Taiab's Blog

The OWASP Top 10 Through a QA Engineer's Eyes

Md. Taiab

Md. Taiab

2025-01-28 ยท 2 mins read


Security testing sounds like a separate discipline, but most of the OWASP Top 10 maps cleanly onto test cases a QA engineer already knows how to write. Here's the reframe.

A01: Broken Access Control

The single most common real-world issue. As QA, you test it by changing roles and IDs:

  • Log in as a normal user, call an admin endpoint directly.
  • Change a resource ID in the URL to one you don't own.
  • Remove the auth token entirely and retry.

If a standard user reaches admin data, that's broken access control โ€” and it's just a negative test case.

A03: Injection

You already test invalid input. Add the security payloads:

SQL:  ' OR '1'='1
XSS:  

Drop them in every field and URL parameter. If the SQL one logs you in or the XSS one pops an alert, you've found injection.

A02: Cryptographic Failures

Check the boring basics:

|-------|-----|
CheckHow
HTTPS everywhereWatch for http:// requests in DevTools
Passwords not in responsesInspect the network tab after login
Tokens not in the URLURLs get logged and shared

A05: Security Misconfiguration

  • Default credentials still working (admin/admin)
  • Detailed stack traces shown to users
  • Directory listing enabled
  • Debug endpoints reachable in production

A07: Identification & Authentication Failures

Test the auth flow like an attacker:

  • Does login lock out after many failed attempts?
  • Can you reuse a password reset link twice?
  • Does the session expire, and does logout actually invalidate it server-side?

The Point

You don't need a new title to test these. Every item above is a negative test case with a security flavor. Adding them to your existing test design catches the bugs that hurt most โ€” and makes you the tester developers actually want on a release.

Md. Taiab

Written by Md. Taiab

Follow

Md. Taiab is a Software QA Engineer and security enthusiast based in Dhaka, Bangladesh. He interned as a QA Engineer at Battery Low Interactive Ltd. and competes in CTFs and programming contests โ€” ranked Top 3% globally on TryHackMe and Champion of GUB Junior IDPC 2023.

Comments disabled โ€” add your CommentBox.io project ID to .env.local as NEXT_PUBLIC_COMMENTBOX_ID