> For the complete documentation index, see [llms.txt](https://ahmed-tarek.gitbook.io/security-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025.md).

# OWASP Top 10:2025

- [A10 Mishandling of Exceptional Conditions](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a10-mishandling-of-exceptional-conditions.md)
  - [Sensitive Data in Error Messages and Debug Code](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a10-mishandling-of-exceptional-conditions/sensitive-data-in-error-messages-and-debug-code.md): CWE-209, CWE-215, CWE-550, CWE-756
  - [Uncaught Exceptions and Improper Recovery](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a10-mishandling-of-exceptional-conditions/uncaught-exceptions-and-improper-recovery.md): CWE-248, CWE-252, CWE-390, CWE-391, CWE-394, CWE-396, CWE-397, CWE-460, CWE-703, CWE-754, CWE-755
  - [Fail-Open Vulnerabilities](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a10-mishandling-of-exceptional-conditions/fail-open-vulnerabilities.md)
- [A09 Security Logging and Alerting Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a09-security-logging-and-alerting-failures.md)
  - [Logging Vulnerabilities](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a09-security-logging-and-alerting-failures/logging-vulnerabilities.md): CWE-117, CWE-221, CWE-223, CWE-532, CWE-778
- [A08 Software or Data Integrity Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a08-software-or-data-integrity-failures.md)
  - [Dependencies and Malicious Code Inclusion](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a08-software-or-data-integrity-failures/dependencies-and-malicious-code-inclusion.md)
  - [Embedded Malware and Dynamic Modification](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a08-software-or-data-integrity-failures/embedded-malware-and-dynamic-modification.md)
  - [Insecure Deserialization](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a08-software-or-data-integrity-failures/insecure-deserialization.md)
  - [DLL Hijacking](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a08-software-or-data-integrity-failures/dll-hijacking.md)
- [A07 Authentication Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures.md)
  - [JWT Hacking](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/jwt-hacking.md)
  - [Hardcoded & Default Credentials](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/hardcoded-and-default-credentials.md): CWE-258, CWE-259, CWE-798, CWE-1392, CWE-1393
  - [Authentication Bypass](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/authentication-bypass.md): CWE-288, CWE-289, CWE-290, CWE-302, CWE-305
  - [Certificate Validation Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/certificate-validation-failures.md): CWE-295, CWE-297, CWE-298, CWE-299, CWE-346
  - [Session Security](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/session-security.md): CWE-384, CWE-613, CWE-620, CWE-304, CWE-306
  - [Dictionary Attacks and Recovery Exploits](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/dictionary-attacks-and-recovery-exploits.md): CWE-307, CWE-521, CWE-640, CWE-1391, CWE-294
  - [Network-Based Authentication Flaws](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a07-authentication-failures/network-based-authentication-flaws.md): CWE-291, CWE-293, CWE-300, CWE-350, CWE-940, CWE-941
- [A06 Insecure Design](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design.md)
  - [Race Conditions](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/race-conditions.md)
  - [HTTP Request Smuggling](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/http-request-smuggling.md)
  - [UI Attacks](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/ui-attacks.md)
  - [Insecure File Upload and Path Traversal](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/insecure-file-upload-and-path-traversal.md): CWE-73, CWE-434, CWE-646
  - [Sensitive Data Storage: Encryption, Caching, and Cookies](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/sensitive-data-storage-encryption-caching-and-cookies.md): CWE-256, CWE-311, CWE-312, CWE-313, CWE-316, CWE-522, CWE-525, CWE-539, CWE-598
  - [Privilege Escalation and Trust Boundaries](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a06-insecure-design/privilege-escalation-and-trust-boundaries.md): CWE-266, CWE-269, CWE-286, CWE-501, CWE-602
- [A05 Injection](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection.md)
  - [Cross Site Scripting](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/cross-site-scripting.md)
    - [Cross Site Scripting](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/cross-site-scripting/cross-site-scripting.md)
    - [Exploitation](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/cross-site-scripting/exploitation.md)
    - [Protections](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/cross-site-scripting/protections.md)
  - [SQL Injection](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/sql-injection.md)
    - [SQLmap](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/sql-injection/sqlmap.md)
  - [NoSQL Injection](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/nosql-injection.md)
  - [CRLF Injection](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/crlf-injection.md)
  - [CST Injection (CSTI)](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/cst-injection-csti.md)
  - [Command Injection](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a05-injection/command-injection.md)
- [A04 Cryptographic Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures.md)
  - [Weak Algorithms and Inadequate Hashing](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/weak-algorithms-and-inadequate-hashing.md): CWE-327, CWE-326, CWE-328, CWE-759, CWE-760, CWE-916, CWE-780
  - [PRNG Failures and Predictable Secrets](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/prng-failures-and-predictable-secrets.md): CWE-330, CWE-331, CWE-332, CWE-334, CWE-335, CWE-336, CWE-337, CWE-338, CWE-340, CWE-342, CWE-1241
  - [Cryptographic Failure](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/cryptographic-failure.md): this lab covers several basic CWEs, including CWE-327, CWE-759, CWE-916, CWE-319, CWE-523
  - [Weak Encoding for Password](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/weak-encoding-for-password.md): CWE-261
  - [Improper Following of a Certificate's Chain of Trust](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/improper-following-of-a-certificates-chain-of-trust.md)
    - [Understanding Digital Certificates: Self-Signed and CA-Signed Certificate \*\*](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/improper-following-of-a-certificates-chain-of-trust/understanding-digital-certificates-self-signed-and-ca-signed-certificate.md): extra knowledge
    - [Transport Layer Security (TLS) and SSL \*\*](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/improper-following-of-a-certificates-chain-of-trust/transport-layer-security-tls-and-ssl.md): extra knowledge
  - [Clear Text Transmission of Sensitive Data](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/clear-text-transmission-of-sensitive-data.md)
    - [SSL Stripping \*\*](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/clear-text-transmission-of-sensitive-data/sslstripping.md): extra knowledge
  - [Cryptographic Key Management and Implementation](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a04-cryptographic-failures/cryptographic-key-management-and-implementation.md): CWE-321, CWE-322, CWE-323, CWE-324, CWE-523, CWE-325, CWE-347, CWE-757, CWE-1240
- [A03 Software Supply Chain Failures](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a03-software-supply-chain-failures.md)
  - [Use of Obsolete Function](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a03-software-supply-chain-failures/use-of-obsolete-function.md)
  - [Vulnerable and Outdated Components](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a03-software-supply-chain-failures/vulnerable-and-outdated-components.md): scenarios cover CWE-1035, CWE-1329, CWE-1357, CWE-1104, CWE-1395
- [A02 Security Misconfiguration](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration.md)
  - [Cookie Security](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/cookie-security.md)
  - [XML External Entity](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/xml-external-entity.md)
  - [Improper Model Validation](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/improper-model-validation.md)
  - [Data Transmission Without Encryption](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/data-transmission-without-encryption.md)
  - [CORS Misconfiguration](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/cors-miscofigration.md)
  - [Mail Server Misconfiguration](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/mail-server-misconfiguration.md)
  - [Debug Binary Misconfiguration](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/debug-binary-misconfiguration.md)
  - [Exposure of Sensitive Information Through Environment Variables](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a02-security-misconfiguration/exposure-of-sensitive-information-through-environment-variables.md)
- [A01 Broken Access Control](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control.md)
  - [Path Traversal](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/path-traversal.md)
  - [Open Redirect](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/open-redirect.md)
  - [Symlink or Hard Link Following](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/symlink-or-hard-link-following.md)
  - [Confused Deputy](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/confused-deputy.md)
  - [Incorrect Default Permissions](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/incorrect-default-permissions.md)
  - [Forced Browsing](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/forced-browsing.md)
  - [Server-Side Request Forgery (SSRF)](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/server-side-request-forgery-ssrf.md)
  - [CSRF](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/csrf.md)
    - [Sensitive Cookie with Improper SameSite Attribute](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/csrf/sensitive-cookie-with-improper-samesite-attribute.md)
    - [CSRF Checklist](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/csrf/csrf-checklist.md)
  - [Checklists](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists.md)
    - [ATO](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists/ato.md)
    - [IDOR Checklist](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists/idor-checklist.md)
    - [Admin Panel Checklist](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists/admin-panal-checklist.md)
    - [Business Logic Checklist](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists/bussiness-logic-checklist.md)
    - [403 Bypass](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/checklists/403-bypass.md)
  - [Mass Assignment](https://ahmed-tarek.gitbook.io/security-notes/owsap-top-10-2025/a01-broken-access-control/mass-assignment.md)

