
OWASP 2025 Mapping

npx machina-cli add skill allsmog/vuln-scout/owasp-2025 --openclaw

OWASP Top 10 2025 Reference

Purpose

Provide comprehensive mapping of OWASP Top 10 2025 categories to detection patterns, CWE references, and related plugin skills. This serves as the master reference for vulnerability categorization.

When to Use

Activate this skill when:

  • Starting a security audit that needs comprehensive coverage
  • Mapping findings to industry-standard categories
  • Generating reports with OWASP/CWE references
  • Understanding which vulnerability classes to prioritize

OWASP Top 10 2025 Overview

Rank | Category                     | Description                                         | Plugin Coverage
-----|------------------------------|-----------------------------------------------------|-------------------------------
A01  | Broken Access Control        | Authorization failures, IDOR, privilege escalation  | business-logic skill
A02  | Security Misconfiguration    | Default creds, debug mode, missing headers          | security-misconfiguration skill
A03  | Software Supply Chain        | Dependency vulns, build pipeline                    | (Out of scope)
A04  | Cryptographic Failures       | Weak crypto, hardcoded secrets                      | cryptographic-failures skill
A05  | Injection                    | SQLi, Command, LDAP, XSS                            | vuln-patterns skill
A06  | Insecure Design              | Business logic flaws, missing controls              | business-logic skill
A07  | Authentication Failures      | Auth bypass, session issues, credential stuffing    | vuln-patterns skill
A08  | Data Integrity Failures      | Deserialization, CI/CD issues                       | vuln-patterns skill
A09  | Logging & Alerting Failures  | Log injection, insufficient logging                 | logging-failures skill
A10  | Mishandling of Exceptions    | XXE, error handling, stack traces                   | exception-handling skill

A01: Broken Access Control

CWEs: CWE-22, CWE-284, CWE-285, CWE-639, CWE-862, CWE-863

Covered by: business-logic skill

Detection Patterns:

# Missing authorization checks
grep -rniE "isAdmin|hasRole|checkPermission|authorize" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# IDOR patterns (direct object references)
grep -rniE "user_id|userId|account_id|order_id" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

# Privilege escalation
grep -rniE "role.*=|setRole|updateRole|isAdmin.*true" --include="*.go" --include="*.py" --include="*.java"

Key Indicators:

  • Missing @PreAuthorize, @RequiresPermission annotations
  • Direct use of user-supplied IDs without ownership verification
  • Role checks only on frontend, not backend

A02: Security Misconfiguration

CWEs: CWE-16, CWE-209, CWE-215, CWE-548, CWE-756

Covered by: security-misconfiguration skill

Detection Patterns:

# Debug mode enabled
grep -rniE "DEBUG.*=.*[Tt]rue|FLASK_DEBUG|APP_DEBUG|debug.*mode" --include="*.py" --include="*.env" --include="*.yaml" --include="*.json"

# Default credentials
grep -rniE "password.*=.*['\"]admin|pass.*=.*['\"]123|secret.*=.*['\"]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Exposed endpoints
grep -rniE "/admin|/debug|/actuator|/swagger|/graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

A04: Cryptographic Failures

CWEs: CWE-326, CWE-327, CWE-328, CWE-330, CWE-338, CWE-798

Covered by: cryptographic-failures skill

Detection Patterns:

# Weak hash algorithms
grep -rniE "md5|sha1\(|SHA1|MessageDigest.*MD5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Hardcoded secrets
grep -rniE "api_key.*=.*['\"]|password.*=.*['\"]|secret.*=.*['\"]|token.*=.*['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

# Insecure random
grep -rniE "Math\.random|rand\(\)|random\(\)|Random\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

A05: Injection

CWEs: CWE-77, CWE-78, CWE-79, CWE-89, CWE-90, CWE-91, CWE-94

Covered by: vuln-patterns skill, dangerous-functions skill

Detection Patterns:

# SQL Injection
grep -rniE "execute\(.*\+|query\(.*\+|raw\(.*\+|SELECT.*\+|WHERE.*\+" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Command Injection (see dangerous-functions skill for full list)
grep -rniE "os/exec|subprocess|Runtime\.getRuntime|shell_exec|system\(" --include="*.go" --include="*.py" --include="*.java" --include="*.php"

# XSS - DOM manipulation (see dangerous-functions skill)
grep -rniE "innerHTML|document\.write|\.html\(|v-html" --include="*.ts" --include="*.js" --include="*.jsx" --include="*.tsx" --include="*.vue"

A06: Insecure Design

CWEs: CWE-209, CWE-256, CWE-501, CWE-522, CWE-656

Covered by: business-logic skill, threat-modeling skill

Detection Patterns:

# Missing rate limiting
grep -rniE "login|authenticate|password|reset" --include="*.go" --include="*.py" --include="*.java" | grep -v "rate\|limit\|throttle"

# Trust boundary violations
grep -rniE "trusted|verified|validated" --include="*.go" --include="*.py" --include="*.java"

# State machine issues
grep -rniE "state.*=|status.*=|step.*=" --include="*.go" --include="*.py" --include="*.java"

A07: Authentication Failures

CWEs: CWE-287, CWE-288, CWE-294, CWE-307, CWE-384, CWE-640

Covered by: vuln-patterns skill

Detection Patterns:

# Weak session management
grep -rniE "session\[|Session\.|setSession|getSession" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Password issues
grep -rniE "password.*==|strcmp.*password|password\.equals" --include="*.go" --include="*.py" --include="*.java" --include="*.php"

# JWT issues
grep -rniE "jwt\.decode|verify.*false|algorithm.*none|HS256" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

A08: Data Integrity Failures

CWEs: CWE-345, CWE-353, CWE-502, CWE-565, CWE-784, CWE-829

Covered by: vuln-patterns skill (deserialization section)

Detection Patterns:

# Unsafe deserialization (see dangerous-functions for full list)
grep -rniE "unserialize|ObjectInputStream|yaml\.load|json\.loads" --include="*.go" --include="*.py" --include="*.java" --include="*.php"

# Missing signature verification
grep -rniE "verify.*false|skipVerification|insecure" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

A09: Logging & Alerting Failures

CWEs: CWE-117, CWE-223, CWE-532, CWE-778

Covered by: logging-failures skill, sensitive-data-leakage skill

Detection Patterns:

# Log injection
grep -rniE "log\.(info|debug|error|warn).*\+" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"

# Secrets in logs (covered by sensitive-data-leakage)
grep -rniE "log.*(password|secret|token|key|credential)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

A10: Mishandling of Exceptions

CWEs: CWE-390, CWE-392, CWE-460, CWE-611, CWE-755

Covered by: exception-handling skill

Detection Patterns:

# XXE (XML External Entity)
grep -rniE "XMLParser|DocumentBuilder|SAXParser|xml\.parse|etree\.parse" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Empty catch blocks
grep -rniE "catch.*\{\s*\}|except.*pass|rescue.*end" --include="*.java" --include="*.py" --include="*.rb"

# Stack trace exposure
grep -rniE "printStackTrace|traceback|stack.*trace|\.stack" --include="*.go" --include="*.py" --include="*.java" --include="*.ts"
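As an added example (not code from the vuln-scout skill), the POSIX shell script below runs a subset of the per-category patterns above over a source tree and tags each hit with the OWASP 2025 category and CWE this page assigns to it, so the raw output already carries the report references. The rule subset, the two sample source files and the helper names (owasp_scan, owasp_count, make_sample) are constructed for the demonstration; GNU grep (-r, -E, --include) is assumed.

```shell
#!/bin/sh
# Added example, not the vuln-scout skill's own code: run a subset of the grep
# patterns above and prefix each hit with the OWASP 2025 category and CWE this
# page assigns, so raw output is report-shaped. Assumes GNU grep and POSIX sh.

# Rule table, copied from the skill's patterns: category;CWE;extended regex
RULES='A01;CWE-862;isAdmin|hasRole|checkPermission|authorize
A02;CWE-16;DEBUG.*=.*[Tt]rue|FLASK_DEBUG|APP_DEBUG
A04;CWE-327;md5|sha1\(|SHA1|MessageDigest.*MD5
A05;CWE-89;execute\(.*\+|query\(.*\+|raw\(.*\+|SELECT.*\+|WHERE.*\+
A05;CWE-78;os/exec|subprocess|Runtime\.getRuntime|shell_exec|system\(
A10;CWE-611;XMLParser|DocumentBuilder|SAXParser|xml\.parse|etree\.parse
A10;CWE-755;catch.*\{\s*\}|except.*pass|rescue.*end'

# owasp_scan DIR: print "CATEGORY CWE path:line:text" for every hit.
owasp_scan() {
    printf '%s\n' "$RULES" | while IFS=';' read -r cat cwe pat; do
        grep -rniE --include='*.go' --include='*.py' --include='*.java' \
            --include='*.ts' --include='*.php' -e "$pat" "$1" \
            | sed "s/^/$cat $cwe /"
    done
}

# owasp_count DIR CATEGORY: number of hits tagged with CATEGORY (e.g. A05).
owasp_count() {
    owasp_scan "$1" | grep -c "^$2 " || true
}

# make_sample DIR: write two constructed, deliberately flawed files so the
# scanner can be exercised offline (A01, A02, A04, A05 x2, A10 x3 hits).
make_sample() {
    cat > "$1/app.py" <<'EOF'
import subprocess, hashlib
DEBUG = True
def lookup(cur, uid):
    cur.execute("SELECT * FROM users WHERE id=" + uid)
    try: return hashlib.md5(uid.encode()).hexdigest()
    except Exception: pass
EOF
    cat > "$1/App.java" <<'EOF'
class App {
  void load(User user) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    if (user.isAdmin()) { return; }
    try { run(); } catch (Exception e) { }
  }
}
EOF
}
```

Because grep is line-based, the A10 empty-catch pattern fires only when the braces sit on the same line as catch, so a brace-on-next-line style needs a separate check.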

CWE Quick Reference

CWE      | Name                                 | OWASP 2025
---------|--------------------------------------|-----------
CWE-22   | Path Traversal                       | A01
CWE-77   | Command Injection                    | A05
CWE-78   | OS Command Injection                 | A05
CWE-79   | XSS                                  | A05
CWE-89   | SQL Injection                        | A05
CWE-117  | Log Injection                        | A09
CWE-209  | Error Message Info Disclosure        | A02, A10
CWE-284  | Improper Access Control              | A01
CWE-287  | Improper Authentication              | A07
CWE-326  | Inadequate Encryption Strength       | A04
CWE-327  | Broken Crypto Algorithm              | A04
CWE-330  | Insufficient Randomness              | A04
CWE-384  | Session Fixation                     | A07
CWE-502  | Deserialization of Untrusted Data    | A08
CWE-532  | Sensitive Info in Logs               | A09
CWE-611  | XXE                                  | A10
CWE-639  | User-Controlled Key                  | A01
CWE-755  | Improper Exception Handling          | A10
CWE-778  | Insufficient Logging                 | A09
CWE-798  | Hardcoded Credentials                | A04
CWE-862  | Missing Authorization                | A01
CWE-863  | Incorrect Authorization              | A01

Audit Checklist

When performing a comprehensive audit, ensure coverage of:

  • A01: Check all endpoints for authorization
  • A02: Review configuration files, environment variables
  • A04: Search for hardcoded secrets, weak crypto
  • A05: Trace user input to SQL, commands, HTML output
  • A06: Review business logic, state machines
  • A07: Test authentication flows, session management
  • A08: Find deserialization points
  • A09: Check logging for injection, secrets exposure
  • A10: Find XML parsers, review error handling

Integration with Commands

Command                | OWASP Coverage
-----------------------|---------------------------------
/full-audit            | All categories (comprehensive)
/sinks                 | A05 (Injection) primarily
/threats               | A01, A06, A07 (design-level)
/scan --tools semgrep  | A02, A04, A05, A08
/verify                | Confirms A05, A10 findings

Source

https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/owasp-2025/SKILL.md

Overview

Provides a master mapping of OWASP Top 10 2025 categories to detection patterns, CWE references, and related plugin skills. It helps whitebox pentesters align findings with industry-standard categories, generate CWE-informed reports, and prioritize vulnerability classes.

How This Skill Works

The skill links each OWASP 2025 category to CWE identifiers (where applicable) and the plugin skills that cover it (e.g., A01 maps to the business-logic skill). It also includes practical detection patterns and indicators to validate category classification during audits, enabling consistent reporting across engagements.

When to Use It

  • Starting a security audit to ensure comprehensive coverage across OWASP Top 10 2025 categories.
  • Mapping findings to industry-standard categories and CWE references.
  • Generating reports that cite OWASP and CWE mappings and plugin coverage.
  • Understanding which vulnerability classes to prioritize during pentests.
  • Cross-referencing findings with deployment context and security controls in whitebox tests.

Quick Start

  1. Identify the OWASP Top 10 2025 categories relevant to your scope and map each finding to its category.
  2. For each category, attach any CWE references and the corresponding plugin skill that covers detection patterns.
  3. Generate a report that cites OWASP categories, CWE references, and plugin mappings to guide remediation.

Best Practices

  • Use the master mapping as the reference baseline for all findings.
  • Cross-check each finding against the associated CWE and plugin skill.
  • Keep the OWASP 2025 coverage up-to-date with the edition changes.
  • Document triage by category risk and business impact.
  • Automate report generation with embedded CWE and plugin references where possible.

Example Use Cases

  • A01 Broken Access Control mapped to CWE-22, CWE-284, CWE-285, CWE-639, CWE-862, CWE-863 with the business-logic plugin.
  • A02 Security Misconfiguration mapped to CWE-16, CWE-209, CWE-215, CWE-548, CWE-756 using the security-misconfiguration plugin.
  • A04 Cryptographic Failures mapped to CWE-326, CWE-327, CWE-328, CWE-330, CWE-338, CWE-798 with the cryptographic-failures plugin.
  • A05 Injection mapped to common injection patterns (SQLi, Command, LDAP, XSS) using the vuln-patterns plugin.
  • A09 Logging & Alerting Failures mapped to log injection and insufficient logging using the logging-failures plugin.
