IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. Guides
  3. OWASP Top 10 (2021) Explained

Standards explained

OWASP Top 10 (2021) Explained

The OWASP Top 10 is the most widely used awareness standard for web application security risks. Below is each 2021 category explained in plain language, with links into the knowledge graph where relevant.

A01: Broken Access Control

Users acting outside their intended permissions - IDOR/BOLA, privilege escalation, forced browsing. The top category, and the root cause of many serious breaches.

A02: Cryptographic Failures

Weak or missing protection of sensitive data in transit or at rest - weak algorithms, missing encryption, exposed secrets.

A03: Injection

Untrusted input interpreted as code or commands - SQL injection, command injection, SSTI, and cross-site scripting.

A04: Insecure Design

Flaws originating in design rather than implementation, addressable through threat modeling and secure design patterns.

A05: Security Misconfiguration

Insecure defaults, verbose errors, missing hardening, and (as of 2021) XXE from insecure parser configuration.

A06: Vulnerable and Outdated Components

Using components with known vulnerabilities - a software supply-chain risk addressed by software composition analysis.

A07: Identification and Authentication Failures

Weak authentication and session management, including credential stuffing, weak MFA, and flawed token handling.

A08: Software and Data Integrity Failures

Trusting code or data without integrity verification - insecure deserialization and unverified update pipelines.

A09: Security Logging and Monitoring Failures

Insufficient logging, detection, and response, letting attacks proceed unnoticed.

A10: Server-Side Request Forgery (SSRF)

Coercing the server into making requests to unintended destinations, often reaching internal or cloud metadata services.

Key takeaways

  • Broken Access Control (A01) is the most common serious risk category.
  • The Top 10 is an awareness baseline, not a complete test plan.
  • Real risk comes from chaining categories, not isolated findings.

FAQ

Is the OWASP Top 10 a checklist?

It is an awareness document of the most critical risk categories, not an exhaustive testing checklist. Use it to prioritize, but comprehensive testing covers far more than ten items.

Related

OWASPBroken Access ControlSSRF

Impactr puts this into practice - autonomously testing your web apps and APIs the way an attacker would, and proving every finding with a reproducible exploit.

Join the waitlist
← All guides
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub