OWASP Top 10 2021 Reference

The OWASP Top 10 2021 edition remains the most widely referenced version in active compliance programs, audit frameworks, and regulatory standards. This page provides a complete reference for each 2021 category, including what ByteHide Radar detects and how each category maps to the updated 2025 edition. Use this page if your organization's compliance requirements such as PCI DSS, SOC 2, or ISO 27001, still reference the 2021 standard.

2021 to 2025 Mapping

The following table shows how every OWASP Top 10 2021 category maps to its 2025 counterpart. Two new categories were introduced in 2025 (Software Supply Chain Failures and Mishandling of Exceptional Conditions), while SSRF was absorbed into Broken Access Control.

2021 ID2021 Category2025 ID2025 CategoryNotes
A01:2021Broken Access ControlA01:2025Broken Access ControlSSRF merged in
A02:2021Cryptographic FailuresA04:2025Cryptographic FailuresMoved to #4
A03:2021InjectionA05:2025InjectionMoved to #5
A04:2021Insecure DesignA06:2025Insecure DesignMoved to #6
A05:2021Security MisconfigurationA02:2025Security MisconfigurationMoved to #2
A06:2021Vulnerable and Outdated ComponentsA03:2025Software Supply Chain FailuresExpanded scope, renamed
A07:2021Identification and Authentication FailuresA07:2025Authentication FailuresRenamed
A08:2021Software and Data Integrity FailuresA08:2025Software or Data Integrity FailuresMinor rename
A09:2021Security Logging and Monitoring FailuresA09:2025Security Logging and Alerting FailuresRenamed
A10:2021Server-Side Request Forgery (SSRF)A01:2025Broken Access ControlMerged into A01

A01:2021 Broken Access Control

Broken access control was found in 94% of applications tested, making it the most prevalent vulnerability category. It covers failures in enforcing policies so that users cannot act outside their intended permissions, including missing authorization checks, insecure direct object references, CORS misconfigurations, forced browsing, privilege escalation, and cross-site request forgery.

What Radar Detects

  • Missing authorization checks on controllers and API endpoints
  • Insecure Direct Object References (IDOR) where user-supplied IDs are passed to data lookups without ownership verification
  • Overly permissive CORS configurations allowing credentialed cross-origin requests
  • Forced browsing to unprotected administrative or sensitive resources
  • Privilege escalation paths where standard users can reach administrative functionality
  • Cross-Site Request Forgery (CSRF) on state-changing operations lacking anti-forgery tokens
  • Missing function-level access control on role-restricted endpoints

CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-352 (Cross-Site Request Forgery).

See the 2025 equivalent: A01:2025 Broken Access Control.

A02:2021 Cryptographic Failures

Previously known as "Sensitive Data Exposure" in the 2017 edition, this category was refocused on failures related to cryptography that often lead to data exposure or system compromise. It covers the use of weak or broken cryptographic algorithms, hardcoded secrets, missing transport-layer security, and insecure random number generation.

What Radar Detects

  • Weak hashing algorithms (MD5, SHA1) used for passwords or integrity checks
  • Insecure encryption algorithms (DES, 3DES, RC4) and insecure block cipher modes (ECB)
  • Hardcoded cryptographic keys and secrets embedded in source code
  • Missing TLS enforcement on sensitive data transmission
  • Insecure random number generators used in security-sensitive contexts
  • Cleartext storage or transmission of sensitive data
  • Weak key derivation functions (KDFs) that fail to use sufficient iterations or salt

CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-330 (Use of Insufficiently Random Values), CWE-798 (Use of Hard-coded Credentials), CWE-311 (Missing Encryption of Sensitive Data).

See the 2025 equivalent: A04:2025 Cryptographic Failures.

A03:2021 Injection

Injection held the number-one position in the 2017 edition and moved to third in 2021, with Cross-Site Scripting (XSS) merged into this category. Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query, allowing attackers to execute unintended commands or access unauthorized data.

What Radar Detects

  • SQL injection through string concatenation in queries
  • Parameterized query bypass and improper use of query parameters
  • ORM raw query injection where user input flows into raw SQL methods
  • OS command injection via unsanitized input in shell commands
  • LDAP injection in directory service queries
  • XPath injection in XML document queries
  • Server-side template injection (SSTI) in template engines
  • Cross-Site Scripting (XSS), reflected, stored, and DOM-based variants

CWE-89 (SQL Injection), CWE-78 (OS Command Injection), CWE-79 (Cross-Site Scripting), CWE-90 (LDAP Injection), CWE-917 (Expression Language Injection), CWE-943 (Improper Neutralization of Special Elements in Data Query Logic).

See the 2025 equivalent: A05:2025 Injection.

A04:2021 Insecure Design

Introduced as a new category in 2021, Insecure Design focuses on risks related to design and architectural flaws rather than implementation bugs. A secure implementation of an insecure design cannot fix the underlying problem. This category calls for greater use of threat modeling, secure design patterns, and reference architectures.

What Radar Detects

  • Missing rate limiting on authentication and sensitive business operations
  • Absent trust boundary validation between application tiers
  • Insecure business logic patterns that can be exploited through normal application flow
  • Missing account lockout mechanisms after repeated failed authentication attempts
  • Overly detailed error messages that reveal internal architecture information
  • Insufficient input validation at design boundaries

CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-256 (Plaintext Storage of a Password), CWE-501 (Trust Boundary Violation).

See the 2025 equivalent: A06:2025 Insecure Design.

A05:2021 Security Misconfiguration

Security misconfiguration covers overly permissive defaults, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. This category also absorbed XML External Entities (XXE) from the 2017 edition.

What Radar Detects

  • Debug mode and development settings left enabled in production deployments
  • Verbose error messages that expose stack traces, database details, or internal paths
  • Insecure default configurations that have not been hardened
  • Unnecessary features, ports, or services enabled in production
  • Missing security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security)
  • XML External Entity (XXE) processing enabled in XML parsers
  • Permissive file upload configurations without proper validation

CWE-611 (Improper Restriction of XML External Entity Reference), CWE-16 (Configuration), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

See the 2025 equivalent: A02:2025 Security Misconfiguration.

A06:2021 Vulnerable and Outdated Components

This category addresses risks from using components (libraries, frameworks, and other software modules) with known vulnerabilities. While Radar's SAST engine focuses on first-party code analysis, it detects patterns where known-vulnerable APIs or deprecated security functions are used directly in source code.

What Radar Detects

  • Usage of known-vulnerable API patterns from popular libraries
  • Calls to deprecated security functions that have known weaknesses
  • Insecure default configurations in third-party library initialization
  • Usage of library features documented as unsafe or security-sensitive
  • Missing version pinning in dependency declarations

SCA for Dependency Scanning

For full dependency vulnerability scanning (matching installed packages against CVE databases), use ByteHide Radar's SCA (Software Composition Analysis) capabilities alongside SAST. SAST detects vulnerable code patterns; SCA detects vulnerable package versions.

CWE-1104 (Use of Unmaintained Third Party Components).

See the 2025 equivalent: A03:2025 Software Supply Chain Failures.

A07:2021 Identification and Authentication Failures

Previously named "Broken Authentication" and ranked number two in the 2017 edition, this category covers weaknesses in authentication mechanisms. Confirmation of the user's identity, authentication, and session management is critical to protecting against authentication-related attacks.

What Radar Detects

  • Hardcoded credentials (usernames, passwords, API keys) embedded in source code
  • Weak password validation rules that permit easily guessable passwords
  • Session fixation vulnerabilities where session tokens are not rotated after authentication
  • Missing brute force protection on login and authentication endpoints
  • Insecure password storage using weak or unsalted hashing algorithms
  • Credentials transmitted or stored in URLs and query parameters
  • Missing multi-factor authentication enforcement on sensitive operations

CWE-798 (Use of Hard-coded Credentials), CWE-287 (Improper Authentication), CWE-384 (Session Fixation).

See the 2025 equivalent: A07:2025 Authentication Failures.

A08:2021 Software and Data Integrity Failures

New in 2021, this category absorbed "Insecure Deserialization" from the 2017 Top 10 (A08:2017). It focuses on code and infrastructure that does not protect against integrity violations. Assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity.

What Radar Detects

  • Insecure deserialization patterns in C#, Python, Java, PHP, and Ruby
  • Prototype pollution in JavaScript and TypeScript applications
  • Unsigned code or resources loaded from external CDNs without integrity verification (missing Subresource Integrity)
  • Unsafe use of eval(), pickle.loads(), ObjectInputStream, unserialize(), or equivalent deserialization sinks
  • Missing integrity checks on serialized data from untrusted sources

CWE-502 (Deserialization of Untrusted Data), CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

See the 2025 equivalent: A08:2025 Software or Data Integrity Failures.

A09:2021 Security Logging and Monitoring Failures

Ranked tenth in the 2017 edition and moved up to ninth in 2021, this category covers insufficient logging, detection, monitoring, and active response. Without proper logging and monitoring, breaches cannot be detected, and incident response is severely impaired.

What Radar Detects

  • Sensitive data written to log files (passwords, tokens, PII, credit card numbers)
  • Missing error handling that silently swallows exceptions without logging
  • Swallowed exceptions in catch blocks with empty bodies or no-op handlers
  • Credentials and secrets included in log output or error messages
  • Logging configurations that write to insecure destinations
  • Missing audit trail logging for security-critical operations

CWE-778 (Insufficient Logging), CWE-223 (Omission of Security-relevant Information).

See the 2025 equivalent: A09:2025 Security Logging and Alerting Failures.

A10:2021 Server-Side Request Forgery (SSRF)

SSRF was introduced as a new standalone category in the 2021 edition. In the 2025 update, it was merged into A01:2025 (Broken Access Control), reflecting that SSRF is fundamentally an access control failure where the server makes requests on behalf of an attacker. SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL.

What Radar Detects

  • Unvalidated URL parameters passed to server-side HTTP request functions
  • Internal endpoint access through user-controlled URLs targeting private IP ranges
  • Cloud metadata endpoint access via requests to 169.254.169.254 and equivalent cloud provider metadata services
  • DNS rebinding patterns that bypass URL validation
  • URL scheme exploitation using file://, gopher://, dict://, and other non-HTTP protocols
  • Missing allowlist validation on outbound request destinations

CWE-918 (Server-Side Request Forgery).

See the 2025 equivalent: A01:2025 Broken Access Control.

Compliance Frameworks and the 2021 Edition

Many compliance frameworks and regulatory standards reference the OWASP Top 10 either directly or as a recommended benchmark. Understanding which edition your compliance program requires ensures accurate mapping of Radar findings to audit evidence.

FrameworkOWASP ReferenceNotes
PCI DSS v4.0References OWASP Top 10 directlyRequirement 6.2.4 requires addressing common software attacks including those in the OWASP Top 10. Most current audit cycles accept either 2021 or 2025
SOC 2Indirect referenceSecurity criteria (CC6, CC7) align with OWASP categories. Auditors commonly accept OWASP-based vulnerability classification
ISO 27001:2022Indirect referenceAnnex A controls (A.8.25 through A.8.28) on secure development align with OWASP vulnerability categories
NIST SP 800-53Indirect referenceSI (System and Information Integrity) controls map to several OWASP categories
HIPAAIndirect referenceTechnical safeguards for ePHI map to access control and cryptographic failure categories
FedRAMPReferences OWASP Top 10Application security testing requirements reference the OWASP Top 10 as a baseline

Transitioning to 2025

If your compliance program currently references the 2021 edition, you can use the mapping table at the top of this page to translate between editions. Radar tags findings with both 2021 and 2025 OWASP categories, so you can filter by either standard when generating compliance reports.

Next Steps

OWASP Top 10 Overview

All OWASP standards mapped by Radar.

CWE Reference

CWE identifiers used to classify findings.

View SAST Findings

Navigate and filter the SAST findings table.

Previous
LLM10 - Unbounded Consumption
Next
Overview