feature: add OWASP Top 10 2025 and API Top 10 2023 standard mappings#293
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #293 +/- ##
==========================================
+ Coverage 93.44% 94.52% +1.07%
==========================================
Files 5 5
Lines 290 292 +2
==========================================
+ Hits 271 276 +5
+ Misses 19 16 -3 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Code Review Summary
Total Issues Found: 4
Critical Issues: 1
Suggestions: 1
Key Findings
-
Critical — Systemic incorrect OWASP API Top 10 mapping:
API3_2023(Broken Object Property Level Authorization) is incorrectly mapped to all injection-type vulnerabilities (15+ entries including SQL Injection, XSS, Command Injection, etc.). API3_2023 is semantically about excessive data exposure and mass assignment, not input validation/injection. These mappings should be corrected across all affected entries. -
Inconsistency in HTTP Host Header Poisoning: This entry has a different (and arguably more correct) API mapping compared to other A03_2021 injection entries, creating an inconsistency that needs resolution.
-
Unverified OWASP Top 10 2025 categories: The 2025 category values appear to use a direct number-swap from 2021 without verification against the official standard.
Please address the systemic API3_2023 mapping issue across all injection-type entries, not just the ones highlighted individually below.
| ], | ||
| "OWASP_TOP_10_2025": [ | ||
| "A03_2025" | ||
| ], |
There was a problem hiding this comment.
Bug — Incorrect OWASP API Top 10 Mapping
The mapping of SQL Injection to API3_2023 (Broken Object Property Level Authorization) appears incorrect. OWASP API Top 10 2023's API3 is specifically about excessive data exposure and mass assignment (authorization flaws), not injection vulnerabilities. SQL Injection is fundamentally an input validation/neutralization issue. The API Top 10 2023 does not have a dedicated 'injection' category since injection is covered by the general OWASP Top 10. If injection vulnerabilities must be mapped to the API Top 10, only API8_2023 (Security Misconfiguration) is arguably appropriate, as it covers broader security hygiene issues. Consider removing API3_2023 from this mapping.
⚠️ This same issue affects ALL injection-type entries in this PR (Command Injection, Code Injection, XSS, LDAP Injection, CRLF Injection, SSI Injection, Expression Language Injection, XML External Entity, Unrestricted File Upload, XPath Injection, NoSQL Injection, Server-Side Template Injection, XML Injection) — they all incorrectly map toAPI3_2023. Please review and correct all of them.
| ], | |
| "OWASP_API_TOP_10": [ | |
| "API8_2023" | |
| ] |
| "OWASP_TOP_10": [ | ||
| "A03_2021" | ||
| ], | ||
| "OWASP_TOP_10_2025": [ |
There was a problem hiding this comment.
Bug — Incorrect OWASP API Top 10 Mapping
Same issue as SQL Injection: CRLF Injection is mapped to API3_2023 (Broken Object Property Level Authorization) which is not semantically related to injection vulnerabilities. API3 covers excessive data exposure and mass assignment. CRLF Injection is an input validation issue. Consider removing API3_2023 and keeping only API8_2023 if the API mapping is needed.
| "OWASP_TOP_10_2025": [ | |
| "OWASP_API_TOP_10": [ | |
| "API8_2023" | |
| ] |
| "OWASP_TOP_10": [ | ||
| "A03_2021" | ||
| ], | ||
| "OWASP_TOP_10_2025": [ |
There was a problem hiding this comment.
Bug — Inconsistent OWASP API Top 10 Mapping
HTTP Host Header Poisoning is mapped to A03_2021 (Injection) in OWASP Top 10, but unlike other injection entries, it only gets API8_2023 without API3_2023. This is inconsistent with the pattern used for all other A03 entries (SQL Injection, XSS, Command Injection, etc.) which get both API3_2023 and API8_2023. Either this entry is missing API3_2023, or the other entries have API3_2023 incorrectly. Please ensure consistency across all entries in the same category. If the API3 mapping is indeed incorrect for injection vulnerabilities (as noted in other comments), this entry's mapping may actually be the correct one to follow.
| "OWASP_TOP_10_2025": [ | |
| "OWASP_API_TOP_10": [ | |
| "API3_2023", | |
| "API8_2023" | |
| ] |
| "M10_2024", | ||
| ] | ||
|
|
||
| OWASP_TOP_10_2025 = [ |
There was a problem hiding this comment.
Bug — Unverified OWASP Top 10 2025 Category Mapping
The OWASP Top 10 2025 category values (A01_2025 through A10_2025) appear to use a direct number-swap from OWASP Top 10 2021 (A01_2021 → A01_2025, etc.). Please verify this against the official OWASP Top 10 2025 standard definition. If the 2025 standard redefines the categories (e.g., different vulnerability types at the same position, or rearranged/reorganized categories), the per-entry mappings in the meta.json files may need to be adjusted rather than using a simple year substitution. If a documented mapping guide exists from OWASP, it should be followed instead of assuming a 1:1 correspondence.
| OWASP_TOP_10_2025 = [ | |
| # TODO(OWASP-2025): Verify category mapping against official OWASP Top 10 2025 | |
| # standard. Current values assume 1:1 correspondence with 2021 categories which | |
| # may not be accurate. Per-entry mappings in meta.json files may need adjustment. | |
| # Reference: https://owasp.org/www-project-top-ten/ | |
| OWASP_TOP_10_2025: list[str] = [ | |
| "A01_2025", | |
| "A02_2025", | |
| "A03_2025", | |
| "A04_2025", | |
| "A05_2025", | |
| "A06_2025", | |
| "A07_2025", | |
| "A08_2025", | |
| "A09_2025", | |
| "A10_2025", | |
| ] |
Summary
Added OWASP_TOP_10_2025 and OWASP_API_TOP_10 category mappings to all 123 WEB_SERVICE KB entries. Each entry with an existing OWASP_TOP_10 (2021) mapping now includes a corresponding OWASP_TOP_10_2025 value. API-relevant entries (GraphQL, injection, auth, CORS, misconfiguration, etc.) are additionally mapped to OWASP API Top 10 2023 categories.
Changes
Fixes ticket https://report.ostorlab.co/o/os/remediation/tickets/os-31440