Series

Security testing for QA.

The auth and access bugs you can catch during ordinary functional testing — no pentest required. A large share of the auth bugs that cause real incidents are functional defects in plain sight. This series covers the QA-safe security checks you can run with two accounts and a test inbox, and how to report them responsibly.

Who it's for: Manual QA · QA engineers without a security background

// overview

You don't need a pentesting certification to catch the security bugs that cause real incidents. A large share of them are functional defects sitting in plain sight — an object you can read by changing an ID, a session that survives logout, a reset link that never expires. This series is the QA-safe pass for finding them with two accounts and a test inbox.

It stays deliberately inside the QA lane: no exploit payloads, no production data — just functional testing pointed at the auth layer, plus clear guidance on reporting findings as defects rather than weaponised writeups. Where a specialist review should take over, it says so.

Read it to build the habit of asking “what if I'm not supposed to do this?” on every feature you test.


// reading order

  1. Deep dives·13 June 2026 · 8 min read

    IDOR explained for QA engineers

    The most common serious web vulnerability is also the easiest for QA to catch: the app serves a record by ID without checking it is yours. Two accounts and a changed number find it.

    security-testing · auth · idor · bugs
  2. Tutorials·13 June 2026 · 8 min read

    How to test session expiry properly

    A session that lives too long is a hole; one that survives logout defeats the point. Here is the session-expiry pass — idle, absolute, logout, reset, remember-me, and fixation.

    security-testing · auth · sessions · bugs
  3. Tutorials·13 June 2026 · 8 min read

    The password reset bugs I always test for

    Password reset is a deceptively risky flow — token reuse, expiry, enumeration, and session handling all hide here.

    security-testing · auth · bugs
  4. Deep dives·13 June 2026 · 10 min read

    OWASP Top 10 for testers, not hackers

    The OWASP Top 10 translated for QA: what each category means for flows you already test, and the one check you can run without being a pentester.

    security-testing · owasp · checklist · auth
  5. Tutorials·13 June 2026 · 8 min read

    MFA testing checklist for QA teams

    The full multi-factor auth test surface: bypass, wrong/expired/reused codes, brute-force lockout, recovery, and the usability cases most teams skip.

    security-testing · mfa · authentication · checklist
