Application Security · 2026
The OWASP Top 10 Explained in Plain English (2026)
The OWASP Top 10 is the most cited document in web security and one of the most misread. Here is each category translated into a sentence a non-specialist can understand, a real-world example of how it bites, and the one defense that matters most — with the relevant MITRE ATT&CK technique where it fits.
Quick answer
The OWASP Top 10 is a community-maintained awareness list of the ten most critical web application security risks. It is not a standard you certify against — it is the shared vocabulary engineers, auditors, and penetration testers use to talk about risk. The two highest-impact entries, broken access control and insecure design, require human judgment that scanners cannot supply.
The Open Worldwide Application Security Project publishes the Top 10 as a snapshot of the risks doing the most damage to real applications. It gets misused in two directions: people treat it as an exhaustive checklist (it is not — it is the floor), and people treat it as a compliance standard (it is not — you cannot certify against it). Used correctly, it is a coverage map and a common language.
For the short definition, see our glossary entry on what the OWASP Top 10 is. For how it differs from an automated scan, read pen test vs vulnerability scan. Below, each category gets the same three-part treatment: plain English, a real example, and the defense.
A01Broken Access Control
In plain English. The application lets a user do or see something they are not authorized to. This is now the most common high-impact web flaw.
Real-world example. A user changes the account ID in a URL from their own to a stranger's and the app happily returns the stranger's invoice — no permission check at all.
The defense. Enforce authorization on the server for every request, deny by default, and never trust an identifier supplied by the client. Test it with a low-privilege account, not an admin one.
ATT&CK link. Maps loosely to Valid Accounts (T1078) and privilege abuse once a foothold exists.
A02Cryptographic Failures
In plain English. Sensitive data is exposed because it was not encrypted, was encrypted weakly, or the keys were mishandled.
Real-world example. Passwords stored as unsalted MD5, or session tokens sent over plain HTTP on an internal admin tool that someone assumed nobody could reach.
The defense. Encrypt sensitive data in transit (TLS everywhere) and at rest, use modern algorithms and a vetted library, hash passwords with bcrypt/argon2, and manage keys in a secrets manager — never in source.
ATT&CK link. Feeds Adversary-in-the-Middle (T1557) and credential theft.
A03Injection
In plain English. Untrusted input is interpreted as a command. SQL injection is the classic, but the same flaw covers OS command, LDAP, and NoSQL injection.
Real-world example. A login form that builds a query by string concatenation, so typing ' OR '1'='1 into the username field logs an attacker in as the first user in the table.
The defense. Use parameterized queries / prepared statements and ORMs that bind parameters. Validate and encode output. Never build a query or shell command by concatenating user input.
ATT&CK link. A textbook Exploit Public-Facing Application (T1190).
A04Insecure Design
In plain English. The flaw is in the design itself, not the code. No amount of clean implementation fixes a feature that was unsafe by concept.
Real-world example. A password-reset flow that emails a 4-digit code with no rate limit and no lockout — the implementation is bug-free, but the design lets an attacker brute-force the code.
The defense. Threat-model features before building them, define abuse cases alongside use cases, and apply secure-by-design patterns (rate limits, lockouts, defense in depth) at the architecture stage.
ATT&CK link. Often the root cause behind Brute Force (T1110) success.
A05Security Misconfiguration
In plain English. Insecure default settings, verbose error messages, unnecessary features left enabled, or missing hardening.
Real-world example. A cloud storage bucket left publicly readable, a debug endpoint shipped to production, or default admin credentials never changed.
The defense. Harden every environment from a documented baseline, disable unused features, suppress stack traces in production, and verify configuration with automated checks in CI.
ATT&CK link. Enables Exploit Public-Facing Application (T1190) and exposure of secrets.
A06Vulnerable and Outdated Components
In plain English. Using a library, framework, or runtime with a known vulnerability — including transitive dependencies you did not choose directly.
Real-world example. An app pinned to a years-old version of a serialization library with a published remote-code-execution CVE that an attacker exploits with a public proof-of-concept.
The defense. Maintain a dependency inventory (SBOM), run npm audit / pip-audit / Dependabot, patch on a cadence, and remove components you no longer use.
ATT&CK link. Exploitation for Client Execution (T1203) and public-facing exploitation.
A07Identification and Authentication Failures
In plain English. Weaknesses in how the app proves who a user is — weak passwords, broken session handling, missing MFA, or credential stuffing exposure.
Real-world example. No rate limit on login plus no MFA, so a leaked password list from another breach is replayed until accounts fall.
The defense. Require MFA on sensitive accounts, rate-limit and lock out on failed logins, rotate and invalidate sessions properly, and check passwords against known-breached lists.
ATT&CK link. Brute Force (T1110) and Valid Accounts (T1078).
A08Software and Data Integrity Failures
In plain English. Code or data is trusted without verifying it was not tampered with — insecure deserialization, unsigned updates, or a compromised CI/CD pipeline.
Real-world example. A build pipeline that pulls a dependency from an unverified source, letting a poisoned package execute in your production build (a supply-chain attack).
The defense. Verify signatures on dependencies and updates, lock and review your CI/CD, use integrity checks (subresource integrity, signed artifacts), and never deserialize untrusted data into objects.
ATT&CK link. Supply Chain Compromise (T1195).
A09Security Logging and Monitoring Failures
In plain English. You cannot detect or investigate an attack because the right events were not logged, or the logs are not monitored.
Real-world example. An attacker enumerates accounts for weeks, but failed-login and authorization-denied events were never logged, so nobody noticed until customer data appeared for sale.
The defense. Log authentication, authorization, and high-value actions with enough context to investigate, centralize logs, alert on anomalies, and test that your alerts actually fire.
ATT&CK link. The absence that lets every other ATT&CK technique go unnoticed.
A10Server-Side Request Forgery (SSRF)
In plain English. The app fetches a URL supplied or influenced by the user, letting an attacker make the server request internal resources it should not reach.
Real-world example. An image-import feature that fetches any URL the user provides, which an attacker points at a cloud metadata endpoint to steal instance credentials.
The defense. Validate and allow-list outbound destinations, block requests to internal and metadata IP ranges, and do not let user input choose the host of a server-side request.
ATT&CK link. A pivot toward Cloud Instance Metadata API abuse and internal recon.
A worked example: chaining A01 into a breach
Categories rarely bite alone. The most damaging incidents chain two or three together, which is exactly what a penetration test is built to find. Consider a broken-access-control flaw on an API endpoint:
# A01 Broken Access Control: the ID is trusted, not checked.
GET /api/v1/users/1042/export Authorization: Bearer <low-priv token>
# Server returns user 1042's full record to a different user.
# Chain with A09: no log of the authorization-denied event...
# because the request was never denied. Nobody sees the export.One missing server-side check (A01) plus missing monitoring (A09) turns a single request into an undetected data export. A scanner sees a 200 OK and moves on. A human tester recognizes that the token belongs to a different user than the record, flags it as broken object-level authorization, and traces the lack of an alert. That is the difference between a real penetration test and scan output with a logo.
Mid-post: map your app against all ten
Want a structured pass over your application against every category? Start with our interactive checklist tool, then book a call to scope a real engagement.
Don't forget the API Top 10
The classic Top 10 was written for web applications. Modern apps are mostly an API behind a thin front end, and APIs have their own failure modes — which is why OWASP maintains a separate API Security Top 10. The standout entries are broken object-level authorization (API1) and broken object property-level authorization (API3), both of which are authorization bugs that the web list folds into A01 but that deserve dedicated attention in an API.
If you build or ship an API, treat both lists as mandatory. We go deep on the API side in our API security best practices guide, and our API development practice bakes these defenses in from the design stage.
Frequently asked questions
What is the OWASP Top 10?
The OWASP Top 10 is a periodically updated, community-driven list of the ten most critical web application security risks, published by the Open Worldwide Application Security Project. It is a risk-awareness document, not a checklist or a standard. Engineers use it as a shared vocabulary and a starting point for secure design; auditors and pentest reports map findings to it so non-specialists can understand impact.
Is the OWASP Top 10 a compliance standard?
No. It is an awareness document. You cannot 'certify' against the OWASP Top 10. However, many compliance frameworks reference it indirectly: PCI DSS expects coverage of common web vulnerabilities, and SOC 2 auditors look favorably on pentest methodologies that align to OWASP. Treat it as the floor of web security awareness, not the ceiling.
How often does the OWASP Top 10 change?
Roughly every three to four years. The current edition reorganized categories around root causes rather than individual bugs — for example, broken access control rose to the top spot, and categories like insecure design and software-and-data integrity failures were introduced. Because it shifts, treat the specific ranking as guidance and the underlying classes of flaw as durable.
What is the difference between the OWASP Top 10 and the OWASP API Security Top 10?
The OWASP Top 10 covers web applications broadly. The OWASP API Security Top 10 is a separate, API-specific list that emphasizes authorization flaws unique to APIs — broken object-level authorization, broken object property-level authorization, and unrestricted resource consumption. If you ship an API, you need both lists. Modern apps are mostly API behind a thin UI, so the API list is increasingly the one that bites.
How does a pentest use the OWASP Top 10?
A penetration tester uses it as a coverage map and a reporting taxonomy, not a script. During testing, the categories ensure no major risk class is skipped. In the report, each finding is tagged with its OWASP category and, where relevant, a MITRE ATT&CK technique, so both engineers and auditors can place the issue in a familiar framework and prioritize remediation.
Can automated scanners find all OWASP Top 10 issues?
No. Scanners are good at the mechanical categories — outdated components, missing security headers, some injection. They are poor at the categories that require understanding intent, especially broken access control and insecure design, which are the two highest-impact entries on the list. Those require a human who can reason about what a request should and should not be allowed to do.
Sources & references
- [1]OWASP Top 10 — Web Application Security Risks · OWASP
- [2]OWASP API Security Top 10 (2023) · OWASP
- [3]OWASP Application Security Verification Standard (ASVS) · OWASP
- [4]MITRE ATT&CK Enterprise Matrix · MITRE
Related reading and next steps
- Web Application Pentest service
- Penetration Testing service overview
- MITRE ATT&CK Assessment
- API Development service
- API security best practices (2026)
- What is penetration testing?
- Pen test vs vulnerability scan
- What is the OWASP Top 10?
- What is MITRE ATT&CK?
- Interactive OWASP checklist tool
- Talk to Bill about your web app security
Know the list. Now test against it.
A web app pentest maps every finding to the OWASP category and the ATT&CK technique it enables. Book a free scoping call and we'll cover the right depth for your app.
More application security reading
All postsWhat Is Penetration Testing? A Founder's Buyer Guide
What a pentest actually is, the five types you can buy, and what a real report looks like.
Read postWhat Is a Pen Test vs a Vulnerability Scan
Two very different security activities that get sold under the same label.
Read postPenetration Test Cost (2026)
Real pricing for web app, network, AD, and red team engagements.
Read post