OWASP Top 10 2026 — A Practical Checklist for Engineering Teams
Published April 26, 2026 · 13 min read
OWASP publishes the Top 10 Web Application Security Risks roughly every four years, built from vulnerability data contributed by testing organisations (mapped to CWEs) plus a community survey. The 2026 release tightens scope around access control failures, server-side request forgery, and insecure design, three categories that dominated breach post-mortems across 2024-2025. This checklist gives application security engineers a per-category test plan with concrete payloads, CVE references, and remediation gates you can wire into CI before your next release.
Treat this document as a CI contract, not a marketing slide. Each section ends with a test case you can express as an integration test, a Burp Macro, or a Nuclei template. If a release ships without green status against these checks, your auditor (SOC 2 CC7.1, PCI DSS 11.4, ISO 27001 A.8.28) already has the finding written for them.
A01:2026 — Broken Access Control
Still the number-one risk by both incidence and impact. The 2026 list folds missing function-level access control and insecure direct object references (IDOR) into a single bucket. CVE-2023-22515 (Confluence Data Center and Server broken access control, letting an unauthenticated attacker create administrator accounts; scored CVSS 10.0 by Atlassian) is the textbook A01 case. CVE-2024-4577 (PHP-CGI argument injection on Windows) is often filed alongside it, but it is an injection flaw and belongs under A03. Test for forced browsing, JWT alg=none downgrade, tenant-id swap on every authenticated endpoint, and role escalation via mass-assignment.
- Enumerate every state-changing route — diff POST/PUT/PATCH/DELETE across user roles using a matrix of (role, endpoint, expected status).
- Test object IDs by replacing your own UUID with another tenant's. Predictable integer IDs are an automatic finding.
- Bypass attempts: X-Original-URL, X-Rewrite-URL, trailing slash, double URL-encoded segments, ..%2f path traversal at proxy boundaries.
- Validate the JWT signature and the kid header (block path traversal in kid), and reject alg=none at the gateway, not just in the app.
- Mass-assignment guard — never bind raw request bodies to ORM models. Use explicit DTOs.
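The gateway-side JWT check the last two bullets describe, as an added example that is not part of the original page or any vendor's code. It hand-rolls HS256 verification with the standard library so the ordering of the checks is visible: algorithm allow-list first (so alg=none can never reach the signature step), then a strict kid format plus allow-list (so a kid of ../../dev/null is never used to locate a key), then a constant-time MAC comparison, then expiry. The key store, kid value and secret are constructed for the example; a real gateway would load keys from a JWKS endpoint or KMS.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed key store for the example: kid -> HMAC secret (a real gateway loads this from JWKS/KMS).
KEYS = {"2026-q2": b"example-gateway-secret-not-for-production"}
ALLOWED_ALGS = {"HS256"}                       # explicit allow-list; 'none' can never match
KID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # no '/', '.', or anything usable as a path


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint(payload: dict, kid: str, alg: str = "HS256", key: bytes = b"") -> str:
    """Build a token. alg='none' leaves the signature empty, exactly as an attacker would."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    if alg == "none":
        return f"{header}.{body}."
    mac = hmac.new(key or KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify(token: str, now: int) -> dict:
    """Gateway-side checks, in order: shape, alg allow-list, kid allow-list, MAC, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:                  # catches none/None/NONE and RS->HS confusion
        raise ValueError(f"algorithm not allowed: {alg!r}")
    kid = header.get("kid", "")
    if not isinstance(kid, str) or not KID_RE.match(kid) or kid not in KEYS:
        raise ValueError(f"unknown or malformed kid: {kid!r}")   # blocks ../../dev/null style kid
    expected = hmac.new(KEYS[kid], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("expired or missing exp")
    return payload


def check(token: str, now: int = 1_750_000_000) -> str:
    """'ok' or the rejection reason; the assertion target for a (token, expected) test matrix."""
    try:
        verify(token, now)
        return "ok"
    except (ValueError, KeyError, TypeError, AttributeError) as e:
        return str(e)
```

Run the same matrix against your real gateway with the curl calls that follow: a valid token must return ok, and every forged variant (alg=none, traversal in kid, wrong key, expired) must be rejected before the request reaches the application.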
```bash
# IDOR + header bypass smoke test
curl -i https://target.tld/api/v1/users/2024 \
  -H "Authorization: Bearer $VICTIM_JWT" \
  -H "X-Original-URL: /admin/users/2024"

# JWT alg=none downgrade (segments must be base64url with no '=' padding,
# otherwise the gateway rejects the token as malformed rather than for alg=none)
b64url() { base64 -w0 | tr '+/' '-_' | tr -d '='; }
header='{"alg":"none","typ":"JWT"}'
payload='{"sub":"victim","role":"admin","exp":9999999999}'
token="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)."
curl -H "Authorization: Bearer $token" https://target.tld/api/v1/me
```

A02:2026 — Cryptographic Failures
TLS 1.0/1.1 must be disabled, not merely deprecated (RFC 8996 formally retired them). Static analysis must flag MD5/SHA-1 in any security-relevant role, hard-coded keys, ECB mode, and any key or token material derived from a non-cryptographic PRNG such as Math.random(). The 2026 list adds explicit requirements for post-quantum readiness: track NIST FIPS 203 (ML-KEM) adoption for any key exchange you control. The hybrid X25519MLKEM768 group ships in OpenSSL 3.5, in current Chrome and Firefox, and at the large CDNs.
- Enforce HSTS with max-age=63072000; includeSubDomains; preload, and submit the apex to hstspreload.org.
- Rotate KMS keys at least quarterly. Audit IAM policies so no principal holds kms:Decrypt on a wildcard resource that covers keys you do not own.
- Replace bcrypt with cost < 12 by Argon2id (m=64 MiB, t=3, p=4, the RFC 9106 second recommended setting) for new password hashes.
- Rotate TLS session-ticket keys at least daily so a ticket cannot be resumed after 24 h; encrypt data at rest with per-object DEKs wrapped by a KMS-held KEK (envelope encryption), never directly with the KEK.
- Store secrets in Vault / AWS Secrets Manager / GCP Secret Manager, never in a .env file committed to git.
```bash
# testssl.sh — fast TLS posture check
testssl.sh --severity HIGH --color 0 https://target.tld:443
# Nuclei TLS/SSL sweep (the ssl/ directory of nuclei-templates)
nuclei -u https://target.tld -t ssl/ -severity high,critical
```

A03:2026 — Injection
SQLi is no longer the top flavour: server-side template injection (SSTI), NoSQL injection, and LDAP injection now dominate the bug-bounty triage queue, alongside command injection in container entrypoints. Map your test cases to the VAPT engagement scope so each ORM, template engine, and parser ships with an injection regression test. A parameterised query on its own is not defence in depth: combine prepared statements with strict input typing, allow-list validation, and output encoding.
```text
# SSTI smoke test for Jinja2 / Twig / Velocity
{{7*7}}
# Jinja2 file read; the subclass index (40 here) varies by Python build, enumerate __subclasses__() first
{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}
# NoSQL operator injection (MongoDB, Mongoose)
{"username":{"$ne":null},"password":{"$ne":null}}
# LDAP injection
*)(uid=*))(|(uid=*
# Command injection in OS layer
$(id) ;id; `id` |id| ${IFS}id
# CRLF -> log injection -> SIEM poisoning
GET /search?q=foo%0d%0a[FAKE]%20user=admin%20auth=success HTTP/1.1
```

For ORMs, your CI must fail any commit that concatenates user input into a query string near a raw() / execute() escape hatch. Semgrep and CodeQL both ship rules for this in every major language; ratchet false positives down to zero before you turn on blocking mode.
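An added example (not from the page or any project it names) that puts the SQL and NoSQL payloads above next to the two defences the paragraph calls for. The concatenating login is the pattern your Semgrep rule must block; the bound-parameter version treats the same payload as data. The Mongo-style matcher is a deliberately tiny stand-in for a driver query built as {"username": username, "password": password}: it shows why an operator object in the request body matches everything, and why strict input typing at the boundary (both fields must be bounded plain strings) stops it before any query is built. The table contents are constructed for the demo.

```python
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demo; not a real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("admin", "hunter2")])
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is spliced into the SQL text (the pattern the CI rule must block)."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_param(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: bound parameters; the same payload is compared as data and matches nothing."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def mongo_style_match(doc: dict, username, password) -> bool:
    """Stand-in for a Mongo query built from request fields. A {'$ne': None} object
    is evaluated as an operator, so it matches any stored value."""
    def matches(stored, criterion):
        if isinstance(criterion, dict) and "$ne" in criterion:
            return stored != criterion["$ne"]
        return stored == criterion
    return matches(doc["username"], username) and matches(doc["password"], password)


def parse_credentials(body: str) -> tuple:
    """Strict input typing at the boundary: both fields must be bounded plain strings."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    out = []
    for field in ("username", "password"):
        value = data.get(field)
        if not isinstance(value, str) or not 1 <= len(value) <= 128:
            raise ValueError(f"{field} must be a non-empty string")
        out.append(value)
    return tuple(out)


def credentials_ok(body: str) -> bool:
    """True only when the body passes parse_credentials (JSON errors are ValueErrors too)."""
    try:
        parse_credentials(body)
        return True
    except ValueError:
        return False
```

The regression test for each endpoint is the pair (payload, expected False) run against the parameterised path plus the typed parser; if either ever returns True for a payload from the list above, the build fails.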
A04:2026 — Insecure Design
Threat-model every new feature before code review. The 2026 update calls out missing rate limits on password reset, missing anti-automation on signup, predictable token generation, and business-logic flaws (e.g. negative-quantity orders that produce credits) as design defects, not implementation bugs. Treat them as P1 in backlog grooming. STRIDE, LINDDUN, or simply a "what does the abuser do?" framing in design review catches the majority before any code ships.
- Per-IP and per-account rate limit on every credential, OTP, or money-movement endpoint. A token bucket beats a fixed window because it absorbs short bursts without resetting on the minute boundary.
- Token entropy: at least 128 bits, generated by a CSPRNG (crypto.randomBytes, secrets.token_urlsafe, SecureRandom).
- Idempotency keys on all POST mutations. Without them, client retries become double-spends.
- Anti-automation on signup: progressive friction (CAPTCHA for suspicious ASNs, SMS verification for disposable e-mail domains).
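Three of the design controls above in one runnable piece, added here as an example and not taken from the page or any product it mentions: a per-key token bucket (keyed on IP or account), an idempotency wrapper for POST handlers, and a money-movement backend that rejects non-positive amounts (the negative-quantity class of flaw). The ledger, the amounts and the idempotency key are constructed; the clock is injectable so the refill behaviour can be checked deterministically.

```python
import hashlib
import json
import time


class TokenBucket:
    """Per-key token bucket: `capacity` is the burst, `refill_per_sec` the sustained rate.
    Key on client IP for anonymous endpoints and on account for credential/OTP/money endpoints."""
    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, refill_per_sec, clock
        self._state = {}  # key -> (tokens, last_refill_timestamp)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1.0, now)
        return True


class FakeClock:
    """Deterministic clock so refill can be tested offline."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class Ledger:
    """Constructed money-movement backend. Rejects non-positive amounts up front."""
    def __init__(self, balance: int):
        self.balance = balance

    def transfer(self, body: dict) -> dict:
        amount = body.get("amount")
        if not isinstance(amount, int) or amount <= 0:
            return {"status": 400, "error": "amount must be a positive integer"}
        self.balance -= amount
        return {"status": 200, "balance": self.balance}


class IdempotentPost:
    """Wraps a POST handler: same key + same body replays the stored response; same key +
    different body is a client error; the handler runs at most once per key."""
    def __init__(self, handler):
        self.handler, self._seen = handler, {}  # key -> (body_hash, response)

    def post(self, idem_key: str, body: dict) -> dict:
        body_hash = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if idem_key in self._seen:
            stored_hash, response = self._seen[idem_key]
            if stored_hash != body_hash:
                return {"status": 422, "error": "idempotency key reused with a different payload"}
            return response
        response = self.handler(body)
        self._seen[idem_key] = (body_hash, response)
        return response


def retry_storm(retries: int = 3) -> tuple:
    """A client retries one transfer `retries` times. Returns (balance with key, balance without)."""
    guarded, bare = Ledger(100), Ledger(100)
    api = IdempotentPost(guarded.transfer)
    body = {"to": "bob", "amount": 30}
    for _ in range(retries):
        api.post("idem-7c1d", body)
        bare.transfer(body)
    return guarded.balance, bare.balance
```

In production the bucket state and the idempotency table live in a shared store (Redis or the database) with a TTL, and the idempotency key is supplied by the client in a header; the logic is unchanged.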
A05:2026 — Security Misconfiguration
Default credentials, verbose error pages, exposed .git directories, open S3 buckets, and unauthenticated /actuator endpoints still account for a large share of public-facing breaches. Many of the CVEs behind them sit in CISA's Known Exploited Vulnerabilities catalog, which carries patch deadlines for federal agencies. Use Nuclei templates from the exposures/ and misconfiguration/ families to sweep continuously, not just at QA time.
```bash
nuclei -u https://target.tld \
  -t http/exposures/ \
  -t http/misconfiguration/ \
  -t http/cves/ \
  -severity high,critical -o misconfig.txt

# Headers baseline (missing = finding)
curl -sI https://target.tld | grep -iE \
  'strict-transport-security|content-security-policy|x-content-type-options|referrer-policy|permissions-policy'
```

A06:2026 — Vulnerable & Outdated Components
SBOM is no longer optional. Generate CycloneDX or SPDX from every build, ingest it into a vulnerability database keyed on PURL, and break the build on any CVSS ≥ 8.0 finding with a known exploit (CISA KEV is the authoritative list). Pin transitive deps via lockfiles and verify lockfile integrity in CI; use npm audit --audit-level=high, pip-audit, govulncheck ./..., and the OWASP dependency-check Maven plugin (mvn dependency-check:check) as appropriate.
| Component | CVE (2023-2025) | CVSS |
|---|---|---|
| Apache Struts2 | CVE-2023-50164 | 9.8 |
| libwebp | CVE-2023-4863 | 8.8 |
| Spring Framework | CVE-2024-22243 | 8.1 |
| OpenSSH | CVE-2024-6387 (regreSSHion) | 8.1 |
| Apache Tomcat | CVE-2025-24813 | 9.8 |
| Next.js middleware bypass | CVE-2025-29927 | 9.1 |
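The build gate the A06 paragraph describes, as an added example that is not part of the page or of any SBOM tool: parse a CycloneDX SBOM, join components to a vulnerability feed on the version-less PURL, compare versions against the first fixed release, and block only when CVSS ≥ 8.0 and the CVE is in the KEV set. The SBOM fragment is constructed; the CVE IDs, fixed versions and scores in the feed are the public ones for two table entries plus lodash, but the KEV set here is a constructed sample (a real pipeline fetches CISA's catalog), which is why Struts lands in warnings rather than blocking in this demo.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not generated from a real build).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "struts2-core", "version": "6.3.0",
         "purl": "pkg:maven/org.apache.struts/struts2-core@6.3.0"},
        {"name": "libwebp", "version": "1.3.1", "purl": "pkg:generic/libwebp@1.3.1"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Feed rows: (version-less purl, first fixed version, CVE, CVSS base). A real pipeline
# pulls these from OSV/NVD; the rows below are hand-entered for the demo.
VULN_FEED = [
    ("pkg:maven/org.apache.struts/struts2-core", "6.3.0.2", "CVE-2023-50164", 9.8),
    ("pkg:generic/libwebp", "1.3.2", "CVE-2023-4863", 8.8),
    ("pkg:npm/lodash", "4.17.21", "CVE-2021-23337", 7.2),
]

# Constructed KEV sample for the demo only; never hard-code this, fetch CISA's catalog.
KEV_SAMPLE = {"CVE-2023-4863"}


def parse_version(v: str) -> tuple:
    """Dotted numeric compare; non-numeric parts count as 0 (good enough for the gate)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def gate(sbom_json: str, feed=VULN_FEED, kev=KEV_SAMPLE, threshold: float = 8.0) -> tuple:
    """Return (blocking, warnings). Blocking = affected version AND CVSS >= threshold AND in KEV."""
    blocking, warnings = [], []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base, _, version = purl.rpartition("@")
        for feed_base, fixed_in, cve, cvss in feed:
            if base != feed_base or parse_version(version) >= parse_version(fixed_in):
                continue
            finding = {"purl": purl, "cve": cve, "cvss": cvss,
                       "fixed_in": fixed_in, "kev": cve in kev}
            (blocking if cvss >= threshold and cve in kev else warnings).append(finding)
    return blocking, warnings


def ci_exit_code(sbom_json: str = SBOM_JSON) -> int:
    """Exit 1 breaks the build; warnings go to the job log (GitHub annotation syntax) but do not block."""
    blocking, warnings = gate(sbom_json)
    for f in warnings:
        print(f"::warning::{f['purl']} {f['cve']} cvss={f['cvss']} fix>={f['fixed_in']}")
    for f in blocking:
        print(f"::error::{f['purl']} {f['cve']} cvss={f['cvss']} in KEV; fix>={f['fixed_in']}")
    return 1 if blocking else 0
```

Wire ci_exit_code into the pipeline step that runs after the SBOM is generated, and keep the threshold and the KEV requirement as policy inputs rather than code constants so the security team can tighten them without a code change.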
A07:2026 — Identification & Authentication Failures
Phishing-resistant MFA (FIDO2/WebAuthn) is the 2026 baseline. SMS OTP and TOTP are downgraded to transitional controls: NIST SP 800-63B-4 still accepts them at AAL2, but they remain phishable, so require a phishing-resistant authenticator for any account that touches money, PII, or admin functions. Block credential stuffing with device fingerprinting plus rate limiting, and reject already-breached passwords via Have-I-Been-Pwned k-anonymity lookups on registration and password change.
- Lockout after 10 failed attempts within 15 minutes; escalate the lockout both by IP and by account, so neither a single-account brute force nor a distributed password spray slips under the counter.
- Session cookies: HttpOnly, Secure, SameSite=Lax; rotate the session ID on privilege change.
- Magic-link e-mails expire in under 10 minutes and are one-time-use.
- OAuth state parameter mandatory; PKCE on every public client.
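The k-anonymity breached-password lookup mentioned above, as an added example (not from the page or from HIBP's own client code). Only the first five hex characters of the SHA-1 leave your network; the service returns every suffix in that range and the comparison happens locally. The offline stand-in for the range endpoint is constructed: the suffix for "password" is its real SHA-1 suffix, but the counts and the decoy suffixes are made up. fetch_range_live is the real network call and is not exercised by the test.

```python
import hashlib
import urllib.request


def hibp_split(password: str) -> tuple:
    """Uppercase SHA-1, split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padded entries with count 0 (Add-Padding) are harmless."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    prefix, suffix = hibp_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def registration_allowed(password: str, fetch_range, min_length: int = 12) -> tuple:
    """Policy for signup and password change: length floor plus zero known exposures."""
    if len(password) < min_length:
        return False, "too short"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breaches"
    return True, "ok"


def fetch_range_live(prefix: str) -> str:
    """Real lookup (network). Only the prefix leaves your network; Add-Padding hides response size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "signup-password-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range endpoint (counts and decoy suffixes are made up).
_PREFIX, _SUFFIX = hibp_split("password")
_FAKE_RANGES = {
    _PREFIX: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
        f"{_SUFFIX}:10000000\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    ),
}


def fetch_range_fake(prefix: str) -> str:
    return _FAKE_RANGES.get(prefix, "")
```

Call registration_allowed with fetch_range_live in the signup and password-change handlers; treat a network failure as "unknown" and fail open or closed according to the risk tier of the account, but log it either way.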
A08:2026 — Software & Data Integrity Failures
Sigstore-sign every container and verify the signature in an admission controller (Kyverno, OPA Gatekeeper). Deploy images by digest, never by a mutable tag. Audit GitHub Actions for unpinned third-party actions: pin to a full commit SHA, not a tag like @v1. The March 2025 tj-actions/changed-files supply-chain attack (CVE-2025-30066) compromised thousands of CI pipelines by retargeting the action's existing version tags at a malicious commit.
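A CI check for the "pin to a commit SHA" rule, added here as an example and not part of the page or of any GitHub tooling. It scans workflow text for uses: references and classifies each one: a 40-hex-character ref is pinned, a local ./path action is fine, a docker:// reference needs an @sha256 digest, and anything else (tag, branch, or floating image tag) is mutable and fails the check. The workflow fragment is constructed; the actions/checkout SHA is the one from the snippet below this example, and the other action names are placeholders.

```python
import re

# Constructed workflow fragment (placeholder action names; not from a real repository).
WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - uses: docker://ghcr.io/example/tool:latest
      - run: npm audit --audit-level=high
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """'sha' = pinned commit; 'local' = path in this repo; 'digest' = image by digest; else 'mutable'."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable"
    _, _, version = ref.partition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def unpinned_actions(workflow_text: str) -> list:
    """Every uses: reference that is not pinned to an immutable identifier, in file order."""
    return [ref for ref in USES_RE.findall(workflow_text) if classify(ref) == "mutable"]


def check_workflow(workflow_text: str) -> int:
    """Exit code for CI: 0 when everything is pinned, 1 otherwise (offenders printed as annotations)."""
    offenders = unpinned_actions(workflow_text)
    for ref in offenders:
        print(f"::error::unpinned action reference: {ref}")
    return 1 if offenders else 0
```

Run check_workflow over every file under .github/workflows/ and any composite action.yml in the repo; pair it with Dependabot or Renovate so the pinned SHAs still get bumped, with the version tag kept as a trailing comment for readability.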
```yaml
# Pin GitHub Actions by SHA, not tag
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```

```bash
# Cosign verify in CI before deploy
cosign verify \
  --certificate-identity-regexp '^https://github.com/myorg/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/myorg/api@sha256:abc...
```

A09:2026 — Security Logging & Monitoring Failures
Ship structured logs (JSON) with correlation IDs across every microservice. Stream to a SIEM with Sigma rules covering OWASP A01-A10. Detection-as-code beats screenshots in audit. Mean-time-to-detect (MTTD) is the metric your CISO should be tracking quarterly — anything north of 24 hours for a high-severity event indicates the SOC playbooks don't map to actual telemetry.
- Log every authentication event (success, failure, MFA challenge), every authorisation denial, every privileged action.
- Never log secrets or full credit card PANs. PII redaction must be at the producer, not the SIEM.
- Centralise logs in a write-once, tamper-evident store (for example S3 Object Lock in compliance mode for exported CloudWatch Logs, or a GCP Cloud Logging bucket with locked retention).
- Alert on the absence of expected log streams — silent SOC is a compromised SOC.
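A producer-side structured logger that applies the redaction and injection-resistance bullets above, added as an example (not from the page or from any logging library). It emits one JSON object per event with a correlation ID, drops values for secret-bearing field names, masks Luhn-valid card numbers to first-six/last-four, and replaces control characters so the CRLF payload from the A03 section cannot forge a second log line in any free-text sink downstream. The field names in SECRET_KEYS and the sample values are constructed.

```python
import json
import re
import uuid

# Field names whose values never reach the log, whatever the caller passes (constructed list).
SECRET_KEYS = {"password", "authorization", "cookie", "set-cookie", "token", "secret"}
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits with optional separators
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")           # CR, LF, ESC, NUL and friends


def luhn_ok(digits: str) -> bool:
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit from the right gets doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Mask Luhn-valid digit runs; leave order numbers and other non-Luhn digit runs alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)


def sanitize(value):
    """Strings lose control characters (one event can never become two lines) and PANs."""
    if isinstance(value, str):
        return mask_pans(CONTROL_RE.sub(" ", value))
    return value


def log_record(event: str, correlation_id=None, **fields) -> dict:
    record = {"event": event, "correlation_id": correlation_id or str(uuid.uuid4())}
    for key, value in fields.items():
        record[key] = "[REDACTED]" if key.lower() in SECRET_KEYS else sanitize(value)
    return record


def log_line(event: str, correlation_id=None, **fields) -> str:
    """One JSON object per line, safe for any line-oriented shipper."""
    return json.dumps(log_record(event, correlation_id, **fields), separators=(",", ":"))
```

Emit log_line from every service with the correlation ID taken from the inbound request header (and generated at the edge when absent), and keep the redaction here rather than in a SIEM pipeline rule: once a secret has been shipped, it already sits in the collector's buffers and backups.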
A10:2026 — Server-Side Request Forgery (SSRF)
Cloud metadata endpoints (AWS IMDSv1 at 169.254.169.254, GCP metadata.google.internal, Azure 169.254.169.254/metadata/) remain prime SSRF targets. The 2019 Capital One breach, for which the OCC later levied a USD 80M penalty, was a textbook IMDSv1 SSRF. Enforce IMDSv2 on AWS, block egress to RFC 1918 and link-local ranges from app subnets, and resolve each outbound hostname once, validate every returned address, and connect to that address rather than looking it up again (the second lookup is what DNS rebinding exploits).
```text
# Common SSRF probe payloads
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://[::ffff:a9fe:a9fe]/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/?alt=json      (needs header Metadata-Flavor: Google)
http://169.254.169.254/metadata/instance?api-version=2021-02-01   (needs header Metadata: true)
# DNS rebinding bait
http://a9fea9fe.7f000001.rbndr.us/   # alternates between 169.254.169.254 and 127.0.0.1
http://169.254.169.254.nip.io/       # wildcard DNS that resolves to the embedded IP
# Gopher / dict / file SSRF (server-side fetcher with broad URL parser)
gopher://internal-redis:6379/_FLUSHALL
file:///etc/passwd
```

Defence: use a fetch path that resolves the hostname once, rejects any answer in the RFC 1918, link-local, loopback, multicast or IPv4-mapped ranges, and connects to the vetted address while sending the original Host header and SNI; route outbound traffic through an egress proxy that independently denies the metadata ranges. In Go, net.Dialer's Control hook (reached through a custom Transport.DialContext) sees the resolved address before the connection is made; in Python, requests has no built-in equivalent, so pre-resolve and pin, or put the check in a custom adapter. Re-run the check on every redirect hop, since the first response can redirect to an internal address.
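The resolve-once-then-validate step from the defence paragraph, as an added example that is not part of the page or of any fetch library. vet_url rejects non-HTTP schemes (so gopher:// and file:// never reach a fetcher), rejects userinfo, resolves the host once, and requires every returned address to be outside the blocked ranges, including IPv4-mapped IPv6 forms of the metadata address; the caller then connects to the returned pinned IP. resolve_all is the real resolver; fake_resolver and its table (including a host whose answers are split between a public and a link-local address, the rebinding shape) are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the v4 ranges apply to it too.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def resolve_all(host: str) -> list:
    """Resolve once and return every A/AAAA answer; all of them must pass, not just the first."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def vet_url(url: str, resolver=resolve_all) -> tuple:
    """Return (ok, reason, pinned_ip). Connect to pinned_ip and send Host/SNI for parts.hostname."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme}", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    if parts.username or parts.password:
        return False, "userinfo not allowed", None
    ips = resolver(host)
    if not ips:
        return False, "unresolvable host", None
    for ip in ips:
        if is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}", None
    return True, "ok", ips[0]


def fake_resolver(host: str) -> list:
    """Constructed resolver for offline tests: IP literals resolve to themselves, names via a table."""
    table = {
        "target.tld": ["203.0.113.10"],
        "rebinder.example": ["203.0.113.10", "169.254.169.254"],   # split answers, rebinding shape
        "internal-redis": ["10.0.0.5"],
    }
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return table.get(host, [])
```

Because the pinned IP, not the hostname, is what the socket connects to, a second lookup never happens and a rebinding name cannot swap answers between the check and the connection; for HTTPS the client still has to present the original hostname as SNI and verify the certificate against it. Decimal or octal IP spellings (2130706433, 0177.0.0.1) are not accepted by ipaddress and therefore come back from resolve_all as whatever the system resolver turns them into, which the same range check then catches.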
Mapping the Top 10 to your audit framework
| OWASP 2026 | SOC 2 (TSC) | PCI DSS v4.0 | ISO 27001:2022 |
|---|---|---|---|
| A01 Access Control | CC6.1, CC6.3 | 7.1, 7.2 | A.5.15, A.8.3 |
| A02 Cryptography | CC6.7 | 3.5, 4.2 | A.8.24 |
| A03 Injection | CC8.1 | 6.2.4 | A.8.28 |
| A05 Misconfiguration | CC7.1 | 2.2 | A.8.9 |
| A06 Vulnerable Components | CC7.1 | 6.3.3 | A.8.8 |
| A07 Auth Failures | CC6.1 | 8.3, 8.4 | A.5.16 |
| A09 Logging | CC7.2 | 10.2, 10.4 | A.8.15 |
| A10 SSRF | CC6.6 | 1.4.4 | A.8.22 |
What this means for your team
Stand up a single internal page that lists each of A01-A10, the test that proves it's covered, the owning team, and the last green build. Wire the Nuclei sweep, your Semgrep rules, and your integration tests so the page rebuilds on every merge. If a category is red for more than seven days, the on-call lead owns it. That is the OWASP Top 10 implemented as an SLO, not as a slide deck — and it is the only version that survives an actual audit cycle.
Further reading
- OWASP LLM Top 10 Explained — the AI-application companion to this list.
- Nuclei Templates Explained — automate the per-category sweeps referenced above.
- API Pentest Methodology — where A01, A03, and A10 most often bite.
- CVSS 3.1 vs 4.0 — how to score the findings these checks surface.