OWASP Top 10
What it is — The OWASP Top 10 is a standard awareness document for web application security, published by the Open Worldwide Application Security Project (OWASP). It represents the most critical security risks to web applications, based on broad consensus from security experts worldwide. The current version is OWASP Top 10:2025.
Appsec relevance — The OWASP Top 10 is entirely focused on web application security. It is the most widely referenced application security standard and is used as a baseline by auditors, procurement teams, and compliance frameworks including PCI DSS.
How Detectify Supports the OWASP Top 10:2025
Detectify includes a built-in OWASP Top 10 pass/fail report view per scan, mapping each finding to its corresponding OWASP Top 10 category.
| OWASP Category | What it covers | Detectify Coverage | Key CWEs | Coverage level |
|---|---|---|---|---|
| A01:2025 Broken Access Control | Restrictions on authenticated users are not properly enforced, allowing access to unauthorized functions or data. Now includes SSRF and open redirects. | Authentication bypass, authorization flaws, path traversal, CSRF, SSRF, open redirect detection | CWE-284, CWE-287, CWE-306, CWE-352, CWE-22, CWE-23, CWE-918, CWE-601 | Full |
| A02:2025 Security Misconfiguration | Incorrect security hardening across the application stack, including default configurations, verbose errors, and XML external entity attacks | Default credentials, exposed admin panels, directory listings, verbose error messages, header misconfigurations, XXE detection | CWE-16, CWE-200, CWE-548, CWE-611 | Full |
| A03:2025 Software Supply Chain Failures | Breakdowns in the process of building, distributing, or updating software, including vulnerable or malicious third-party dependencies | Technology fingerprinting via Surface Monitoring, CVE-specific test modules generated by Alfred AI, Crowdsource modules for known component vulnerabilities | Component detection + CVE-specific payload tests | Partial |
| A04:2025 Cryptographic Failures | Failures related to cryptography that lead to exposure of sensitive data or system compromise | Weak encryption detection, cleartext storage and transmission, TLS/SSL configuration testing | CWE-326, CWE-312, CWE-319, CWE-327 | Partial |
| A05:2025 Injection | User-supplied data is sent to an interpreter as part of a command or query, enabling attackers to execute unintended commands | SQL injection, XSS, OS command injection, template injection, code injection, NoSQL injection | CWE-89, CWE-79, CWE-78, CWE-94, CWE-1336, CWE-943 | Full |
| A06:2025 Insecure Design | Design and architectural flaws that cannot be fixed by correct implementation, including missing security controls | Detects some consequences of insecure design (e.g. unrestricted file upload, insufficient credential protection) but cannot assess design decisions | CWE-434, CWE-522 | Partial |
| A07:2025 Authentication Failures | Weaknesses in authentication and session management that allow attackers to compromise credentials or sessions | Session management testing, credential validation, authentication bypass, default credential detection | CWE-287, CWE-306, CWE-288, CWE-798, CWE-613 | Partial |
| A08:2025 Software or Data Integrity Failures | Code and infrastructure that does not protect against integrity violations, including insecure deserialization | Insecure deserialization detection, integrity verification testing | CWE-502, CWE-345 | Partial |
| A09:2025 Security Logging and Alerting Failures | Insufficient logging, detection, monitoring, and active response to security events | Not a primary DAST capability — Detectify detects some information leakage via logs but cannot assess logging completeness | CWE-532 | Limited |
| A10:2025 Mishandling of Exceptional Conditions | Improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions (new for 2025) | Detects verbose error messages, improper handling of exceptional conditions | CWE-209, CWE-755 | Partial |
What Detectify Covers
Detectify provides strong coverage across the OWASP Top 10:2025, with full coverage for Broken Access Control (A01), Security Misconfiguration (A02), and Injection (A05). The built-in OWASP Top 10 report view makes it straightforward to assess and demonstrate compliance against this standard.
Key change from 2021: SSRF (previously its own category at A10:2021) is now part of A01:2025 Broken Access Control, where Detectify has 181 SSRF-specific tests. Software Supply Chain Failures (A03:2025) expands the former “Vulnerable and Outdated Components” category to cover the full supply chain — Detectify provides partial coverage through component detection and CVE-specific testing.
Coverage gaps exist for Insecure Design (A06), which requires threat modeling and secure design practices, and Security Logging and Alerting Failures (A09), which requires log management infrastructure.
Complementary Tools You May Need
- Threat modeling tools — For addressing A06:2025 Insecure Design
- SAST — For deeper code-level injection and cryptographic analysis
- Log management and SIEM — For A09:2025 Security Logging and Alerting Failures
- Software composition analysis (SCA) — For comprehensive A03:2025 supply chain coverage beyond runtime detection