The OWASP Top 10 is not a compliance checklist - it is a risk-ranked map of the vulnerabilities most commonly exploited in real-world web application attacks. Understanding what each category actually means in code, and how it gets found in testing, is far more valuable than treating it as a box-ticking exercise.
A01 - Broken Access Control
The top category for several years running, and for good reason. Broken access control covers a wide range of failures: horizontal privilege escalation (accessing another user's data), vertical privilege escalation (accessing admin-only functions), missing function-level authorisation checks, and insecure direct object references.
Testing approach: map all authenticated endpoints, then replay requests with different session tokens. Look for any response where the server returns data belonging to a different user or performs an action beyond the caller's role.
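The two failure modes above, an insecure direct object reference and a missing function-level check, beside their enforced versions. This is an added example, not code from the original article; the users, roles and documents are constructed in-memory data, and `replay_as` mirrors the replay-with-another-session test described above.

```python
# Added example (not from the original article): object-level and function-level
# authorisation checks over constructed in-memory users and documents.
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: every document records its owner.
DOCUMENTS = {
    101: {"owner_id": 1, "body": "alice's tax return"},
    102: {"owner_id": 2, "body": "bob's medical record"},
}


def get_document_insecure(caller: User, doc_id: int) -> str:
    """Insecure direct object reference: the id is trusted, the owner is never checked."""
    return DOCUMENTS[doc_id]["body"]


def get_document(caller: User, doc_id: int) -> str:
    """Object-level check: the caller must own the document or hold the admin role.
    A missing document and a foreign one produce the same error, so the response
    does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc["owner_id"] != caller.user_id and caller.role != "admin"):
        raise Forbidden(f"user {caller.user_id} may not read document {doc_id}")
    return doc["body"]


def require_role(role: str):
    """Function-level check enforced on the server, not by hiding a menu item."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(caller: User, *args, **kwargs):
            if caller.role != role:
                raise Forbidden(f"{handler.__name__} requires role {role!r}")
            return handler(caller, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_user(caller: User, target_id: int) -> str:
    return f"user {target_id} deleted by {caller.user_id}"


def replay_as(doc_id: int, other: User) -> dict:
    """Mirrors the testing approach above: replay the same request with another user's
    session and record whether each implementation returns data that is not theirs."""
    results = {}
    for name, fn in (("insecure", get_document_insecure), ("checked", get_document)):
        try:
            fn(other, doc_id)
            results[name] = "leaked"
        except Forbidden:
            results[name] = "denied"
    return results
```

The deny-by-default shape matters: the check lives next to the data access, not in the UI layer, and the error for "does not exist" and "not yours" is the same so an enumeration of ids learns nothing.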
A02 - Cryptographic Failures
Formerly called "Sensitive Data Exposure", this category focuses on failures in the underlying cryptography - or the absence of it. Transmitting sensitive data over unencrypted channels, using outdated algorithms (MD5, SHA-1), storing passwords without proper hashing, and weak key management all fall here.
Testing approach: inspect all data transmission for use of TLS. Review storage mechanisms for passwords, tokens, and PII. Check cipher suite configurations.
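What "proper hashing" looks like next to the unsalted fast hash the category warns against, with a small audit helper for the storage review step. This is an added example, not code from the article; the format string and iteration count are choices made here (the count follows the OWASP password storage guidance for PBKDF2-HMAC-SHA256).

```python
# Added example (not from the original article): salted, slow password hashing with
# constant-time verification, beside unsalted MD5, plus a check for stored hashes.
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune upward as hardware allows


def weak_hash(password: str) -> str:
    """Unsalted, fast: identical passwords collide and offline cracking is cheap."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes with the stored salt and iteration count; compares in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_stored_hash(stored: str) -> list:
    """The storage-review questions: is it salted, is it slow, is the algorithm approved?"""
    findings = []
    parts = stored.split("$")
    if len(parts) != 4:
        findings.append("unrecognised format; likely an unsalted fast hash")
        return findings
    algo, iterations, salt_hex, _ = parts
    if algo != "pbkdf2_sha256":
        findings.append(f"algorithm {algo!r} is not an approved password KDF")
    if int(iterations) < 100_000:
        findings.append(f"iteration count {iterations} is too low")
    if len(salt_hex) < 32:
        findings.append("salt shorter than 16 bytes")
    return findings
```

Argon2id or bcrypt are the usual first choices in production; PBKDF2 is used here only because it is in the standard library. The important properties are the same: a random per-user salt, a work factor that makes guessing slow, and a comparison that does not leak timing.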
A03 - Injection
SQL injection may no longer be the dominant web vulnerability it once was, but injection as a category - covering SQL, NoSQL, LDAP, OS command, expression language, and template injection - remains critically important. Modern ORMs have significantly reduced classic SQL injection, but server-side template injection and command injection in DevOps tooling remain common.
Testing approach: identify all input vectors that reach a backend system. Test with payloads crafted for each backend technology, including time-based blind variants where direct output is not visible.
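The same lookup built by string concatenation and with a bound parameter, run on a constructed in-memory SQLite table, with the OS-command counterpart alongside. This is an added example, not code from the article; the table, rows and `ping_argv` helper are constructed for it. An ordinary surname containing an apostrophe is enough to show that the concatenated version is parsing user input as SQL.

```python
# Added example (not from the original article): the same lookup written with string
# concatenation and with a bound parameter, run against a constructed in-memory SQLite
# database, plus the OS-command equivalent (argv list, no shell, validated argument).
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("Alice", "alice@example.com"), ("O'Brien", "obrien@example.com")])
    return conn


def find_user_concatenated(conn, name: str):
    """Vulnerable: the value is spliced into the SQL text, so a quote in the input
    changes the statement. An apostrophe in a surname already breaks it."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, name: str):
    """Safe: the value travels separately from the statement and is never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> dict:
    """Runs both forms on the same input; reports the error the concatenated one raises, if any."""
    conn = make_db()
    out = {}
    try:
        out["concatenated"] = find_user_concatenated(conn, name)
    except sqlite3.Error as exc:
        out["concatenated"] = f"error: {exc}"
    out["parameterised"] = find_user_parameterised(conn, name)
    return out


HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")  # no leading '-': blocks option injection


def ping_argv(host: str) -> list:
    """OS-command counterpart: validate the value, then pass it as one argv element, no shell."""
    if not HOSTNAME.match(host):
        raise ValueError(f"invalid hostname {host!r}")
    return ["ping", "-c", "1", host]  # run with subprocess.run(argv, shell=False)
```

The ORM point in the paragraph above applies here too: an ORM is a parameterised query under the hood, and the risk returns the moment raw SQL strings or template strings are assembled by hand.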
A04 - Insecure Design
This category addresses flaws that cannot be fixed with a patch - they require redesign. Missing rate limiting on authentication flows, predictable resource IDs, workflows that allow state to be manipulated, and business logic that can be abused all fall here.
Testing approach: model the intended application flow, then systematically attempt to violate assumptions. Test what happens when steps are skipped, repeated, or executed out of order.
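A server-side state machine for a constructed checkout flow, which is the design-level answer to steps being skipped, repeated or run out of order. This is an added example, not code from the article; the step names and allowed transitions are invented for it, and `replay_sequence` plays the role of the tester feeding a client-chosen order of requests.

```python
# Added example (not from the original article): explicit workflow state held on the
# server, so the client cannot choose which step comes next.
import secrets
from enum import Enum


class Step(Enum):
    CART = "cart"
    ADDRESS = "address"
    PAYMENT = "payment"
    CONFIRMED = "confirmed"


# The only transitions the design allows; everything else is a violation.
TRANSITIONS = {
    Step.CART: {Step.ADDRESS},
    Step.ADDRESS: {Step.PAYMENT},
    Step.PAYMENT: {Step.CONFIRMED},
    Step.CONFIRMED: set(),
}


class Checkout:
    def __init__(self):
        self.state = Step.CART
        self.history = [Step.CART]
        # Unpredictable order reference rather than a sequential integer.
        self.order_ref = secrets.token_urlsafe(16)

    def advance(self, requested: Step) -> Step:
        """Accepts only the next legal step; skipping, repeating and reordering all fail here."""
        if requested not in TRANSITIONS[self.state]:
            raise ValueError(f"cannot go from {self.state.value} to {requested.value}")
        self.state = requested
        self.history.append(requested)
        return self.state


def replay_sequence(steps) -> list:
    """Feeds a client-chosen sequence of steps and records accept/reject for each."""
    checkout = Checkout()
    outcome = []
    for step in steps:
        try:
            checkout.advance(step)
            outcome.append((step.value, "accepted"))
        except ValueError:
            outcome.append((step.value, "rejected"))
    return outcome
```

The point is that the legal order is data on the server, not an assumption spread across handlers; a tester who posts the confirmation step first gets a refusal rather than a free order.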
A05 - Security Misconfiguration
Default credentials, overly permissive CORS policies, unnecessary HTTP methods enabled, verbose error messages exposing stack traces, default admin interfaces left exposed - misconfiguration is ubiquitous because it requires active effort to avoid.
Testing approach: probe all configuration surface systematically. Check HTTP headers, CORS policy, error handling, and exposed administrative interfaces.
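An explicit CORS allow-list next to the reflect-any-origin pattern, and a small audit of the headers a tester looks at in a captured response. This is an added example, not code from the article; the allow-listed origin, required header list and sample responses are constructed for it.

```python
# Added example (not from the original article): an explicit CORS allow-list beside the
# reflect-any-origin pattern, and a response-header audit over constructed headers.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allow-list: scheme + host, no path
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options", "Content-Security-Policy")


def cors_headers_reflecting(origin: str) -> dict:
    """Misconfiguration: whatever Origin the client sends is echoed back with credentials,
    which lets any site make credentialed cross-origin requests."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin: str) -> dict:
    """Exact-match allow-list. Anything else ('null', look-alike hosts, origins with a
    path) gets no CORS headers at all."""
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment or not parts.netloc:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc}".lower()
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # caches must not serve one origin's answer to another


def audit_response(headers: dict, request_origin: str) -> list:
    """The checks applied to a captured response: CORS policy, hardening headers, version leaks."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    credentials = lower.get("access-control-allow-credentials") == "true"
    if acao == "*" and credentials:
        findings.append("wildcard origin combined with credentials")
    if acao and acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("request origin reflected without an allow-list")
    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing {name}")
    server = lower.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header discloses version: {server}")
    return findings
```

The reflecting variant is the one that shows up in real findings most often because it "works" during development for every origin; the allow-list version makes the set of trusted origins an explicit, reviewable value.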
A06 - Vulnerable and Outdated Components
Your application is only as secure as its dependencies. Third-party libraries, frameworks, and runtime environments with known CVEs are a significant source of exploitable risk, particularly when organisations lack visibility into their full dependency tree.
Testing approach: enumerate all components and their versions. Cross-reference against known vulnerability databases. Assess exploitability in the context of the specific application.
A07 - Identification and Authentication Failures
Weak passwords accepted, credential stuffing not prevented, insecure "forgot password" flows, tokens that don't expire, session IDs that don't rotate on authentication - authentication failures give attackers a direct path to impersonation.
Testing approach: test all authentication flows including password reset and account recovery. Probe for rate limiting weaknesses. Inspect token entropy and expiry.
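A session store that rotates the identifier on authentication, expires idle sessions server-side, and applies a per-account failure budget so credential stuffing is throttled. This is an added example, not code from the article; the limits and window are invented values, and the clock is injectable so the behaviour can be checked without waiting.

```python
# Added example (not from the original article): session rotation on login, idle
# expiry, high-entropy identifiers and a per-account failed-login budget.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

SESSION_TTL = 15 * 60     # seconds of inactivity before a session dies (constructed value)
MAX_FAILURES = 5          # failed logins allowed per account per window (constructed value)
FAILURE_WINDOW = 10 * 60  # seconds


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; never a counter, timestamp or hash of the username."""
    return secrets.token_urlsafe(32)


@dataclass
class Session:
    user: Optional[str]
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable so tests can advance time
        self.sessions: Dict[str, Session] = {}
        self.failures: Dict[str, List[float]] = {}  # account -> recent failure times

    def start_anonymous(self) -> str:
        sid = new_session_id()
        self.sessions[sid] = Session(None, self.clock())
        return sid

    def login_allowed(self, account: str) -> bool:
        """Sliding-window failure budget per account; the throttle the category says is often missing."""
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t < FAILURE_WINDOW]
        self.failures[account] = recent
        return len(recent) < MAX_FAILURES

    def authenticate(self, pre_login_sid: str, account: str, password_ok: bool) -> Optional[str]:
        """On success the pre-login id is destroyed and a fresh one issued (defeats session fixation)."""
        if not self.login_allowed(account):
            return None
        if not password_ok:
            self.failures.setdefault(account, []).append(self.clock())
            return None
        self.sessions.pop(pre_login_sid, None)
        sid = new_session_id()
        self.sessions[sid] = Session(account, self.clock())
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Idle sessions expire server-side regardless of what the cookie claims."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > SESSION_TTL:
            del self.sessions[sid]
            return None
        session.last_seen = now
        return session.user
```

Note that a locked-out account refuses even the correct password until the window passes; that is deliberate, and it is exactly the behaviour a tester probes for when checking "rate limiting weaknesses".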
A08 - Software and Data Integrity Failures
This category covers CI/CD pipeline attacks, insecure deserialisation, and applications that trust unsigned updates or data from external sources without verifying them. Supply chain attacks have made it increasingly prominent.
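An update manifest that is accepted only after its integrity tag verifies, and parsed as plain JSON rather than handed to a native object deserialiser. This is an added example, not code from the article; the key, manifest fields and tag format are constructed for it. HMAC is used to stay inside the standard library; a real update channel would use an asymmetric signature so the verifying side holds no secret.

```python
# Added example (not from the original article): verify-then-parse for external data.
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def sign_manifest(manifest: bytes, key: bytes = SIGNING_KEY) -> str:
    """The tag the publishing side attaches to the manifest bytes."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def load_verified(manifest: bytes, tag, key: bytes = SIGNING_KEY) -> dict:
    """Verify first, parse second. A missing or wrong tag is rejected before the data is read."""
    expected = sign_manifest(manifest, key)
    if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    # JSON only: never pickle, yaml.load or a native object stream on external input.
    data = json.loads(manifest)
    if not isinstance(data, dict) or "version" not in data or "sha256" not in data:
        raise ValueError("manifest missing required fields")
    return data


def load_unverified(manifest: bytes) -> dict:
    """The failure the category describes: external data trusted as-is."""
    return json.loads(manifest)


def apply_update(manifest: bytes, tag, verify: bool = True) -> str:
    """Returns the version that would be installed, or 'rejected'."""
    try:
        data = load_verified(manifest, tag) if verify else load_unverified(manifest)
    except ValueError:
        return "rejected"
    return data["version"]
```

The `sha256` field in the manifest is where the hash of the artefact itself would go, so that the signed manifest also pins the download; the example stops at the manifest because that is where the trust decision is made.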
A09 - Security Logging and Monitoring Failures
These failures are not directly exploitable in isolation, but they are critical for detecting and responding to attacks. Applications that don't log authentication failures, that log sensitive data in plaintext, or that have no alerting on anomalous behaviour give attackers extended dwell time.
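Detection logic run over constructed authentication log lines: a parser, a simple alert for many failures against many accounts from one source, and redaction of secrets before a message is written. This is an added example, not code from the article; the log format, thresholds and sample lines are invented for it.

```python
# Added example (not from the original article): a parser for constructed auth log lines,
# an alert for bursts of failures from one source, and redaction of secrets before logging.
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth failure user=alice ip=203.0.113.7
2024-03-01T10:00:02Z auth failure user=bob ip=203.0.113.7
2024-03-01T10:00:03Z auth failure user=carol ip=203.0.113.7
2024-03-01T10:00:04Z auth failure user=dave ip=203.0.113.7
2024-03-01T10:00:05Z auth success user=alice ip=198.51.100.2
2024-03-01T10:00:06Z auth failure user=erin ip=203.0.113.7
2024-03-01T10:00:07Z auth failure user=frank ip=203.0.113.7
not a log line
"""


def parse(log: str):
    """Yields one dict per well-formed line; malformed lines are skipped, not crashed on."""
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def failures_by_ip(log: str) -> dict:
    counts = defaultdict(lambda: {"failures": 0, "users": set()})
    for ev in parse(log):
        if ev["outcome"] == "failure":
            counts[ev["ip"]]["failures"] += 1
            counts[ev["ip"]]["users"].add(ev["user"])
    return dict(counts)


def alerts(log: str, threshold: int = 5, distinct_users: int = 3) -> list:
    """Many failures against many accounts from one source is the credential-stuffing
    shape; one account failing repeatedly from one source is the brute-force shape."""
    out = []
    for ip, c in sorted(failures_by_ip(log).items()):
        if c["failures"] >= threshold and len(c["users"]) >= distinct_users:
            out.append(f"possible credential stuffing from {ip}: "
                       f"{c['failures']} failures across {len(c['users'])} accounts")
    return out


SECRET_FIELDS = re.compile(r"\b(password|token|authorization)=([^&\s]+)", re.IGNORECASE)


def redact(message: str) -> str:
    """Applied before the message is written: secrets logged in plaintext are themselves a finding."""
    return SECRET_FIELDS.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
```

None of this is possible if the failure events are never logged in the first place, which is the first thing to check: a login handler that records only successes gives the detection above nothing to work with.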
A10 - Server-Side Request Forgery (SSRF)
SSRF allows an attacker to induce a server to make requests to unintended destinations - internal services, cloud metadata endpoints, or other infrastructure that wouldn't otherwise be accessible. With cloud-native architectures, SSRF can be particularly impactful when it reaches the instance metadata service.
Testing approach: identify all server-side URL fetching. Test for internal network access, cloud metadata endpoint access, and protocol handling edge cases.
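The destination checks a server should apply before fetching a user-supplied URL: scheme and host allow-lists, rejection of IP literals (including the IPv4-mapped IPv6 form), and a check of the resolved addresses against private, link-local and metadata ranges. This is an added example, not code from the article; the allow-listed hosts and the resolver answers are constructed so it runs offline.

```python
# Added example (not from the original article): destination checks applied before any
# server-side fetch. Allow-lists and the resolver are constructed so the code runs offline.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed allow-list
METADATA_ADDRESS = ipaddress.ip_address("169.254.169.254")  # cloud instance metadata service


def is_forbidden_address(addr) -> bool:
    """Private, loopback, link-local, multicast, reserved and the metadata address are off-limits."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is checked as the IPv4 address it wraps
    return (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified or addr == METADATA_ADDRESS)


def validate_fetch_url(url: str, resolver) -> str:
    """Returns the URL if it may be fetched, else raises ValueError naming the reason.
    resolver(host) returns the list of IP strings the host resolves to (injected so the
    example needs no network). The same address check must be repeated on the socket
    actually opened, or DNS rebinding can change the answer between validation and connect."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    literal = None
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        pass
    if literal is not None:
        raise ValueError("IP literals not allowed; use an allow-listed hostname")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} not in allow-list")
    for ip in resolver(host):
        if is_forbidden_address(ipaddress.ip_address(ip)):
            raise ValueError(f"{host} resolves to forbidden address {ip}")
    return url
```

The allow-list of hostnames does most of the work; the address checks are the second layer for the case where an allow-listed name is pointed, deliberately or by mistake, at something internal. Disabling redirects on the outbound client, or re-validating each hop, closes the remaining gap.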
Understanding these categories in depth - and how they manifest in modern frameworks and deployment patterns - is the foundation of effective application security. Automated testing can detect many of these categories systematically and consistently; the more nuanced logic flaws in A04 and A07 benefit most from human-guided review.