OWASP Top 10:2025, BOLA and XSS as major business risks

If you want to go deeper into practical security testing, also read GraphQL security testing with Playwright, why security testing became a key hard skill for SDET, and how to build a practical Application Security learning path.

Why the OWASP Top 10:2025 update matters for business

Updated for July 2026. In November 2025, the new OWASP Top 10 was announced at the OWASP Global AppSec Conference in Washington, DC. In January 2026, the final OWASP Top 10:2025 release became available, and it is now the active reference point for modern web application and API risk discussions.

For business leaders, this is not just another security list. It is a practical signal that the threat landscape keeps shifting, while many engineering teams still rely too much on generic scanners and not enough on real understanding of product logic, authorization rules, and browser-side risk. The result is predictable: some of the most expensive incidents still come from vulnerabilities that are simple to exploit and surprisingly hard to detect automatically.

That is why the important question in 2026 is no longer “Do we have security tools?” but “Can our team find the risks that security tools do not truly understand?” If the answer is unclear, the company is already exposed. A CI pipeline can look mature, dependencies can be scanned, and external pentests can still leave a dangerous gap if the team does not know how to test trust boundaries, ownership checks, and unsafe rendering paths.

The business takeaway: OWASP Top 10:2025 reinforces what strong AppSec teams already see in production. Broken access control and browser-side injection are still among the highest-impact risks because they target the core trust model of the product.

What changed in OWASP Top 10:2025

If you compare the 2021 and 2025 editions, a few movements stand out immediately. Some categories moved up or down, and new focus areas entered the ranking. But the important thing for a CTO or engineering manager is not just the order itself. The real value lies in the management conclusions behind those changes.

Rank OWASP Top 10 2021 OWASP Top 10 2025
#1 Broken Access Control Broken Access Control
#2 Cryptographic Failures Security Misconfiguration
#3 Injection Software Supply Chain Failures
#4 Insecure Design Cryptographic Failures
#5 Security Misconfiguration Injection
#10 Server-Side Request Forgery Mishandling of Exceptional Conditions

At leadership level, the message is clear. First, Broken Access Control remains number one, which means authorization errors are still the most dangerous and most common product-level risk class. Second, Injection moved down, but that does not mean XSS or related payload-driven problems became harmless. It means other categories, especially misconfiguration and supply-chain risk, became even more visible.

The addition of Software Supply Chain Failures makes sense in a world built on open-source packages, CI pipelines, container images, and distributed delivery workflows. The new emphasis on Mishandling of Exceptional Conditions is also important: fail-open logic, weak error handling, and unsafe exceptional states can create serious abuse paths even when the normal path looks secure.

  • BOLA lives inside the highest-ranked category. It is not a niche API issue. It is a core business risk.
  • XSS still lives inside Injection. Browser-side execution and token theft remain very real attack patterns.
  • Automation without human understanding is not enough. Many teams can run tools, but fewer teams can test the trust model of the product itself.

Why BOLA remains the number one threat in 2026

BOLA (Broken Object Level Authorization) happens when the system confirms that a user is authenticated, but fails to confirm whether that same user is allowed to access a specific object. That object can be a profile, invoice, draft, order, support ticket, transaction, wallet, document, tenant-scoped record, or any business entity exposed through the API.

In practice, the exploitation is often painfully simple. A user opens a valid request to their own object, changes the identifier, and suddenly gets access to someone else’s data. If the API returns HTTP 200 with another person’s payload, the company already has a real problem: data leakage, tenant isolation failure, abusive content modification, privilege confusion, or exposure of sensitive records.

GET /api/users/123   -> owner's data
GET /api/users/456   -> another user's data

The system validated the token.
The system did not validate access rights to object 456.

That is why BOLA is so dangerous. Being logged in is not enough. The system must validate who is making the request, which object is being requested, which role or ownership rule applies, and whether the action is valid in the current tenant, workflow state, and business context.

Why scanners are bad at finding BOLA

SAST can read code, but it does not understand your domain model. It does not know whether a support operator should see a customer’s contract, whether a teacher should access another student’s progress, or whether an affiliate manager should view another partner’s commission records. It sees patterns. It does not see business ownership.

DAST has a different limitation. If it sends a request, receives HTTP 200, and gets a valid-looking JSON document back, it often cannot infer that the payload belongs to the wrong user. For the scanner, the request “worked.” For a human who understands the product, it is a critical access-control failure.

That is why BOLA belongs to the class of vulnerabilities that teams must learn to find manually first and then convert into their own regression tests. This is exactly where strong AppSec, API Security, or QA Automation specialists create disproportionate value: they turn product logic into repeatable negative checks.

Why business leaders should care so much about BOLA

OWASP and API Security research have repeatedly highlighted object-level authorization issues as one of the largest and most expensive sources of API risk. That makes sense. Modern products are API-first, mobile-heavy, multi-tenant, role-driven, and increasingly distributed. Every additional object and every additional role creates another place where a developer can make the wrong assumption.

BOLA is especially dangerous because it rarely “looks like hacking” in logs. The user is authenticated. The token is valid. The endpoint is legitimate. The request structure is normal. That is why many companies discover the problem only after a customer complaint, a bug bounty report, or a full-blown external incident.

BOLA is not only a data leak risk. It is a trust-model failure. It tells the business that the product may not correctly understand who is allowed to touch which business objects and under what conditions.

Why XSS is still critical in 2026

On paper, Injection moving from number three to number five can mislead people into thinking that XSS is becoming less relevant. That is the wrong conclusion. XSS is not safer in 2026. It is simply competing with a wider set of visible product risks. SPAs, admin panels, partner portals, dashboards, internal operations tools, and rich-content surfaces remain exposed to reflected, stored, and DOM-based XSS.

In real systems, XSS shows up in unsafe HTML rendering, weak markdown handling, badly sanitized content, third-party widgets, analytics snippets, user-generated templates, and dangerous DOM manipulation. Teams often assume that the framework will “just handle it,” but once custom rendering paths or browser-side mutations appear, that assumption becomes fragile very quickly.

The business impact of XSS goes far beyond a demo popup. In a mature attack chain, XSS can lead to stolen session data, stolen JWTs, abuse of a privileged browser session, hidden administrative actions, or execution of malicious flows on behalf of a legitimate user. If the victim is an operator or admin, the impact escalates even faster.

Why XSS belongs next to BOLA in the same conversation

These are different vulnerability classes, but in real attack chains they often support each other. XSS can provide token access, session abuse, or browser-side action execution. Once the attacker can act as a valid user, BOLA opens the next step: horizontal movement across business objects in the API.

  • XSS opens the front door: it gives code execution inside the victim’s browser context.
  • BOLA opens the internal rooms: it lets the attacker move across objects they should not see or modify.
  • Together they turn a local bug into a real business incident.

That is why a training program that combines BOLA and XSS has strong practical logic. It teaches the team to think in complete exploitation paths, from browser-side injection to API-side authorization failure.

Why BOLA and XSS should be taught together instead of in separate silos

Many companies train teams in fragments: secure coding in one session, frontend hygiene in another, API testing somewhere else, and pentest awareness as a separate topic. The result is often false confidence. Everyone learns their own piece, but very few people see how those pieces connect into an actual attack path.

When developers, QA engineers, and tech leads see BOLA and XSS in the same learning flow, they begin to understand risk architecture much better. Frontend engineers see how unsafe rendering can become the start of API abuse. Backend engineers see that a valid JWT is not the same thing as valid object-level authorization. QA Automation and SDET engineers see which scenarios should become repeatable negative checks inside the pipeline.

From a business perspective, that is much more valuable than two disconnected classes. The team leaves with a practical model of where to look, how to reproduce, what to fix, and which controls should show up in code review, test design, and CI/CD.

Real cases and market signals in 2025–2026

One of the strongest arguments for this kind of training is that BOLA and XSS are not abstract lab problems. They continue to appear in real products, CMS platforms, internal tools, and even widely trusted libraries. Publicly discussed cases from 2025 and 2026 show how a single logic flaw in an API can expose large amounts of data, and how an XSS issue in a broadly used component can create downstream risk across many integrations.

Incident What happened Business lesson
Sapphos (2025) A BOLA-like issue exposed data from thousands of users over a short period. An API can look healthy and still be critically unsafe at the authorization layer.
StudioCMS (2026) Access-control mistakes allowed editing of drafts and content owned by other users. Even non-payment objects can become sources of sabotage, privacy risk, and reputation damage.
OWASP Java HTML Sanitizer (2026) Even mature sanitization libraries can end up with XSS-relevant weaknesses or bypasses in real scenarios. You cannot outsource all responsibility to a library. Context-aware review still matters.

AppSec teams and API Security vendors have been repeating the same point for years: logical vulnerabilities are not discovered automatically with the same confidence as technical pattern-based flaws. That is why expert commentary from sources such as 42Crunch, Akto, and AppSecEngineer keeps returning to the importance of role analysis, ownership validation, and business-context testing.

In process terms, the message is simple. Business does not just need a yearly pentest. It needs a team that knows how to search for these issues before release: during API design, code review, threat modeling, negative testing, and privilege review. Without that, even good external tools only provide partial coverage.

What one incident really costs

When companies say, “We are not ready to invest in practical security training,” the fastest way to reframe the discussion is to speak in incident economics. IBM’s 2025 data breach cost reporting put the average breach cost at around $4.88 million. That is already a large number, but the real figure for a specific business can be higher depending on customer sensitivity, region, compliance exposure, and business interruption.

If the company handles EU user data or any sensitive customer information, the purely technical damage is only part of the picture. GDPR fines can reach 20 million euros or 4% of annual global turnover. And even before the formal penalty stage, the incident triggers a chain of expensive activities.

Cost area Typical range
Incident investigation $50,000 – $200,000
Customer and partner notification $100,000 – $500,000
Legal, compliance, and external advisors $200,000 – $1M
Regulatory penalties up to $20M+
Customer churn and reputation repair from $500,000 upward
Total $1M – $20M+ and sometimes much more

Against that backdrop, 10,000 euros for focused practical training is not an expensive line item. It is a low-cost way to reduce the probability of a very expensive mistake, especially for teams building API-heavy systems, tenant-separated platforms, client portals, internal consoles, payment workflows, or data-sensitive products.

The business is not really buying “10 hours of lectures.” It is buying better engineering decisions, better code review, more useful security test cases, fewer blind spots in the API, and less dependence on tools that cannot reason about your ownership model.

What a 10-hour training program can look like

If this training is done properly, it should not be a theoretical overview of vulnerability names. It should be a compact, hands-on business program tied to real product patterns. A strong structure is two five-hour blocks: the first day focused on BOLA and authorization logic, the second focused on XSS and browser-side exploitation.

Day 1. BOLA and object-level authorization in APIs

  • Module 1: what BOLA is, why it sits inside A01 in OWASP Top 10:2025, and where teams confuse authentication with authorization.
  • Module 2: lab work on finding BOLA in a realistic API: ID substitution, horizontal and vertical privilege abuse, ownership analysis, tenant isolation, and unsafe bulk actions.
  • Module 3: defense patterns: object-level checks, defensive design, identifier strategy, denied-access logging, and negative tests in CI.

Day 2. XSS and browser-side exploitation

  • Module 1: reflected, stored, and DOM XSS in 2026, plus why SPA frameworks do not guarantee automatic safety.
  • Module 2: hands-on exploitation: unsafe sinks, sanitization bypass thinking, dangerous third-party scripts, and realistic impact on business workflows.
  • Module 3: defense: context-aware escaping, CSP, secure rendering, security headers, and review checklists for frontend and backend teams.

In the best version of this program, the team leaves not only with notes but with concrete artifacts they can reuse immediately:

  • a code review checklist for authorization and rendering risks;
  • attack scenarios customized to the product’s own API and UI patterns;
  • an example BOLA regression test that can be added to the pipeline;
  • a practical XSS review checklist for rich-content and UI flows;
  • updates to the team’s internal secure coding guidance.

That is what makes the training business-relevant rather than academic. Leadership does not need people who “heard about OWASP.” Leadership needs new controls showing up in design reviews, code review, and CI/CD within days after the training.

What the business gets after this kind of training

Good security training does not pay off through certificates or pretty slides. It pays off through changed engineering behavior. After a strong practical BOLA and XSS workshop, developers think differently about ownership and trust boundaries. QA and SDET engineers stop limiting themselves to happy-path automation and begin writing negative security scenarios. Team leads become more precise about what must be challenged during review.

  • Developers catch BOLA and XSS earlier. Not after a pentest and not after an incident, but during feature implementation.
  • The team depends less on scanner blind spots. They know what must be checked manually and what should become custom automation.
  • Code review becomes sharper. Shared criteria appear for ownership checks, rendering paths, and risky integrations.
  • A security regression pack starts to exist. Critical attack paths stop living only in a pentest report and start living in the pipeline.
  • CTOs get a more predictable risk profile. Fewer surprises, fewer “we did not realize this action could be called that way.”

The most important shift is that the team stops confusing two very different conditions: “the user is successfully authenticated” and “the user is allowed to touch this exact object and perform this exact action.” A huge percentage of expensive API incidents is built on that confusion.

What a CTO or security lead should do next

If you read OWASP Top 10:2025 without illusions, the conclusion is straightforward. BOLA and XSS are not outdated classroom examples. They are active, commercially dangerous vulnerability classes that still reach production and are still missed by automation when the team lacks product-level security thinking.

For a CTO, the core question should not be “Do we have a scanner?” but “Can our team recognize where a user crosses into another person’s object, and where the browser starts executing untrusted content?” If that answer is weak, the exposure already exists.

A practical next step is to run a focused internal self-assessment on both API and frontend trust boundaries, then build hands-on training around those same findings. That is faster and cheaper than waiting for an external incident, explaining it to lawyers, and apologizing to customers after the fact.

If one developer ships a BOLA or XSS flaw, the downstream cost can easily exceed the annual training budget for the whole team. That is why investing in practical AppSec training pays back at the moment of the first incident that never happens.

To continue this topic, it makes sense to also read the GraphQL security testing guide, how to embed security checks into the SDET stack, and how automation engineers can move into AppSec and DevSecOps.

Related articles

Sources for independent review

  • OWASP Top 10:2025 release materials and OWASP Global AppSec announcement context.
  • OWASP API Security Top 10:2023 for BOLA as a core API authorization risk.
  • Research and expert commentary from 42Crunch, Akto, and AppSecEngineer on logical API vulnerabilities.
  • Public XSS-related case materials, including OWASP Juice Shop and sanitizer-library discussions.
  • IBM Cost of a Data Breach 2025 and public GDPR fine guidance.

If you want to assess how ready your team really is for BOLA and XSS risk, message me on Telegram.

I help companies audit REST APIs, review Broken Access Control and XSS scenarios, and run practical training sessions for developers, QA, and security teams: @faroeman.

Join the Telegram channel