Blog · C.01 · Pen Testing Deep-Dive

OWASP Top 10 2021 → 2026: what actually changed in real engagements

Five years of OWASP data mapped against hundreds of actual pen test findings. Broken Access Control still leads - but SSRF, injection and insecure design have shifted in ways the updated list doesn't fully capture. Here's what we're actually finding in 2026.

OWASP Web Security Broken Access Control SSRF 2026
Categories: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable Components · A07 Auth Failures · A08 Integrity Failures · A09 Logging Failures · A10 SSRF Categories: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable Components · A07 Auth Failures · A08 Integrity Failures · A09 Logging Failures · A10 SSRF
// TL;DR

The 2021 list reorganised the map but didn't capture everything the field is seeing in 2026. Broken Access Control (A01) dominates - it appears in over 60% of our web app engagements. SSRF moved from obscure to headline-critical as cloud-native architectures proliferated. Injection narrowed from SQL dominance to a multi-class problem including SSTI and prompt injection. Insecure Design (A04) is the most underappreciated category for SaaS companies. Here's the full picture.

// 01 Why the 2021 → 2026 delta matters

OWASP refreshes the Top 10 on a roughly four-year cadence, using a combination of CVE data, community survey responses, and contributed application security data. The 2021 edition was a significant overhaul - three new categories appeared, two were merged, and the overall framing shifted from "common vulnerability patterns" to "risk categories." The anticipated 2026 update carries that evolution further.

But the official list and what practitioners actually find in engagements are two different things. The list is backward-looking by design - it reflects the collective disclosure record of the last four years. Real engagements reflect the current production environment: modern SaaS architectures, cloud-native deployments, GraphQL APIs, AI-augmented applications, and the specific way developers use today's frameworks.

A01Broken Access Control - found in over 60% of our web app engagements
Increase in SSRF findings since cloud-native became mainstream (2021-2026)
A04Insecure Design - the category SaaS companies most consistently underestimate
38%Of critical findings we report are business-logic flaws not covered by any OWASP category

// 02 A01 - Broken Access Control: still #1, and widening

In 2017 the category was Broken Access Control - in 2021 it moved from #5 to #1. In 2026 engagements it hasn't budged. Every architecture that adds abstraction layers adds access-control surfaces: microservices, tenant isolation boundaries, RBAC permission trees, data-room sharing, admin impersonation flows. Developers secure the happy path; pen testers find the edges.

What we're finding in 2026

The dominant pattern in our current engagement data is BOLA (Broken Object-Level Authorization) - or IDOR as it was classically called. Modern SaaS platforms generate resource identifiers (UUIDs, slugs, numeric IDs) and expose them in URLs, API payloads and WebSocket messages. The authorisation check is supposed to verify that the caller owns the object. In roughly half of the applications we test, that check is absent, inconsistent across endpoints, or bypassable through HTTP method switching.

HTTP# Typical BOLA pattern - A01 finding
GET /api/v2/reports/3847 HTTP/1.1
Authorization: Bearer <tenant-A-token>

HTTP/1.1 200 OK
# Returns tenant-B report - no tenant check on object retrieval
{ "report_id": 3847, "tenant": "acme-corp", "data": {...} }

# Fix: bind object lookup to authenticated tenant context
# SELECT * FROM reports WHERE id = ? AND tenant_id = current_tenant()

The second pattern is vertical privilege escalation through mass assignment. Modern ORMs and serialisation libraries bind request payloads directly to model objects. When a developer forgets the allowlist, a low-privilege user can submit fields like role, is_admin, or billing_owner and elevate themselves in a single PATCH request. We find this in roughly one in four SaaS applications, usually on profile-update or onboarding endpoints.

// What changed 2021 → 2026

The attack surface grew. Multi-tenant SaaS, GraphQL APIs, microservice meshes and real-time WebSocket channels all introduced new authorisation surfaces that didn't exist at scale in 2021. The vulnerability class is identical; the number of places to test it doubled.

// 03 A02 & A03 - Cryptographic Failures and Injection: both evolved

Cryptographic Failures (A02)

In 2021 this category replaced "Sensitive Data Exposure" - a deliberate shift from "data was exposed" to "the cryptographic mechanism failed." In 2026 engagements, the most common finding in this category is JWT algorithm confusion. An application that accepts both RS256 (asymmetric) and HS256 (symmetric) tokens with the same key store can be attacked by re-signing an admin claim using the public RSA key as the HMAC secret. Libraries that were vulnerable to this in 2021 are still deployed in production.

The second-most-common cryptographic finding is weak token entropy - password reset tokens, email verification links, and API keys generated with insufficient randomness. We still find MD5 and SHA-1 in password hashing pipelines in legacy services, and TLS 1.0/1.1 on internal APIs that were never exposed to the internet hardening checklist.

Injection (A03)

SQL injection dominated A03 from 2013 to 2021. ORMs and parameterised queries have driven it down significantly in modern codebases - but injection as a class has diversified. In our 2026 engagement data, Server-Side Template Injection (SSTI) is now more commonly found than classic SQL injection in modern stacks. Applications using Jinja2, Twig, Nunjucks, Liquid, or Pebble with user-controlled template strings are trivially exploitable for remote code execution.

HTTP# SSTI probe - Jinja2 / Flask endpoint accepting template variables
POST /api/emails/preview
Content-Type: application/json

{ "subject": "Hello {{7*7}}", "template_id": "welcome" }

# Vulnerable response - template was evaluated server-side
{ "preview": "Hello 49", "subject": "Hello 49" }

# Escalation - code execution
{ "subject": "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" }

The third injection frontier in 2026 is prompt injection in AI-augmented applications. Applications that accept user input and pass it into LLM prompts without sanitisation can be manipulated to override system instructions, exfiltrate context, or produce adversarial outputs. OWASP's LLM Top 10 addresses this, but classic App Top 10 auditors are starting to include prompt injection test cases in standard engagements.

// 04 A04 - Insecure Design: the most underappreciated category

Insecure Design was introduced in 2021 as a new category distinct from implementation bugs - it covers threat modelling gaps, missing business-logic controls, and architectural decisions that make a system insecure by construction regardless of how carefully the code is written. It's the hardest category to "fix" because the fix often requires architectural change, not a code patch.

In practice, the most common Insecure Design findings we report are race conditions in transactional flows. A payment or inventory system that doesn't hold row-level locks during concurrent operations can be exploited to stack discounts, over-claim free-tier limits, or execute transfers that exceed balance. No scanner can find this - it requires understanding the business invariant and crafting a concurrent attack.

"Insecure Design is the category that keeps us employed five years from now. You can patch an injection vulnerability in an afternoon. You can't patch a payment architecture that was never designed to handle concurrent writes."

CyberFortify offensive security team

// 05 A05-A10: what moved, what faded, what's new

A05

Security Misconfiguration

Still broad, but the dominant finding shifted from exposed admin panels and default credentials to cloud IAM misconfigurations - overprivileged Lambda execution roles, public S3 buckets with no bucket policy, and API Gateway endpoints missing authorisers. In 2026, cloud misconfiguration is the leading entry point in our external network assessments.

A06

Vulnerable Components

Software composition analysis (SCA) tooling has improved substantially - most mature pipelines have dependency scanning. But transitive dependencies remain a blind spot. The 2021 Log4Shell incident demonstrated this at scale. In 2026, the risk migrated to ML/AI libraries: transformers, langchain, and model-serving frameworks introduce supply-chain exposure that SCA tools don't yet fully model.

A07

Identification & Auth Failures

Password flows are better guarded now - bcrypt/Argon2 adoption is mainstream. The live finding in this category is OAuth2 and OIDC misconfiguration: open redirect in the redirect_uri parameter, PKCE not enforced, state parameter not validated, and implicit grant still enabled. Social login integrations introduced in the last two years are disproportionately likely to have these issues.

A08

Software & Data Integrity Failures

This category consolidates insecure deserialisation and CI/CD pipeline integrity. The insecure deserialisation finding count dropped significantly as Java / PHP frameworks updated their serialisation libraries. What replaced it: unsigned GitHub Actions workflows, third-party CDN script inclusion without SRI, and auto-update mechanisms that don't verify signatures. Supply-chain attacks are the 2026 expression of this category.

A09

Security Logging & Monitoring Failures

This is the category that most directly enables defenders. In 2026, the finding we report most is the absence of structured audit logging for sensitive operations - admin privilege grants, cross-tenant data access, payment flow mutations. Without this, a breach can persist for months. We include logging coverage in every deliverable because detection maturity directly affects the blast radius of vulnerabilities we find in the same engagement.

A10

Server-Side Request Forgery

SSRF was added in 2021 - it was the highest-scoring category by community survey despite relatively low incidence. The survey was right: SSRF in cloud environments is a critical finding because the path from SSRF entry point to full tenant compromise via the AWS IMDS credential theft chain is reliable and devastating. We now treat SSRF as critical-by-default in cloud-deployed applications.

// 06 What the list still doesn't capture in 2026

The OWASP Top 10 is a risk awareness document, not an exhaustive test plan. There are vulnerability classes that appear frequently in our engagement data that don't map cleanly to any single category - and that list is growing as application architectures evolve.

GraphQL-specific attack surface

Introspection abuse, batching attacks, alias-based rate-limit bypass, and object-level authorisation across nested resolvers are GraphQL-specific findings that don't fit neatly into A01 or A03. Any application exposing a GraphQL endpoint needs a dedicated test plan beyond OWASP mapping.

Multi-tenancy boundary failures

The 2021 OWASP list has no category specifically for tenant isolation failures. Cross-tenant data access is arguably the highest-impact finding in modern SaaS - a single BOLA vulnerability in a shared data layer can expose every tenant's data. This falls under A01, but the specific attack surface - shared databases, shared queues, shared caches - deserves explicit test coverage.

Business logic abuse

Race conditions, coupon stacking, refund chaining, inventory manipulation and referral abuse all live under A04 (Insecure Design), but the testing methodology is completely different from any other category. You need to understand the application's business rules before you can test whether they're enforced. No automated tool can do this. 38% of critical findings we report are business-logic flaws - none of them map cleanly to a single OWASP category.

// 07 How to update your test plan for 2026

If your test scope is currently "OWASP Top 10 coverage," the following additions will meaningfully close the gaps between the list and what a 2026 attacker will actually exploit.

Add →

Tenant isolation test cases

Explicitly test cross-tenant data access on every API endpoint that returns resource objects. This is not default behaviour in most test plans derived purely from OWASP categories.

Add →

SSRF in cloud metadata

Any endpoint that accepts a URL parameter - webhooks, integrations, file imports, avatars - must be tested for SSRF reaching cloud metadata services. Treat it as critical-by-default in AWS/Azure/GCP deployments.

Add →

Race condition testing on transactional flows

Use Burp Intruder or Turbo Intruder to send parallel requests to payment, inventory, and coupon endpoints. Map all invariants first, then attack them concurrently.

Add →

JWT and OAuth2 protocol testing

Test alg:none, RS256→HS256 confusion, PKCE enforcement, redirect_uri validation, and token scope escalation. These don't appear as explicit test cases in most OWASP-derived checklists.

Add →

SSTI for template-heavy endpoints

Any endpoint that accepts user input that influences output format - email templates, PDF generators, notification bodies, report builders - is a candidate for SSTI. Probe with mathematical expressions before escalating.

Add →

Prompt injection for AI features

For applications with LLM-powered features - search, summarisation, chat, code generation - test whether user input can override system prompts, exfiltrate the prompt context, or elicit policy-violating outputs.

// 08 Mapping the 2026 findings to compliance requirements

Every finding CyberFortify reports is mapped to OWASP category, CWE, CVSS v3.1, and the relevant compliance control. For organisations using pen test results as audit evidence, the table below shows the most common 2026 findings and their compliance touchpoints.

FindingOWASPSOC 2ISO 27001PCI DSS v4
BOLA / IDORA01CC6.1A.8.3Req 7
SSRF → IMDSA10CC6.6A.8.20Req 6.2
JWT alg confusionA02CC6.1A.8.24Req 8.6
SSTI / RCEA03CC7.1A.8.29Req 6.3
Mass assignmentA01CC6.3A.8.3Req 7.2
Race conditionA04CC6.1A.8.29Req 6.2
Verbose error leakageA05CC7.2A.8.9Req 6.3
Missing audit loggingA09CC7.2A.8.15Req 10

// 09 The bottom line

The OWASP Top 10 is essential reading - but treating it as a test checklist rather than a risk map leads to incomplete engagements. The 2021 list correctly elevated Broken Access Control and added SSRF; the 2026 revision will reflect the rise of insecure design in cloud-native systems and the new injection surfaces that AI-augmented applications introduce.

What doesn't change: the gap between what automated tools find and what a skilled manual tester finds. Scanners can surface misconfiguration and known CVEs. They cannot model tenant isolation boundaries, abuse business logic, chain SSRF into credential theft, or find the JWT confusion that requires understanding the identity architecture. That gap is why manual pen testing remains the most valuable security investment a modern SaaS company can make - and why the OWASP Top 10 is a starting point, not an endpoint.

Web Application Pentest Checklist - 2026 Edition

156 test cases covering all OWASP categories plus tenant isolation, race conditions, JWT/OAuth2 protocols, GraphQL and AI prompt injection. Updated for 2026 architectures.

Get the checklist →
CY

CyberFortify Research

Offensive Security Team

Field notes from active web application, API, cloud and mobile penetration testing engagements. All findings are anonymised and published with client consent. CyberFortify is a Bahrain-based penetration testing company founded by Usama Gul.

Want to see your application mapped against the 2026 reality?

Schedule a free 30-minute scoping call. We'll review your stack, identify the highest-risk categories for your architecture, and quote a fixed-price engagement that produces audit-ready evidence.

Schedule scoping call → Web app pen testing →