additional insights that could be gleaned from the contributed dataset to see what else\r\ncan be learned that could be of use to the security and development communities.\r\nSource: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
	],
	"report_names": [
		"Category:OWASP_Top_Ten_Project"
	],
	"threat_actors": [],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03902b03e213b1da41fc6351925c6c5d02dd6e5a.pdf",
		"text": "https://archive.orkl.eu/03902b03e213b1da41fc6351925c6c5d02dd6e5a.txt",
		"img": "https://archive.orkl.eu/03902b03e213b1da41fc6351925c6c5d02dd6e5a.jpg"
	}
}