Skip to main content
Software Testing – Complete Beginner to Advanced Guide
CHAPTER 12 Intermediate

Security Testing Fundamentals

Updated: May 16, 2026
25 min read

# CHAPTER 12

Security Testing Fundamentals

1. Introduction

A functional bug might annoy a user. A performance bug might slow down a server. A Security Vulnerability will bankrupt the company, destroy customer trust, and result in massive legal fines. While deep Penetration Testing ("Pen-Testing") is often performed by dedicated ethical hackers, fundamental Security Testing is the absolute responsibility of the standard QA Engineering team. If your application accepts user input, it must be validated against basic attack vectors. In this chapter, we will master Security Testing Fundamentals. We will explore the mechanics of common vulnerabilities like SQL Injection and XSS, learn how to rigorously test Authentication systems, and establish a foundational QA security checklist.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Understand the critical role of QA in identifying basic security vulnerabilities.
  • Define and manually test for SQL Injection (SQLi) flaws.
  • Define and manually test for Cross-Site Scripting (XSS) flaws.
  • Execute rigorous Authentication and Authorization testing.
  • Utilize a basic security validation checklist during standard functional testing.

3. Authentication vs. Authorization

These are the two pillars of access control. They are different, and both must be tested.
  • Authentication (Who are you?): Testing the login process. Does the system correctly verify passwords? Are sessions timed out securely?
  • Authorization (What are you allowed to do?): Testing permissions. If User A logs in, can they manually change the URL to /admin/delete_users and successfully execute the action, bypassing the UI? (This is a catastrophic failure known as "Broken Access Control" or IDOR).

4. SQL Injection (SQLi)

The most famous backend vulnerability.
  • The Concept: A developer takes input from a search bar and directly concatenates it into a raw database query.
  • The Attack: A hacker types ' OR '1'='1 into the password field. The database interprets this as a true statement and logs the hacker in without a password.
  • QA Testing: A QA Engineer should always try typing basic SQL characters (like ' or "; DROP TABLE users;) into input fields. If the application crashes with an SQL syntax error, it is highly likely vulnerable to injection. It should fail gracefully with a validation error.

5. Cross-Site Scripting (XSS)

The most common frontend vulnerability.
  • The Concept: A hacker injects malicious JavaScript into a website (e.g., by posting it in a public comment section).
  • The Attack: When a normal user loads the page, the hacker's JavaScript runs in the user's browser, stealing their session cookies and sending them to the hacker.
  • QA Testing: A QA tester enters <script>alert("XSS HACK!")</script> into a comment box or profile name field. If the website literally pops up an alert box when the page reloads, the site is vulnerable. The site must "sanitize" or "escape" the input so it renders as harmless text, not executable code.

6. Security Testing Checklist (The QA Baseline)

A QA team does not need to be cybersecurity experts to catch 80% of basic flaws.
  • [ ] Are passwords masked in the UI?
  • [ ] Does the app enforce a strong password policy?
  • [ ] Does the session expire after 15 minutes of inactivity?
  • [ ] Does the app lock the account after 5 failed login attempts (Brute Force protection)?
  • [ ] Are all API endpoints restricted to authorized users only?
  • [ ] Does the application sanitize all HTML/JavaScript inputs to prevent XSS?

7. Visual Learning: Broken Access Control (IDOR)

txt
12345678910 
[ Normal User Flow ]
1. Logs in as User ID 10.
2. Clicks "My Invoice".
3. Browser requests: GET /api/invoices/10. (Returns Invoice).

[ The QA Security Test (The Attack) ]
1. Still logged in as User ID 10.
2. Manually edits the URL in the browser bar.
3. Browser requests: GET /api/invoices/11. (Trying to see User 11&#039;s invoice).
*Result:* If the API returns User 11&#039;s invoice, the system FAILED the Authorization test. It must return a 403 Forbidden.

8. Best Practices

  • Never Store Secrets in Code: During testing or code reviews, if a QA Engineer sees an AWS API key or database password hardcoded in plain text in a .js or .php file, it is an immediate critical security failure. Secrets must live in environment variables (.env).

9. Common Mistakes

  • Security as an Afterthought: Many teams only think about security the day before launch. They hire a Pen-Tester, who finds 50 critical vulnerabilities, delaying the launch by three months. Security testing must be integrated into the STLC during the daily Sprint cycles.

10. Mini Project: Test for XSS

Scenario: You are testing a new "User Profile" feature. Users can write a short "Bio" about themselves. Test Case Execution:
  1. 1. Navigate to Edit Profile.
  1. 2. In the "Bio" text area, enter the following exact string: Hello! <script>alert("Your site is broken")</script>
  1. 3. Click Save.
  1. 4. Navigate to the public view of the profile.
Expected Result: The text displays exactly as typed. No popup box appears. (The input was sanitized). Actual Result (Bug): A browser alert popup appears. The site is vulnerable to Stored XSS.

11. Practice Exercises

  1. 1. Define the difference between Authentication and Authorization.
  1. 2. Explain how a QA Engineer performs a basic manual test for Cross-Site Scripting (XSS) in an input field.

12. MCQs with Answers

Question 1

A QA tester logs into a banking app as a standard customer. They then manually change the URL in their browser from /account/summary to /admin/dashboard. The server allows them to see the admin dashboard. What specific security pillar has failed?

Question 2

Typing ' OR '1'='1 into a login field to attempt to bypass the password check is a classic test for which vulnerability?

13. Interview Questions

  • Q: Explain the concept of Insecure Direct Object Reference (IDOR). How would you test an API endpoint (e.g., GET /user/data?id=5) to ensure it is not vulnerable to IDOR?
  • Q: A developer tells you, "We use HTTPS, so our application is completely secure from hackers." As a QA Engineer, explain why encryption in transit (HTTPS) does absolutely nothing to stop application-level vulnerabilities like SQL Injection.
  • Q: Walk me through a basic Security QA checklist you would execute before signing off on a new "User Login" feature.

14. FAQs

Q: Do I need to be a hacker to do Security Testing? A: To do deep, network-level penetration testing, yes. However, validating basic application security (testing for IDOR, XSS, and proper authentication flows) is standard QA work and does not require advanced hacking skills.

15. Summary

In Chapter 12, we adopted the mindset of an attacker. We learned that Security Testing is not just an IT problem; it is a fundamental QA responsibility. We differentiated between proving who a user is (Authentication) and proving what they are allowed to do (Authorization). We mastered the mechanics of injecting malicious SQL and JavaScript payloads to identify the most common, devastating vulnerabilities on the web. By incorporating basic security validation into daily test cases, QA teams build a robust first line of defense against catastrophic breaches.

16. Next Chapter Recommendation

We have tested web applications extensively. Now we must shrink the screen and change the operating system. Proceed to Chapter 13: Mobile Application Testing.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Performance and Load Testing
Next Chapter Mobile Application Testing

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 5

🎥 Related Videos 1