πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney.

OWASP Top 10 Β· 2025 edition

OWASP Top 10 Challenges

Cover every OWASP Top 10:2025 category with hands-on secure coding challenges. Your developers find and fix real vulnerabilities in the language they ship in β€” and you get evidence of capability, not just completion.

Capability, not checkbox compliance

Hands-On Challenges for Every Category

The OWASP Top 10 is the industry benchmark for web application security β€” the list your auditors, customers and security team measure against. The 2025 edition adds Software Supply Chain Failures and Mishandling of Exceptional Conditions, and folds SSRF into Broken Access Control. Pick your language below: every challenge is a real application with a real vulnerability, and every verified fix becomes reportable evidence of secure coding capability.

New to the OWASP Top 10?

OWASP Top 10 β€” the course

Learn each category through a real-world breach β€” from the Capital One SSRF to the Uber logging failure β€” then find the vulnerability in code, trace the exploit, and apply the fix. The fastest way to get a team started before they play the challenges.

Start the Course
The 2025 edition

What the OWASP Top 10 Covers

A01:2025

Broken Access Control

Users acting outside their intended permissions β€” the most common web application risk. The 2025 edition folds Server-Side Request Forgery into this category.

A02:2025

Security Misconfiguration

Insecure default configurations, verbose errors, exposed secrets and unhardened services β€” now the #2 web application risk.

A03:2025

Software Supply Chain Failures

New in 2025: compromises across dependencies, build systems and distribution infrastructure, expanded from Vulnerable and Outdated Components.

A04:2025

Cryptographic Failures

Weak or missing cryptography that exposes sensitive data: predictable randomness, poor key handling, and broken token generation.

A05:2025

Injection

Untrusted data interpreted as code or commands β€” SQL injection, command injection, log injection, XSS and friends.

A06:2025

Insecure Design

Security flaws baked into the design itself: missing rate limits, weak password policies, and logic that can be abused even when implemented "correctly".

A07:2025

Authentication Failures

Broken login, session and token handling that lets attackers assume other users’ identities.

A08:2025

Software or Data Integrity Failures

Code and data accepted without integrity verification: insecure deserialization, prototype pollution, and unsafe update mechanisms.

A09:2025

Security Logging and Alerting Failures

Missing, forgeable or unmonitored logs that let breaches go undetected. Renamed in 2025 to emphasise alerting.

A10:2025

Mishandling of Exceptional Conditions

New in 2025: improper error handling, fail-open logic and unexpected runtime states that attackers can force.

Roll it out

Turn the Standard Into a Training Program

Assign these challenges to your team as learning pathways, track verified fixes, and report OWASP Top 10 coverage to auditors, customers and the board β€” with evidence, not attendance sheets.