OWASP Top 10 2025 IAAA Failures
May 18, 2025

Definition
IAAA is a simple way to think about how users and their actions are verified in applications. Each item depends on the one before it, so no level can be skipped: if an earlier item is not performed, the later items cannot be performed either. The four items are:
- Identity - the unique account (e.g., user ID/email) that represents a person or service.
- Authentication - proving that identity (passwords, OTP, passkeys).
- Authorisation - what that identity is allowed to do.
- Accountability - recording and alerting on who did what, when, and from where.
A01: Broken Access Control
Broken Access Control happens when the server doesn’t properly enforce who can access what on every request. A common occurrence is IDOR (Insecure Direct Object Reference): if changing an ID (like ?id=7 → ?id=6) lets you see or edit someone else’s data, access control is broken.
In practice this shows up as horizontal privilege escalation (same role, another user’s data) or vertical privilege escalation (jumping to admin-only actions), because the application trusts client-supplied identifiers or flags instead of checking the server-side session on every request.
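The two escalation paths described above, as an added example that is not part of the original article: a vulnerable lookup that trusts the client-supplied id beside the hardened version that authorises against the session, and an admin check that trusts a client parameter beside one that uses the server-side role. The orders table, the roles and the action names are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """A logged-in principal, taken from the server-side session, never from the request."""
    id: int
    role: str  # "user" or "admin" (hypothetical roles for this example)


# Constructed sample data standing in for an orders table.
ORDERS = {
    6: {"owner_id": 2, "total": 48.00},
    7: {"owner_id": 1, "total": 12.50},
}

ADMIN_ONLY_ACTIONS = {"delete_user", "set_role"}  # hypothetical privileged actions


def get_order_vulnerable(current_user: User, order_id: int) -> dict:
    """IDOR: whatever ?id= the client sends is looked up with no ownership check."""
    return ORDERS[order_id]


def get_order(current_user: User, order_id: int) -> dict:
    """Hardened: every request is authorised against the session's identity."""
    order = ORDERS.get(order_id)
    is_owner = order is not None and order["owner_id"] == current_user.id
    is_admin = order is not None and current_user.role == "admin"
    # Same error for "does not exist" and "not yours", so an attacker cannot
    # walk the id space to learn which ids are valid.
    if not (is_owner or is_admin):
        raise PermissionError("not found")
    return order


def do_action_vulnerable(current_user: User, action: str, is_admin_param: bool) -> str:
    """Vertical escalation: trusts a client-supplied isAdmin=true parameter."""
    if action in ADMIN_ONLY_ACTIONS and not is_admin_param:
        raise PermissionError("forbidden")
    return f"{action}: ok"


def do_action(current_user: User, action: str) -> str:
    """Hardened: the role comes from the server-side session only."""
    if action in ADMIN_ONLY_ACTIONS and current_user.role != "admin":
        raise PermissionError("forbidden")
    return f"{action}: ok"


if __name__ == "__main__":
    alice = User(id=1, role="user")
    print(get_order_vulnerable(alice, 6))        # horizontal escalation: someone else's order
    try:
        get_order(alice, 6)
    except PermissionError as exc:
        print("hardened:", exc)
    print(do_action_vulnerable(alice, "delete_user", True))  # vertical escalation via a flag
```

The hardened functions take the user from the session object only; the request contributes nothing but the object id and the action name, and both are checked on every call rather than once at login.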
A07: Authentication Failures
Authentication Failures happen when an application can’t reliably verify or bind a user’s identity. Common issues include:
- username enumeration
- weak or guessable passwords, with no lockout or rate limiting to stop guessing
- logic flaws in the login/registration flow
- insecure session or cookie handling
If any of these are present, an attacker can often log in as someone else or bind a session to the wrong account.
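An added example, not code from the original article, putting a login that has three of the issues listed above (distinct error messages that enumerate usernames, no limit on attempts, and a session id that is kept across login) beside a hardened version. The user store, credentials, window size and attempt limit are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

ITERATIONS = 100_000          # PBKDF2 work factor (kept low so the example runs quickly)
MAX_FAILURES = 5              # failed attempts allowed per account ...
WINDOW_SECONDS = 300          # ... within this many seconds
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with a single hypothetical account.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _ALICE_SALT, "hash": hash_password("correct horse", _ALICE_SALT)}}

# Dummy salt/hash used for unknown usernames so the same work is done whether
# or not the account exists (no timing difference to enumerate against).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

_failures = defaultdict(list)   # username -> timestamps of recent failed attempts
SESSIONS = {}                   # session id -> username


def login_vulnerable(username: str, password: str, session_id: str) -> str:
    """Enumerates accounts via its error messages, never limits attempts, and
    binds the identity to the session id the client already had (fixation)."""
    user = USERS.get(username)
    if user is None:
        raise ValueError("No such user")
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        raise ValueError("Wrong password")
    SESSIONS[session_id] = username
    return session_id


def login(username: str, password: str, now=None) -> str:
    """Hardened: one generic error, equal work per attempt, a per-account
    failure window, and a fresh session id issued only after success."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[username] if now - t < WINDOW_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_FAILURES:
        raise ValueError("Too many attempts, try again later")
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    # Always compute and compare, then reject unknown users afterwards.
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    if not (matched and user is not None):
        _failures[username].append(now)
        raise ValueError(GENERIC_ERROR)
    _failures[username] = []
    session_id = secrets.token_urlsafe(32)   # new id on every login
    SESSIONS[session_id] = username
    return session_id


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        try:
            login_vulnerable(name, "wrong", "pre-login-id")
        except ValueError as exc:
            print(f"vulnerable {name!r}: {exc}")   # two messages: username leaked
        try:
            login(name, "wrong")
        except ValueError as exc:
            print(f"hardened {name!r}: {exc}")     # same message either way
```

The `now` parameter exists so the rate-limit window can be exercised deterministically; in production the call would use the real clock. The lockout message deliberately applies to unknown usernames as well, so the limiter itself does not become an enumeration oracle.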
A09: Logging & Alerting Failures
When applications don’t record or alert on security-relevant events, defenders can’t detect or investigate attacks. Good logging underpins accountability (being able to prove who did what, when, and from where). In practice, failures look like missing authentication events, vague error logs, no alerting on brute-force or privilege changes, short retention, or logs stored where attackers can tamper with them.
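As an added example (not from the original article) of the detection side of accountability: a small detector run over a constructed structured auth log whose lines carry who, what, when and from where. It raises alerts for a brute-force burst from one source address, a successful login from an address already flagged, and a change of role to admin. The log lines, field names, threshold and window are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed structured auth log, one JSON object per line. Each record carries
# the accountability fields: who (user/actor), what (event), when (ts), where (src_ip).
SAMPLE_LOG = """
{"ts": 1000, "event": "login_failed",  "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1010, "event": "login_failed",  "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1020, "event": "login_failed",  "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1030, "event": "login_failed",  "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1040, "event": "login_failed",  "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1050, "event": "login_success", "user": "alice", "src_ip": "203.0.113.5"}
{"ts": 1100, "event": "login_success", "user": "bob",   "src_ip": "198.51.100.7"}
{"ts": 1200, "event": "role_changed",  "user": "alice", "actor": "bob", "new_role": "admin", "src_ip": "198.51.100.7"}
{"ts": 1300, "event": "login_failed",  "user": "carol", "src_ip": "198.51.100.7"}
"""

BRUTE_FORCE_THRESHOLD = 5   # failed logins from one source address ...
BRUTE_FORCE_WINDOW = 60     # ... within this many seconds


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events: list, threshold: int = BRUTE_FORCE_THRESHOLD, window: int = BRUTE_FORCE_WINDOW) -> list:
    """Replay events in time order and return a list of alert dicts."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> timestamps of failures inside the window
    flagged = set()                # src_ips already reported as brute-forcing
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["src_ip"]
        if e["event"] == "login_failed":
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window] + [e["ts"]]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "src_ip": ip,
                               "ts": e["ts"], "count": len(failures[ip])})
        elif e["event"] == "login_success" and ip in flagged:
            # A success after a burst of failures is the part worth paging on.
            alerts.append({"rule": "success_after_brute_force", "src_ip": ip,
                           "user": e["user"], "ts": e["ts"]})
        elif e["event"] == "role_changed" and e.get("new_role") == "admin":
            alerts.append({"rule": "privilege_change", "user": e["user"],
                           "actor": e.get("actor"), "src_ip": ip, "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Every alert keeps the who/when/where fields from the originating record, which is what makes the later investigation possible; a log that recorded only "login failed" with no user, timestamp or source address would let none of these rules fire.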