The OWASP categories have a lot of staying power. The exploits inside them do not. Reading through a 2026 finding queue, the named classes look familiar — broken access control, injection, insecure design — but the shape of each is unrecognizable from a 2017 textbook.
# A01 — Broken access control, in 2026 form
The classic admin-route-without-auth check still finds bugs occasionally. The dominant 2026 variant: GraphQL resolvers that authorize at the top-level query but not at nested field traversals. Tester probe: ask for fields you should not have on objects you can legitimately access.

```graphql
# Authorized to read your own user. Resolver checks userId == viewer.id.
query {
  user(id: "me") {
    # But the 'organization' field's resolver doesn't recheck — it trusts
    # that the parent already authorized the traversal.
    organization {
      members { # ← any user can list any org's members
        id
        email
      }
    }
  }
}
```

# A03 — Injection, with edge-runtime quirks
Classic SQLi is rarer in greenfield code, but the new injection surfaces are mostly in serverless and edge contexts: SSRF against metadata endpoints from misconfigured function runtimes, prompt injection into LLM-backed handlers, and command injection through container build steps.
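Of the three surfaces named above, the SSRF one is the most mechanical to defend, so here is an added example (not code from the post) of the outbound-URL check a function runtime should apply before fetching anything a caller supplied. It judges the resolved addresses rather than the URL text, unwraps IPv4-mapped IPv6, and returns the addresses the HTTP client must pin to so that a second lookup at connect time cannot swap in an internal answer. The `resolver` parameter and the `FAKE_DNS` table in the usage note are assumptions made so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def default_resolver(host):
    """All A/AAAA answers for host, as the function runtime's resolver sees them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    """True only for globally routable addresses."""
    addr = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254: unwrap first.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, link-local (169.254.0.0/16, where the AWS,
    # GCP and Azure metadata services answer), RFC 1918, carrier-grade NAT
    # (100.64.0.0/10), ULA (fc00::/7, which covers fd00:ec2::254) and the
    # documentation and reserved ranges.
    return addr.is_global


def check_outbound_url(url, resolver=default_resolver):
    """Decide whether a user-supplied URL may be fetched from the function.

    Returns (allowed, reason, pinned_ips). On success the caller must connect to
    one of pinned_ips (passing the hostname only for TLS SNI / Host); a fresh
    DNS lookup at connect time could otherwise return a different, internal answer.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP, bracketed IPv6 included
    except ValueError:
        # Anything else (names, trailing-dot names, decimal/hex/octal IP spellings)
        # goes to the resolver: we judge what it answers, not how the URL spelled it.
        ips = resolver(host)
    if not ips:
        return False, "host does not resolve", []
    internal = [ip for ip in ips if not is_public_address(ip)]
    if internal:
        # One internal answer among several is enough to refuse; the HTTP client
        # would happily pick it.
        return False, f"resolves to non-public address: {', '.join(internal)}", []
    return True, "ok", ips
```

Constructed DNS answers for trying it offline: `FAKE_DNS = {"metadata.google.internal": ["169.254.169.254"], "api.partner.example": ["1.2.3.4"]}` with `resolver=lambda h: FAKE_DNS.get(h, [])`; literal targets such as `http://169.254.169.254/`, `http://[fd00:ec2::254]/` and `http://[::ffff:169.254.169.254]/` are refused without any lookup. Pair this with an egress policy on the function itself; the URL check is the first line, not the only one.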
# A04 — Insecure design (AI-generated code edition)
Code generation tools produce CRUD handlers without the parts that aren't generic. The endpoint compiles, passes the unit test, and is missing the org-scoping check that would prevent cross-tenant access. We see this pattern in roughly 1 in 6 engagements involving recently AI-augmented codebases.
Generated code looks plausible at review time. The missing pieces are the contextual checks — multi-tenancy, role enforcement, rate limiting — that a human engineer adds reflexively. Reviewers don't notice what isn't there.
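The A01 nested-traversal bug and the A04 generated-handler bug are the same defect seen from two directions: a check that exists at one layer and is absent at the layer that actually returns the data. The added example below (not the post's code, and not any real framework's API) puts both side by side over constructed tenant data: a generated `list_org_members_generated` handler with no notion of who is asking, a resolver chain that authorizes only at the root object, and a hardened path where every read goes through a viewer-scoped repository so the scope is part of the query rather than something a resolver remembers to add. `leaks_cross_tenant` is the post's tester probe turned into the regression test a reviewer should ask for, because it fails on what is missing rather than on what is present.

```python
# Constructed sample tenants (not from the post): two orgs and one document
# that an Acme user shared with a Globex user.
ORGS = {"org-a": "Acme", "org-b": "Globex"}
USERS = {
    "u1": {"email": "alice@acme.example", "org": "org-a"},
    "u2": {"email": "bob@acme.example", "org": "org-a"},
    "u3": {"email": "carol@globex.example", "org": "org-b"},
}
DOCS = {"d1": {"owner": "u1", "shared_with": {"u3"}}}


class Forbidden(Exception):
    pass


class Viewer:
    def __init__(self, user_id):
        self.user_id = user_id
        self.org_id = USERS[user_id]["org"]


# A04: the handler shape code generators emit. Correct CRUD, passes a unit test
# that checks row contents, and has no parameter for who is asking.
def list_org_members_generated(org_id):
    return [dict(id=uid, **u) for uid, u in USERS.items() if u["org"] == org_id]


# A01: nested traversal document -> owner -> organization -> members, with the
# authorization decision made once at the root object.
def owner_org_members_vulnerable(viewer, doc_id):
    doc = DOCS[doc_id]
    if viewer.user_id not in doc["shared_with"] and viewer.user_id != doc["owner"]:
        raise Forbidden("document not visible")        # root check is fine...
    owner_org = USERS[doc["owner"]]["org"]
    return list_org_members_generated(owner_org)       # ...nested field trusts it


# Hardened: reads go through a viewer-scoped repository. The scope is applied in
# the query itself, so neither a resolver nor a generated handler can leave it out.
class ScopedRepo:
    def __init__(self, viewer):
        self.viewer = viewer

    def document(self, doc_id):
        doc = DOCS.get(doc_id)
        if doc is None or (self.viewer.user_id not in doc["shared_with"]
                           and self.viewer.user_id != doc["owner"]):
            raise Forbidden("document not visible")
        return doc

    def members(self, org_id):
        # Re-checked here regardless of the path by which the caller reached org_id.
        if org_id != self.viewer.org_id:
            raise Forbidden(f"{self.viewer.user_id} is not a member of {org_id}")
        return list_org_members_generated(org_id)


def owner_org_members(viewer, doc_id):
    repo = ScopedRepo(viewer)
    doc = repo.document(doc_id)
    return repo.members(USERS[doc["owner"]]["org"])


# The post's tester probe as a regression test: an object the viewer can
# legitimately read must not expose another tenant's roster through its fields.
def leaks_cross_tenant(resolver):
    carol = Viewer("u3")  # Globex user who can legitimately read d1
    try:
        rows = resolver(carol, "d1")
    except Forbidden:
        return False
    return any(USERS[row["id"]]["org"] != carol.org_id for row in rows)
```

Run `leaks_cross_tenant` against every resolver that returns tenant-owned rows; the generated handler will pass its own unit test and fail this one, which is the point.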
# A07 — Identification and authentication failures
Federated identity is now the dominant attack surface in this category. OIDC trust policies in CI/CD platforms, OAuth redirect URI allowlists in B2B apps, SAML response signing bypass via XML canonicalization quirks — all common, all hard to spot without focused testing.
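The CI/CD OIDC trust-policy case is the one of the three that can be audited entirely from the policy and a handful of synthetic tokens, so it gets an added example (not the post's code). It models the claims a CI provider's OIDC token carries after signature verification, which is assumed to have happened already; the claim layout is modeled on the GitHub Actions `iss`/`sub`/`aud` shape, the `sub_like` policy key and glob matching via `fnmatch` stand in for a cloud provider's string-like condition, and `audit` runs the probes a reviewer would: which workflows, branches and repositories can assume the role, and whether a token minted for a different audience is rejected.

```python
import fnmatch
import time

# Constructed sample claims modeled on the GitHub Actions OIDC layout; the issuer
# URL is the real one, everything else here is made up for the example.
ISSUER = "https://token.actions.githubusercontent.com"


def token_claims(repo, ref, aud="sts.example.cloud", now=None):
    now = now or int(time.time())
    return {"iss": ISSUER, "aud": aud, "sub": f"repo:{repo}:ref:{ref}",
            "repository": repo, "ref": ref, "iat": now, "exp": now + 300}


def policy_allows(policy, claims, now=None):
    """Evaluate a trust policy {'iss': ..., 'aud': ..., 'sub_like': [...]}
    against already-signature-verified claims. Returns (allowed, reason)."""
    now = now or int(time.time())
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("iss") != policy["iss"]:
        return False, "issuer mismatch"
    if claims.get("aud") != policy["aud"]:
        # Without this, a token minted for some other relying party is accepted.
        return False, "audience mismatch"
    patterns = policy.get("sub_like")
    if not patterns:
        # No subject condition at all: every workflow this issuer signs for qualifies.
        return True, "no subject condition"
    if not any(fnmatch.fnmatchcase(claims.get("sub", ""), p) for p in patterns):
        return False, "subject not allowed"
    return True, "ok"


# Three policies a reviewer might meet. The first two are the weak shapes.
WEAK_NO_SUB = {"iss": ISSUER, "aud": "sts.example.cloud"}
WEAK_ORG_WIDE = {"iss": ISSUER, "aud": "sts.example.cloud",
                 "sub_like": ["repo:acme/*"]}
STRICT = {"iss": ISSUER, "aud": "sts.example.cloud",
          "sub_like": ["repo:acme/deploy:ref:refs/heads/main"]}


def audit(policy):
    """Which synthetic workflows can assume the role under this policy?"""
    probes = {
        "prod branch of deploy repo": token_claims("acme/deploy", "refs/heads/main"),
        "feature branch of deploy repo": token_claims("acme/deploy", "refs/heads/feature-x"),
        "another repo in the org": token_claims("acme/sandbox", "refs/heads/main"),
        "repo outside the org": token_claims("someone-else/deploy", "refs/heads/main"),
        "token minted for another audience": token_claims("acme/deploy", "refs/heads/main",
                                                          aud="other-service"),
    }
    return {name: policy_allows(policy, claims)[0] for name, claims in probes.items()}
```

`audit(STRICT)` admits only the production branch of the deploy repository; `audit(WEAK_ORG_WIDE)` also admits every other repository in the org, and `audit(WEAK_NO_SUB)` admits any repository the issuer will sign for. Add the same probes as a test in the repository that owns the trust policy so a loosened condition fails CI.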
# A09 — Security logging and monitoring failures
The 2026 version: observability tooling unintentionally storing PII and secrets in trace spans, span attributes, or error reports. We find authentication tokens in error-tracking platforms more often than we find them in source code.
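An added example (not the post's code, and not any vendor's span processor API) of the scrubbing step that belongs between the instrumentation and the exporter: it redacts span and event attributes by key name for the headers and fields that are sensitive whatever they hold, and by value shape for tokens and addresses that turn up under innocent keys such as a URL or an exception message. The returned findings list is the same data as a detection: it tells you which code path was about to ship a credential to the tracing backend. The span layout, key list and value patterns are assumptions; tune them to the token formats your own stack issues.

```python
import re
from copy import deepcopy

# Attribute names that are sensitive whatever their value holds. "token" also
# catches keys such as "token_count"; over-redaction is the cheaper mistake here.
SENSITIVE_KEY = re.compile(
    r"authorization|cookie|password|passwd|secret|token|api[_.-]?key|session", re.I)

# Value shapes worth catching under any key name (constructed for this example).
VALUE_PATTERNS = [
    ("bearer-token", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("kv-secret", re.compile(r"(?i)\b(?:token|secret|password|api[_-]?key)\s*[=:]\s*\S+")),
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
]
REDACTED = "[REDACTED]"


def _scrub(path, key, value, findings):
    """Redact one attribute value, recursing into nested dicts and lists."""
    if key is not None and SENSITIVE_KEY.search(key):
        findings.append((path, "sensitive-key"))
        return REDACTED
    if isinstance(value, dict):
        return {k: _scrub(f"{path}.{k}", k, v, findings) for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(f"{path}[{i}]", None, v, findings) for i, v in enumerate(value)]
    if isinstance(value, str):
        for label, pattern in VALUE_PATTERNS:
            if pattern.search(value):
                findings.append((path, label))
                value = pattern.sub(REDACTED, value)
    return value


def scrub_span(span):
    """Return (scrubbed copy, findings). Run it on every span before export; the
    findings list doubles as a detection signal for what the app tried to leak."""
    findings = []
    out = deepcopy(span)
    out["attributes"] = _scrub("attributes", None, span.get("attributes", {}), findings)
    out["events"] = [
        dict(event, attributes=_scrub(f"events[{i}].attributes", None,
                                      event.get("attributes", {}), findings))
        for i, event in enumerate(span.get("events", []))
    ]
    return out, findings


# Constructed span in an OTLP-like shape; every secret in it is made up.
SAMPLE_SPAN = {
    "name": "POST /login",
    "attributes": {
        "http.request.header.authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln",
        "http.request.header.user-agent": "curl/8.0",
        "http.url": "https://api.acme.example/cb?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln",
        "user.email": "alice@acme.example",
        "db.statement": "SELECT id FROM users WHERE email = 'alice@acme.example'",
    },
    "events": [{"name": "exception", "attributes": {
        "exception.message": "upstream 401 for api_key=sk_live_constructed123 "
                             "from aws key AKIAIOSFODNN7EXAMPLE"}}],
}
```

On `SAMPLE_SPAN` the authorization header is dropped by key name, the JWT in `http.url` and the address in `db.statement` are caught by value, and the exception message loses both the key-value secret and the AWS key ID while the rest of the text survives. Count findings per service and route: a route that produces them on every request is a code defect, not a logging setting.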
# Reading the list correctly
The Top 10 is a taxonomy, not a checklist. Reading it as a checklist produces programs that pass scans and ship vulnerable code. Reading it as a taxonomy — and asking 'what does this class look like in our specific stack' — produces programs that actually push down risk.