Report writing

OWASP Top 10 (2021) Explained for Report Writers

How to classify findings, write better descriptions, and route vulnerabilities to the right fix — using the OWASP Top 10 as your taxonomy.

The OWASP Top 10 is the shared vocabulary between security researchers and development teams. When you label a finding "A01:2021 — Broken Access Control" in a pentest or bug bounty report, the client's engineers know which OWASP guidance to consult and which class of fix to implement. This guide explains each 2021 category from a report writer's perspective — what to look for, how to describe it, and which CWEs to reference.

The official list lives at owasp.org/www-project-top-ten. Pair OWASP categories with CVSS scores from our CVSS calculator for complete finding entries, as shown in our vulnerability assessment report example.

Why classification matters in reports

Without a standard category, findings get misrouted. A broken access control issue filed as "security misconfiguration" may land with the infrastructure team instead of the application developers who own the authorization logic. Correct OWASP labeling:

  • Routes the finding to the right engineering team
  • Enables trend analysis across engagements ("40% of findings are A01 this quarter")
  • Aligns with compliance frameworks that reference OWASP (PCI DSS, SOC 2)
  • Gives developers a starting point for remediation via OWASP Cheat Sheets

A01:2021 — Broken Access Control

What it covers: Users acting outside their intended permissions — IDOR, forced browsing, privilege escalation, missing function-level access control, CORS misconfiguration allowing unauthorized data access.

Report writing tip: State which role or user type can access what they should not. "User A (customer) can view User B's order details by changing the order_id parameter" is better than "access control issue found."

Common CWEs: CWE-639 (Authorization Bypass), CWE-284 (Improper Access Control), CWE-862 (Missing Authorization)

A02:2021 — Cryptographic Failures

What it covers: Failures related to cryptography — transmitting sensitive data in cleartext, using deprecated algorithms (MD5, SHA-1, DES), weak TLS configurations, hardcoded encryption keys, insufficient entropy in tokens.

Report writing tip: Name the data at risk and the specific cryptographic failure. "Credit card numbers transmitted over HTTP on the checkout page" not "crypto issue." Reference the algorithm and version where applicable.

Common CWEs: CWE-311 (Missing Encryption), CWE-327 (Broken Crypto Algorithm), CWE-798 (Hard-coded Credentials)

A03:2021 — Injection

What it covers: SQL injection, NoSQL injection, OS command injection, LDAP injection, XSS (stored, reflected, DOM-based), template injection, header injection.

Report writing tip: Specify the injection type and the sink. "SQL injection in the search parameter of /api/products via unsanitized string concatenation" gives developers an exact starting point. Include the payload that triggered the vulnerability.

Common CWEs: CWE-89 (SQL Injection), CWE-79 (XSS), CWE-78 (OS Command Injection)

A04:2021 — Insecure Design

What it covers: Flaws in the threat model and architecture — missing rate limiting on authentication, business logic flaws, lack of input validation by design, trust boundaries that assume client-side controls are sufficient.

Report writing tip: This category requires explaining the design flaw, not just the symptom. "The password reset flow does not invalidate previous reset tokens, allowing an attacker with an old token to reset the password after the user completes a newer reset" describes the design gap.

Common CWEs: CWE-840 (Business Logic Error), CWE-602 (Client-Side Enforcement of Server-Side Security)

A05:2021 — Security Misconfiguration

What it covers: Default credentials, unnecessary features enabled, verbose error messages, missing security headers, open cloud storage buckets, directory listing enabled, outdated software with known CVEs.

Report writing tip: Distinguish misconfiguration from design flaws. A missing Content-Security-Policy header is A05; a fundamentally broken authorization model is A01 or A04. Note the specific configuration item and the secure alternative.

Common CWEs: CWE-16 (Configuration), CWE-1188 (Insecure Default), CWE-200 (Information Exposure)

A06:2021 — Vulnerable and Outdated Components

What it covers: Libraries, frameworks, and dependencies with known vulnerabilities — outdated jQuery, Log4j, Spring Framework, npm packages with published CVEs.

Report writing tip: Include the component name, current version, fixed version, and CVE identifier. "jQuery 1.11.1 (CVE-2020-11022, CVE-2020-11023) — upgrade to 3.5.0+" is actionable. Confirm the vulnerable code path is actually reachable, not just present in a vendor bundle.

Common CWEs: CWE-1035 (Vulnerable Third-Party Component), CWE-1104 (Unmaintained Component)

A07–A10: Authentication, Integrity, Logging, and SSRF

A07 — Identification and Authentication Failures: Weak passwords allowed, credential stuffing possible, session fixation, missing MFA on sensitive actions. Write reports that specify which authentication control failed and the attacker prerequisite.

A08 — Software and Data Integrity Failures: Unsigned updates, insecure CI/CD pipelines, deserialization of untrusted data. Increasingly relevant for supply chain findings.

A09 — Security Logging and Monitoring Failures: Missing audit logs for sensitive actions, logs that do not capture enough context for incident response. Often paired with other findings — note when a successful exploit leaves no forensic trail.

A10 — Server-Side Request Forgery (SSRF): Application fetches attacker-controlled URLs, potentially reaching internal services. Document the internal resource accessed (metadata endpoints, internal APIs) and the impact chain.

Practical mapping tips for report writers

One finding, one primary category. A stored XSS that bypasses access control is primarily A03 (Injection). Mention the access control angle in the impact section, but pick the category that drives the fix.

Include CWE alongside OWASP. OWASP gives the bucket; CWE gives the specific weakness. "A03:2021 — Injection (CWE-89: SQL Injection)" is the gold standard for classification fields.

Reference OWASP remediation guidance. Link to the relevant OWASP Cheat Sheet in your remediation section. Developers trust OWASP-authored fix guidance.

Use OWASP in executive summaries. "8 of 15 findings map to A01 (Broken Access Control), indicating systemic authorization gaps" tells leadership where to invest, not just how many bugs exist.

For full report structure guidance, see how to write a penetration testing report. For bug bounty submissions, OWASP classification helps but impact demonstration matters more — see how to write a bug bounty report.

The bottom line

The OWASP Top 10 (2021) gives report writers a standard taxonomy that developers and compliance auditors recognize. Classify every finding with an OWASP category and CWE, write descriptions that name the specific control failure, and pair categories with CVSS scores for complete entries. Use PoCcraft to generate structured findings and our CVSS calculator for consistent severity ratings.