Challenge config files use OWASP 2021 category IDs in expectedApproach.owaspCategory (e.g., "A03:2021 Injection").
The OASIS website analyzer and compliance report system have been updated to use OWASP Top 10 2025 natively. The CLI validator pattern is year-agnostic so it already accepts 2025 format, but the challenge JSON files themselves still reference 2021.
What needs to change:
Every owaspCategory value in challenge configs needs updating to the 2025 equivalents:
| Old (2021) | New (2025) |
|---|---|
| A01:2021 Broken Access Control | A01:2025 Broken Access Control |
| A02:2021 Cryptographic Failures | A04:2025 Cryptographic Failures |
| A03:2021 Injection | A05:2025 Injection |
| A04:2021 Insecure Design | A06:2025 Insecure Design |
| A05:2021 Security Misconfiguration | A02:2025 Security Misconfiguration |
| A06:2021 Vulnerable Components | A03:2025 Software Supply Chain Failures |
| A07:2021 Auth Failures | A07:2025 Authentication Failures |
| A08:2021 Integrity Failures | A08:2025 Software or Data Integrity Failures |
| A09:2021 Logging Failures | A09:2025 Security Logging and Alerting Failures |
| A10:2021 SSRF | A01:2025 Broken Access Control (merged) |
Note: OWASP 2025 reshuffled positions — A03 and A05 swapped, A02 and A04 swapped, A10 (SSRF) merged into A01 (BAC), and new categories added (A03 Supply Chain, A10 Exceptional Conditions).
Reference: https://owasp.org/Top10/2025/
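A migration script for the change described above, added here as an example rather than anything from the project itself. It assumes each challenge config is a JSON object whose `expectedApproach.owaspCategory` string starts with the 2021 ID (as in "A03:2021 Injection"), keys the mapping on that ID so it does not depend on the exact old label text, and uses a year-agnostic shape check in the spirit of the CLI validator mentioned in the issue (the regex is an assumption, not the validator's own).

```python
import json
import re
from pathlib import Path

# 2021 ID -> full 2025 label, from the mapping table in the issue.
OWASP_2021_TO_2025 = {
    "A01:2021": "A01:2025 Broken Access Control",
    "A02:2021": "A04:2025 Cryptographic Failures",
    "A03:2021": "A05:2025 Injection",
    "A04:2021": "A06:2025 Insecure Design",
    "A05:2021": "A02:2025 Security Misconfiguration",
    "A06:2021": "A03:2025 Software Supply Chain Failures",
    "A07:2021": "A07:2025 Authentication Failures",
    "A08:2021": "A08:2025 Software or Data Integrity Failures",
    "A09:2021": "A09:2025 Security Logging and Alerting Failures",
    "A10:2021": "A01:2025 Broken Access Control",  # SSRF merged into BAC
}

# Year-agnostic shape check (assumed; modelled on, not copied from, the CLI validator).
CATEGORY_PATTERN = re.compile(r"^A(0[1-9]|10):\d{4} \S.*$")

def migrate_category(value: str) -> str:
    """Map a 2021 owaspCategory to its 2025 label; 2025 values pass through."""
    if not CATEGORY_PATTERN.match(value):
        raise ValueError(f"malformed owaspCategory: {value!r}")
    code = value.split(" ", 1)[0]
    if code.endswith(":2025"):
        return value
    if code not in OWASP_2021_TO_2025:
        raise ValueError(f"no 2025 mapping for {code}")
    return OWASP_2021_TO_2025[code]

def migrate_config(config: dict) -> bool:
    """Rewrite expectedApproach.owaspCategory in place; True if it changed."""
    approach = config.get("expectedApproach") or {}
    old = approach.get("owaspCategory")
    if old is None:
        return False
    approach["owaspCategory"] = migrate_category(old)
    return approach["owaspCategory"] != old

def migrate_files(paths) -> int:
    """Migrate each challenge JSON file on disk; return how many were rewritten."""
    changed = 0
    for path in map(Path, paths):
        config = json.loads(path.read_text())
        if migrate_config(config):
            path.write_text(json.dumps(config, indent=2) + "\n")
            changed += 1
    return changed
```

Running it a second time is a no-op, and a malformed or unmapped value raises instead of being silently written back, so a bad config fails loudly before the validator ever sees it.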