The thing that I find difficult with OWASP: there don't always seem to be comprehensive examples provided for what these attack surfaces could be used for. That makes it difficult to both understand the impact of a particular issue, and test for it.
As an example: https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security...
I'm fascinated to know how this could actually be exploited. But there's no hint or reference to that. It's just "don't do this".
I'm a product security engineer. I reference these all of the time during my own work to make sure I didn't miss something stupid, but I also hand links out to them to engineers when we do find bugs in their code. Most of the time I think they're ignored.
If most engineers just took a second to read the ones that were directly pertinent to their projects and tried to be cognisant of some mitigations, I'd find substantially fewer low-hanging-fruit vulnerabilities in the first review pass. Doing so actually makes my job significantly more difficult, and forces me to dig deeper - which is a good thing. Instead of writing up for the 100th time some input validation spiel, I can spend time searching for more complex bugs, writing protocol fuzzers, and doing real analysis in the time I have for the review.