What OWASP Top 10 categories do most scanners miss?

Most automated scanners have weak coverage for A04 (Insecure Design), A05 (Security Misconfiguration beyond defaults), A08 (Software and Data Integrity Failures), and A10 (Server-Side Request Forgery). These categories require context-aware testing that goes beyond signature matching.

Why is TLS misconfiguration still so common in 2026?

TLS misconfigurations persist because teams configure TLS once at deployment and rarely audit it again. Certificate rotation, cipher suite updates, and HSTS enforcement require ongoing attention. Many organizations still support TLS 1.0/1.1 for legacy client compatibility.

How do SQL injection attacks bypass WAFs in 2026?

Modern SQLi bypass techniques include encoding tricks (double URL encoding, Unicode normalization), comment injection to break WAF pattern matching, and boolean-based blind injection that produces no error output. WAFs that rely on signature matching miss these variants.

What should security teams prioritize scanning for this week?

This week: audit TLS configurations for expired certificates and weak cipher suites, test injection points for SQLi (especially boolean-based blind), review API gateway CORS policies, and check Next.js applications for exposed debug endpoints and source maps.

How often should organizations run OWASP Top 10 scans?

Continuous scanning is ideal. At minimum, run full OWASP Top 10 scans after every deployment, weekly for production environments, and immediately after any dependency update. Injection testing (A03) and misconfiguration checks (A05) should run on every CI/CD pipeline.

Security Roundup March 31 – April 6, 2026: OWASP Top 10 Scanner Coverage, TLS Misconfigs at Scale & SQLi Still Everywhere

Published: April 7, 2026 • Reading time: 12 minutes • 🚨 WEEKLY ROUNDUP

📢 Affiliate Disclosure: This site contains affiliate links to Amazon. We earn a commission when you purchase through our links at no additional cost to you.

This week we're stepping back from individual CVEs to look at the bigger picture: how well do your security scanners actually cover the OWASP Top 10? The answer, for most teams, is worse than they think.

A gap analysis of major scanning platforms reveals that most automated tools cover A01 (Broken Access Control), A02 (Cryptographic Failures), and A03 (Injection) reasonably well — but drop off sharply for A04 through A10. Meanwhile, TLS misconfigurations continue to plague production environments at scale, SQL injection bypass techniques are evolving faster than WAF signatures, and the explosion of Next.js and API gateway deployments has created new attack surface that traditional scanners don't touch.

We also look at what's changed in the scanning landscape this week: new detection capabilities for CORS misconfigurations, authenticated portal testing, webmail CVE fingerprinting, TLS auditing, and SQL injection probing — all areas where the gap between "what scanners check" and "what attackers exploit" has been narrowing.

Five themes this week — here's what matters for security teams and bug hunters.

1. The OWASP Top 10 Scanner Coverage Gap

Ask any security team if they scan for the OWASP Top 10 and the answer is almost always yes. Ask them which specific categories their scanner covers and the confidence drops fast.

The reality: most automated scanners provide strong coverage for three categories and partial-to-no coverage for the remaining seven.

OWASP Category	Typical Scanner Coverage	Why It's Hard to Automate
A01: Broken Access Control	🟡 Partial	Requires authenticated sessions and role context
A02: Cryptographic Failures	🟢 Good	TLS/cert checks are well-understood; data-at-rest is harder
A03: Injection (SQLi, XSS)	🟢 Good	Mature detection; blind variants still missed
A04: Insecure Design	🔴 Poor	Design flaws require business logic understanding
A05: Security Misconfiguration	🟡 Partial	Default checks exist; custom configs need context
A06: Vulnerable Components	🟢 Good	SCA tools handle this well; runtime detection is harder
A07: Auth Failures	🟡 Partial	Credential stuffing detection exists; session management gaps are harder
A08: Software Integrity Failures	🔴 Poor	Supply chain and CI/CD integrity require pipeline access
A09: Logging Failures	🔴 Poor	Can't test logging from outside the application
A10: SSRF	🟡 Partial	Requires out-of-band callbacks or response analysis

The takeaway: if your security program relies solely on automated scanning, you likely have blind spots in at least four OWASP categories. The fix isn't to abandon automation — it's to understand what your scanner covers and supplement with manual testing or specialized tools for the gaps.

What to Do About It

Map your scanner's coverage against each OWASP category explicitly. Most vendors don't publish this mapping clearly.
Layer specialized tools for weak categories: SCA for A06, SAST for A04/A08, and manual pen testing for A01/A04.
Prioritize A03 and A10 for automated testing — injection and SSRF are the categories where automation has the highest ROI and attackers are most active.

2. TLS Misconfigurations: Still the #1 Cryptographic Failure

OWASP A02 (Cryptographic Failures) sounds abstract until you realize the most common manifestation is straightforward: bad TLS configuration. And it's everywhere.

The pattern repeats across organizations of every size: TLS is configured once during initial deployment, then never audited again. Certificates expire. Cipher suites that were acceptable in 2022 are now deprecated. HSTS headers are missing or misconfigured. And because "the site loads fine over HTTPS," nobody notices.

The Five TLS Checks Every Scanner Should Run

Protocol version — TLS 1.0 and 1.1 are deprecated (RFC 8996). Only TLS 1.2+ should be accepted. TLS 1.3 is preferred.
Cipher suite strength — RC4, DES, 3DES, and export-grade ciphers must be disabled. Look for suites with forward secrecy (ECDHE/DHE).
Certificate validity — Check expiration date, chain completeness, and whether the cert matches the hostname. Wildcard certs covering too many services are a risk.
HSTS enforcement — The Strict-Transport-Security header should be present with max-age of at least 31536000 (1 year). includeSubDomains and preload are recommended.
Certificate transparency — Verify the certificate appears in CT logs. Certificates not logged in CT are increasingly flagged by browsers.

If your scanner doesn't check all five, you have a gap. Our TLS auditing deep dive covers each check in detail with remediation steps.

3. SQL Injection in 2026: WAF Bypass Patterns That Still Work

SQL injection is 26 years old and still the most exploited injection flaw in web applications. OWASP ranks it A03. Every major breach database includes SQLi as a root cause. And yet, it persists — not because we don't know how to prevent it, but because the attack surface keeps expanding and bypass techniques keep evolving.

Why WAFs Aren't Enough

Web Application Firewalls catch the obvious patterns: OR 1=1, UNION SELECT, DROP TABLE. But modern SQLi bypass techniques exploit the gap between what the WAF parses and what the database executes:

Double URL encoding — %2527 decodes to %27 at the WAF layer, then to ' at the application layer. The WAF sees a harmless encoded string; the database sees a quote.
Comment injection — SEL/**/ECT breaks WAF keyword matching but executes normally on MySQL. Each database has different comment syntax that can be exploited.
Boolean-based blind injection — No error output, no UNION results. The attacker infers data by comparing response lengths: AND 1=1 (normal response) vs AND 1=2 (different response). WAFs that look for error strings miss this entirely.
Database-specific syntax — PostgreSQL's $$ string quoting, MySQL's backtick identifiers, MSSQL's EXEC vs EXECUTE — each database accepts syntax the others don't, and WAF rules rarely cover all variants.

The fix is defense in depth: parameterized queries at the code level (not WAF-level filtering), least-privilege database accounts, and scanners that test for blind injection variants — not just error-based. Our SQLi detection guide covers what a thorough scanner should check.

4. Next.js, API Gateways & the New Attack Surface

The web stack has shifted. Next.js is now the default React framework. API gateways sit in front of every microservice. And both introduce attack surface that traditional web scanners weren't built to test.

Next.js Reconnaissance Targets

Next.js applications expose predictable endpoints that reveal application structure:

/_next/data/ — Server-side props data, often containing internal API responses
/_next/static/ — Build manifests that reveal every route in the application
/api/ — API routes that may lack the same auth middleware as page routes
Source maps in development builds that expose the full source code

Most vulnerability scanners don't check these paths. A Next.js-aware recon tool should enumerate routes from the build manifest, check for exposed source maps, and test API routes independently from page routes.

API Gateway CORS Misconfigurations

API gateways (AWS API Gateway, Kong, Nginx) frequently have CORS policies that are too permissive:

Access-Control-Allow-Origin: * on authenticated endpoints — allows any origin to make credentialed requests
Reflecting the Origin header back without validation — effectively the same as wildcard but harder to detect in config review
Missing Access-Control-Allow-Credentials: true check — the gateway allows cross-origin requests but the developer assumes CORS blocks them

These misconfigurations are especially dangerous when the API gateway sits in front of internal services. A CORS tester that sends requests with various Origin headers and checks the response policy is essential. See our SecurityClaw new skills roundup for how automated CORS testing works in practice.

5. Scanner Landscape: What Changed This Week

The gap between "what scanners check" and "what attackers exploit" narrowed this week with several new detection capabilities shipping across the ecosystem:

Capability	OWASP Category	What It Detects
API Gateway CORS Testing	A05 (Misconfiguration)	Wildcard origins, reflected origins, missing credential checks
Next.js Reconnaissance	A05 (Misconfiguration)	Exposed build manifests, source maps, unprotected API routes
Webmail CVE Fingerprinting	A06 (Vulnerable Components)	Roundcube, Zimbra, Horde version detection against known CVEs
TLS Configuration Auditing	A02 (Cryptographic Failures)	Weak ciphers, expired certs, missing HSTS, deprecated protocols
SQL Injection Probing	A03 (Injection)	Error-based (4 DB signatures) + boolean-based blind detection
Authenticated Portal Testing	A07 (Auth Failures)	Default credentials, login bypass, session management flaws

The trend is clear: scanners are moving from generic vulnerability signatures toward OWASP-category-specific detection modules. This is the right direction — but it means security teams need to actively track which categories their toolchain covers and update their scanning configuration as new capabilities ship.

6. Action Items for Security Teams

This Week's Priority Checklist

Audit your TLS configuration — Run a TLS scan against all production endpoints. Check for expired certificates, weak cipher suites, and missing HSTS headers. Fix anything supporting TLS < 1.2.
Test for blind SQL injection — Error-based SQLi is easy to catch. Boolean-based blind injection is not. Run injection tests that compare response lengths, not just error strings.
Check your CORS policies — If you run API gateways, verify that Access-Control-Allow-Origin is not set to * on any authenticated endpoint. Test with unexpected Origin headers.
Scan Next.js applications — If you deploy Next.js, check for exposed /_next/data/ endpoints, build manifests, and source maps in production. These are information disclosure risks.
Map your OWASP coverage — Document which OWASP Top 10 categories your current scanner covers. Identify the gaps. Plan manual testing or specialized tools for uncovered categories.

7. Essential Tools & Resources

Scanning & Testing

OWASP ZAP — Free, open-source web app scanner. Strong A03 coverage. See our ZAP vs Burp comparison.
Nuclei — Template-based scanner with community-contributed detection rules. See our Nuclei comparison.
testssl.sh — Command-line TLS testing tool. Checks protocols, ciphers, certificates, and headers.
sqlmap — Automated SQL injection detection and exploitation. Supports blind, error-based, and time-based techniques.

References

OWASP Top 10 (2021) — The definitive web application security risk list
OWASP Cheat Sheet Series — Practical remediation guidance for each category
CISA KEV Catalog — Known exploited vulnerabilities requiring immediate attention

Bottom Line

The OWASP Top 10 hasn't changed since 2021, but the attack surface has. Next.js, API gateways, and cloud-native architectures introduce risks that the 2021 list anticipated but most scanners still don't cover well. The gap is closing — new detection capabilities for CORS, TLS, SQLi, and framework-specific recon shipped this week — but security teams need to actively manage their coverage map rather than assuming "we scan for OWASP" means "we're covered."

Next week: we'll cover SSRF detection techniques and how cloud metadata endpoints remain the most exploited SSRF target in 2026.