Each year, vulnerability statistics tell a familiar story: some issues refuse to fade away, others quietly rise in impact, and a few “solved” problems turn out to be anything but. The 2025 data confirms this pattern once again. Despite years of guidance, tooling, and awareness, many fundamental security weaknesses continue to appear across modern applications.
This analysis is based on our own findings across hundreds of tested applications spanning multiple projects and environments. Rather than starting from predefined categories such as the OWASP Top 10, the vulnerabilities were first identified and analyzed at a more detailed, issue-specific level. This allows us to highlight concrete technical weaknesses as they appear in real-world assessments, without immediately abstracting them into broader classifications.
Only after this detailed analysis are the findings mapped to the new OWASP Top 10 (2025) categories. This approach provides both a practical, ground-level view of recurring security issues and a standardized high-level perspective for comparison and trend analysis. What makes the 2025 results particularly interesting is not only what vulnerabilities were found, but how their relative prevalence continues to shift from year to year.
Broken Access Control Takes the Lead
In our previous year’s analysis, Cross-Site Scripting (XSS) clearly dominated the findings, reinforcing its long-standing reputation as the most common web application vulnerability. In 2025, however, this balance has begun to shift. Based on our own findings — and reflected as well in the OWASP Top 10 (2025) mapping — Broken Access Control has now taken the lead, although only by a narrow margin.
Broken access control issues were identified in 29.9% of the tested applications, making it the most frequently observed vulnerability category in our 2025 dataset. Cross-Site Scripting (XSS) followed closely behind, affecting 27.8% of applications. While XSS is no longer the top issue in our rankings, its prevalence confirms that it remains a deeply embedded and unresolved problem across modern applications.
Denial of Service (DoS) vulnerabilities — categorized under Mishandling of Exceptional Conditions — continue to be a notable concern, particularly those related to resource exhaustion and inadequate handling of unexpected or error conditions. Identified in over one-fifth of the tested applications, these issues are still frequently underestimated or deprioritized, despite their potential to cause significant operational and availability impact when exploited.
Top individual vulnerabilities observed in 2025 in our test data

What stands out here is not just the presence of individual vulnerabilities, but how often basic authorization logic, input handling, and session management continue to fail in applications. Other issues such as SQL injection, remote code execution and insecure deserialization still appear, but at lower rates, which is of course welcome.
Security Headers: Still Surprisingly Hard to Get Right
One of the most striking findings from 2025 is the continued struggle with HTTP security headers — particularly Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS). Despite both mechanisms being well established for over a decade, they remain among the most misunderstood and inconsistently implemented security controls.
CSP is a browser-enforced security mechanism that defines which sources of content (such as scripts, styles, images, and frames) are allowed to load and execute in an application. When implemented correctly, it significantly reduces the impact of Cross-Site Scripting (XSS) and other client-side injection attacks. However, 43% of the tested applications had no CSP header defined at all. An additional 19% had a CSP in place, but one that was overly permissive or fundamentally weak, for example by allowing `unsafe-inline` in the script policy or listing wildcard or scheme-wide sources such as `*` or `https:`. A policy like that still blocks little: an attacker who can inject markup can also inject an inline script or load one from any HTTPS host. Taken together, 62% of applications were either missing CSP entirely or using it in a way that provides limited real-world protection.
HSTS, on the other hand, is designed to enforce secure communication by instructing browsers to always use HTTPS when interacting with a domain. This helps prevent protocol downgrade attacks and manipulator-in-the-middle (MiTM) scenarios. Two caveats matter in practice: browsers only honour the header when it arrives over HTTPS, so it must be checked on the HTTPS response, and the protection starts only after the first successful HTTPS visit unless the domain is on the browser preload list. Despite its simplicity and effectiveness, 34% of the tested applications were missing the Strict-Transport-Security header.
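As an added illustration of the two checks described above, here is a small Python audit that flags a missing CSP, a script policy that allows `unsafe-inline` or scheme-wide sources, and a missing or short-lived HSTS header. This is example code written for this post, not tooling from 2NS; the weakness list, the one-year max-age threshold and the sample responses are assumptions constructed for illustration.

```python
"""Audit a response's headers for the CSP and HSTS weaknesses discussed above.

Added example for this post. The weakness list, the one-year HSTS threshold
and the sample responses are assumptions constructed for illustration.
"""
from typing import Dict, List

# Script sources that leave a CSP with little value against XSS (assumed list).
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}
# Assumed minimum HSTS lifetime: one year, the value the browser preload list requires.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(value: str) -> List[str]:
    """Report script-policy weaknesses; an empty list means scripts are restricted."""
    policy = parse_csp(value)
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        return ["CSP sets neither script-src nor default-src"]
    sources = [s.lower() for s in script_src]
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present, so it is
    # then only a fallback for old browsers rather than a weakness.
    nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    findings = []
    for src in sources:
        if src == "'unsafe-inline'" and nonce_or_hash:
            continue
        if src in WEAK_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    return findings


def hsts_findings(value: str) -> List[str]:
    """Report weaknesses in a Strict-Transport-Security value."""
    max_age = None
    include_subdomains = False
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            try:
                max_age = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                return ["HSTS max-age is not an integer"]
        elif token == "includesubdomains":
            include_subdomains = True
    findings = []
    if max_age is None:
        findings.append("HSTS has no max-age, so browsers ignore it")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if not include_subdomains:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Audit one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    else:
        findings.extend(csp_findings(h["content-security-policy"]))
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing")
    else:
        findings.extend(hsts_findings(h["strict-transport-security"]))
    return findings


# Constructed sample responses, not data from the article.
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "weak": {
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
        "Strict-Transport-Security": "max-age=300",
    },
    "hardened": {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name}: {audit_headers(headers) or ['ok']}")
```

Run it against the headers of the HTTPS response, not the HTTP one, since browsers discard HSTS received over plain HTTP. Note that the "hardened" sample keeps `'unsafe-inline'` next to a nonce: that is the usual backward-compatibility pattern, and the audit does not flag it because nonce-aware browsers ignore the keyword once a nonce or hash is present.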
Taken together, these findings suggest that security headers are still often treated as optional hardening measures rather than essential baseline controls, even though they provide strong protection against well-known and frequently exploited attack classes.
Here is how common misconfigurations and header-related issues are

Many of these issues are low-effort to fix, yet high-impact when exploited. Their persistence points more toward process and ownership gaps than technical difficulty.
OWASP Top 10 (2025) Mapping Based on Our Data
When mapping our findings to the OWASP Top 10 (2025), one category clearly dominates: Security Misconfiguration. This aligns closely with the high number of missing or weak security headers, verbose error handling, insecure defaults, and exposed metadata observed across the tested applications.
Although our issue-level analysis showed Broken Access Control slightly overtaking Cross-Site Scripting (XSS) as the most prevalent individual vulnerability category, the picture changes when the findings are mapped to the OWASP Top 10 (2025). At this level of abstraction, Injection once again ranks above Broken Access Control.
The difference comes from how the two categories aggregate individual issues. In the OWASP classification, XSS is not a category of its own but is counted under Injection, together with SQL injection, command injection and similar input-handling flaws, so the Injection total combines our second most common issue with several smaller ones. Broken Access Control likewise absorbs technically distinct weaknesses such as Cross-Site Request Forgery (CSRF), Server-Side Request Forgery (SSRF) and open redirects, but in our data that aggregation is not enough to keep it ahead.
Injection vulnerabilities and authentication failures therefore continue to appear as major contributors in the OWASP Top 10 view, reinforcing that input handling and identity management remain among the most challenging security problems to address at scale.
How the OWASP Top 10 (2025) maps to our test data

Final thoughts
If there is one takeaway from 2025, it is this: improving application security is less about discovering new attack techniques and more about systematically fixing the basics — correctly, consistently, and everywhere.
In the next blog post, we will take a step back from the numbers and focus on a question that comes up repeatedly in real-world testing and procurement discussions: can you really "test the OWASP Top 10", and what does that actually mean in practice? "OWASP Top 10 tested" and "ASVS where applicable" are phrases we hear all the time. We will unpack why the OWASP Top 10 is not a testing methodology, how real-world testing goes far beyond category names like Broken Access Control, and how ASVS should be used in practice. We will also explain the difference between ASVS "where applicable" testing and a full ASVS audit, and why methodology matters more than labels.
Miika Rinne
OffSec BU Lead
2NS Cybersecurity