Updated the dates
updated data collection date
*warning* Version 1.0.0 of this plugin brings breaking changes to the configuration format, e.g. mkdocs.yml file see https://pypi.org/project/mkdocs-static-i18n/1.0.0/
…ements.txt: requirements.txt: limit mkdocs-static-i18n version from 0.40 to 0.56
to manage the versions of the required Python libraries for mkdocs
…ctor Python venv and update config for site language selector
see https://owasp.org/www-project-open-security-information-base/ It provides a central management of links in MkDocs documents. This includes the versioning of links inside a project, standard or a group of documents and to external sources.
Add OWASP Open Security Information Base (OSIB) to manage links
Add German Version of Top 10:2021 from Repository https://github.com/sub0Kelvin/Top10Translation
This update addresses an issue with the Google Groups link in the OWASP Markdown file. The previous entry was a placeholder, and I have replaced it with a potential link to the OWASP Google Groups page. However, the accuracy of this link needs to be verified. A comment has been added to guide future contributors to update the link if it is found to be incorrect. This change ensures that the document is more informative and actionable for users seeking to connect with OWASP's Google Groups.
* Adding Spanish translation of OWASP Top 10 2021 * Added the Spanish translation to mkdocs.yml --------- Co-authored-by: yesid.pinto <pinto_1110@hotmail.com>
* Remove Logo of Prior Sponsor * Remove 2017 RC1 Column Rename "2017 RC2" to "2017" Resize all other columns including 2017. * Rename Folder and File to 2021 * Insert 2021 Column Release Candidate (RC) * QA 2021 Column * Delete "T10" Redundancy * Replace @cmlh Email Address * Insert RC1 Watermark * Fix Color of CSRF 2017 Cell "Change the colour of 2017 CSRF from Green to Red." to quote @colecornford within #674 (comment) * Rename "Vulnerable and Outdated Components" "^25 uses the same name as 2017 despite the category being renamed to "Vulnerable and Outdated Components"" to quote @colecornford within #674 (comment) * Fix "Identification and Authentication Failures" "^22 A7 is now "Identification and Authentication Failures" not Access" to quote @colecornford within #674 (comment) Co-Authored-By: Cole Cornford <cole.cornford@gmail.com> * Bump RC2 Thanks @colecornford for #674 (comment) Co-Authored-By: Cole Cornford <cole.cornford@gmail.com> * Insert Sponsor Artwork * Insert @colecornford Credit * Fix Wingdings Cross i.e. "x" * Bump RC Version * Recreate PDF * Added A11 (Next Steps) to Comparison of 2003-2021 Releases * Split A11 (Next Steps) into three major issues and incremented RC number * Enhancement: Reordered 2021 column such that it reads 1-11 * QA Review of Comparison Document (2003-2021) * QA Laura Dominguez * Modify to mailto: Links * Remove Watermark * Recreate PDF --------- Co-authored-by: Cole Cornford <cole.cornford@gmail.com> Co-authored-by: Peter Funnell <peter@localhost.localdomain> Co-authored-by: Peter Funnell <hello@octetsplicer.com>
Just adding the CWE-259, because it was mentioned on overview as notable, but it's missing from Mapped CWE list.
Hi, while delivering a training, a student pointed out an improvement to the description of the A9 issue.
* fix conflict A03_2021-Injection.id.md * Update A03_2021-Injection.id.md
Fix bullet point level.
* Fixed domain for Twitter, since it was broken link * Fixed Twitter.com domain
Duplicated text in the description section of A03:2021 – Injection (Brazilian Portuguese)
- Remove redundant "If" prefix from vulnerability list items - Add OSV (Open Source Vulnerabilities) reference - Update Bybit link to sygnia.co investigation - Replace GlassWorm scenario with Shai-Hulud npm worm - Replace IoT example with Log4Shell CVE - Improve wording throughout (SBOM, dependencies, etc.) - Fix CWE-477 to CWE-447 Rebased from PR #818 by ramimac after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Expand the untrusted components bullet to cover any part of the tech stack that can impact production, not just components downloaded by specific roles. Rebased from PR #821 by gavjl after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add OWASP Dependency Track to the list of tools for continuously inventorying component versions, alongside existing Dependency Check and retire.js references. Rebased from PRs #844 and #845 by wurstbrot after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix wording: "applications tested were found to have" (clearer) - Merge description paragraphs for better flow - Remove redundant bullets about permission complexity and edge cases - Improve elevation of privilege description - Simplify JWT recommendation (add refresh tokens mention) - Remove duplicate threat modeling bullet (covered elsewhere) Rebased from PR #819 by gavjl after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Reword injection vulnerability definition for clarity - Fix typo: "combinatinon" → "combination" Rebased from PR #822 by gavjl after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update TLS requirements: >= TLS 1.2, drop CBC, add quantum key exchange - Add yescrypt to password hashing recommendations - Strengthen PQC guidance with 2030 deadline - Update protocol guidance (avoid STARTTLS, SMTP for confidential data) - Simplify randomness bullet point - Remove deprecated PKCS 1 v1.5 padding question (covered in deprecation list) - Fix CWE count (three, not four) Rebased from PR #850 by drwetter after 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
A03 feedback: improve wording, add OSV, update examples (rebased #818)
The attack scenarios had #2 listed twice. Updated to be correctly numbered from 1-4 with consistent bold formatting and brief titles. Rebased from PR #843 by @ChaoticGoose for 2025 reorganization. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: ChaoticGoose <20331882+ChaoticGoose@users.noreply.github.com>
Added a section for the upcoming OWASP Top 10 2025. Rebased from PR #816 by @ShehabAgain (with minor grammar fix). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: ShehabAgain <170355303+ShehabAgain@users.noreply.github.com>
Rebased from PR #832 by @tmendo. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Tiago Mendo <1278447+tmendo@users.noreply.github.com>
…o A02 A03: Add blank lines before bullet lists so they render as proper lists (from PR #828 by @za) A02: Add prevention point for using identity federation and short-lived credentials instead of static secrets (from PR #825 by @adanalvarez) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: za <409455+za@users.noreply.github.com> Co-Authored-By: Adan Álvarez <6905200+adanalvarez@users.noreply.github.com>
- Remove extraneous "it" from "if the application it:" - Add missing verb "use" in "both reuse passwords and use weak passwords" Rebased from PR #823 by @gavjl. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Gavin Johnson-Lynn <68402352+gavjl@users.noreply.github.com>
Fix italic markers and sentence-ending punctuation in Notable CWEs list. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Jan Klass <kissaki@posteo.de>
Fixes #887 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: timdnewman <43032684+timdnewman@users.noreply.github.com>
- Scenario #1: Use correct SQL injection payload `' OR '1'='1` instead of inconsistent UNION/SLEEP example - Scenario #2: Give HQL injection its own appropriate payload since HQL doesn't support UNION or SLEEP functions - Scenario #3: Add new OS command injection example with nslookup Fixes #848 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Philippe Arteau <philippe.arteau@gmail.com> Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds proactive defense recommendation to use staged rollouts or canary deployments to limit exposure when a trusted vendor is compromised. Fixes #835 Co-Authored-By: Boyen van Gorp <Boyen86@users.noreply.github.com> 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Merging to add proper links to A02 references section
Pre-launch review fixes: - Fix CWE-525 and CWE-539 links in X01 (pointed to wrong CWE numbers) - Fix "expoitability" typo in 0x02 (should be "exploitability") - Fix "Seurity" typo in A10 (should be "Security") - Clean up footnote formatting in 0x03 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change default site redirect from 2021 to 2025 as the new current release. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove extra_css reference to RC-stylesheet.css now that 2025 is going live. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>