
Security Testing for QA: OWASP and Common Vulnerabilities


Security testing checks for vulnerabilities that an attacker could exploit. As a QA engineer, you do not need to be a penetration tester to contribute: knowing the OWASP Top 10 and a few basic checks (injection, XSS, authentication and authorization) helps you design tests and spot issues early, while the fix is still cheap. This post introduces security testing from a QA perspective.


OWASP Top 10 in brief

The OWASP Top 10 lists the most common web application risks. The names below follow the older editions of the list; in the 2021 edition Broken Authentication became Identification and Authentication Failures, Sensitive Data Exposure became Cryptographic Failures, XSS was folded into Injection, and Broken Access Control moved to first place. Examples:

  • Injection (SQL, OS command, etc.): Untrusted input is spliced into a query or command and changes its structure; test with malicious input such as ' OR 1=1-- in fields that reach a database, and watch for database errors when a lone quote character is entered.
  • Broken authentication: Weak password rules, sloppy session handling, or insecure token storage; test login, logout, session expiry, and whether an old token still works after logout or a password change.
  • Sensitive data exposure: Data in transit or at rest is not protected; check that every page and API call uses HTTPS, and that passwords, tokens and personal data do not appear in plain text in storage, logs or error messages.
  • XSS (Cross-Site Scripting): User input is rendered as HTML/script without output encoding; test with script payloads in inputs and check whether they come back encoded (for example as &lt;script&gt;) or are executed by the browser.
  • Broken access control: Users reaching other users' data or admin functions; test authorization with two accounts (e.g. log in as one user, change the ID in the URL to the other user's, and expect a 403 or 404 rather than their data).
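The injection bullet worked through in Python, as an added example that is not part of the original post: a deliberately vulnerable lookup that splices the username into the SQL text sits beside a parameterized version, the ' OR 1=1-- payload is run against both, and the single-quote probe a tester uses to spot injection-prone queries is applied to each. The in-memory SQLite table, its seed rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny users table so the example runs offline.
SEED_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the input is concatenated into the SQL text,
    so a quote character in `username` changes the structure of the query."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: parameterized query. The driver passes the value separately,
    so the payload is compared as a literal string and matches no row."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The classic tautology payload from the OWASP bullet above. Against the
# vulnerable query it yields:  WHERE username = '' OR 1=1--'
# and the trailing quote is swallowed by the -- comment.
INJECTION_PAYLOAD = "' OR 1=1--"


def run_injection_check():
    """Row counts returned for a normal name and for the payload, per version."""
    conn = make_db()
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, "alice")),
        "vulnerable_payload": len(find_user_vulnerable(conn, INJECTION_PAYLOAD)),
        "safe_normal": len(find_user_safe(conn, "alice")),
        "safe_payload": len(find_user_safe(conn, INJECTION_PAYLOAD)),
    }


def probe_single_quote(lookup, conn):
    """A QA tell for injection: does a legitimate name containing a single
    quote (O'Brien) make the query fail? Returns True if it raises."""
    try:
        lookup(conn, "O'Brien")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print(run_injection_check())
    db = make_db()
    print("vulnerable breaks on a quote:", probe_single_quote(find_user_vulnerable, db))
    print("safe breaks on a quote:", probe_single_quote(find_user_safe, db))
```

The vulnerable version returns every row for the payload (all three users) and raises a database error for O'Brien; the parameterized version returns no rows for the payload and simply finds no user named O'Brien. In a real test you rarely see the SQL, so the two observable signals are the same ones shown here: a response that contains far more data than one account should, and an error page or 500 triggered by a single quote.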

What QA can do

  • Positive and negative tests: Valid and invalid inputs; authentication and authorization (e.g. access without login, access to another user's resource, access to admin functions from a normal account).
  • Input validation: Try injection-like and XSS-like payloads in forms and API parameters; check that errors are handled without leaking stack traces or SQL, and that output comes back encoded.
  • Auth flows: Login, logout, session timeout, password reset; invalid, expired or reused tokens, and whether a session survives logout or a password change.
  • Reporting: Log potential issues with steps to reproduce, the exact payload, and evidence (request/response or screenshot); the security team or a developer can then confirm the impact and fix it.
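The authorization and output-encoding checks from the list above, written as the kind of small negative-test suite a QA engineer can keep beside the functional tests. This is an added example, not code from the original post: the in-memory profile store, the session tokens, the handler names and the comment renderer are all constructed for it. Each check takes the function under test as an argument, so the same check reports a clean result for the hardened handler and concrete findings for the deliberately broken one.

```python
import html
from dataclasses import dataclass

# Constructed in-memory "application" so the checks run offline:
# session tokens map to user ids, and each user owns one profile.
PROFILES = {
    1: {"name": "alice", "email": "alice@example.com"},
    2: {"name": "bob", "email": "bob@example.com"},
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}   # session token -> user id


@dataclass
class Response:
    status: int
    body: str


def get_profile(session_token, profile_id):
    """GET /profiles/<id> with an ownership check (hardened handler)."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return Response(401, "login required")
    if profile_id not in PROFILES:
        return Response(404, "not found")
    if user_id != profile_id:
        return Response(403, "forbidden")      # stops "change the ID in the URL"
    return Response(200, repr(PROFILES[profile_id]))


def get_profile_no_owner_check(session_token, profile_id):
    """Same endpoint with the ownership check missing (deliberately broken):
    any logged-in user can read any profile."""
    if SESSIONS.get(session_token) is None:
        return Response(401, "login required")
    if profile_id not in PROFILES:
        return Response(404, "not found")
    return Response(200, repr(PROFILES[profile_id]))


def render_comment(text):
    """Render a user comment into HTML with output encoding (hardened)."""
    return '<p class="comment">' + html.escape(text, quote=True) + "</p>"


def render_comment_raw(text):
    """Same rendering without encoding (deliberately broken)."""
    return '<p class="comment">' + text + "</p>"


# A few XSS-style payloads of the kind used in input-validation tests.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "<svg/onload=alert(1)>",
]


def check_access_control(handler):
    """Authz negative tests. Returns a list of findings; empty means pass."""
    cases = [
        # (description, session token, profile id, expected HTTP status)
        ("no session can read a profile", None, 1, 401),
        ("alice can read bob's profile (horizontal escalation)", "tok-alice", 2, 403),
        ("bob can read alice's profile (horizontal escalation)", "tok-bob", 1, 403),
        ("owner can read own profile", "tok-alice", 1, 200),
        ("unknown id leaks no data", "tok-alice", 999, 404),
    ]
    findings = []
    for desc, token, pid, expected in cases:
        got = handler(token, pid).status
        if got != expected:
            findings.append(f"{desc}: expected {expected}, got {got}")
    return findings


def check_xss_encoding(render):
    """Output-encoding tests: no raw HTML metacharacter from the payload may
    survive inside the rendered element's body. Empty list means pass."""
    prefix, suffix = '<p class="comment">', "</p>"
    findings = []
    for payload in XSS_PAYLOADS:
        body = render(payload)[len(prefix):-len(suffix)]
        if any(ch in body for ch in "<>\"'"):
            findings.append(f"payload rendered unencoded: {payload!r} -> {body!r}")
    return findings


if __name__ == "__main__":
    for name, fn in [("hardened", get_profile), ("broken", get_profile_no_owner_check)]:
        print(name, "access control:", check_access_control(fn) or "pass")
    for name, fn in [("hardened", render_comment), ("broken", render_comment_raw)]:
        print(name, "xss encoding:", check_xss_encoding(fn) or "pass")
```

The findings strings are already in the shape a bug report needs: what was tried, what was expected, and what actually happened. Against a real application the handler argument becomes an HTTP call made with each account's session, and the expected statuses stay the same.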

Summary

  • OWASP Top 10 = the common web risks (injection, broken authentication, XSS, access control, etc.); use it as a checklist when designing tests.
  • QA contributes with negative tests, input validation, auth/authz checks, and clear bug reports with steps and evidence.
  • Work with security and dev for confirmation and fixes; do not run automated scanners or aggressive tests against shared or production environments without approval.