Auth bugs QA can catch without being a pentester
The auth and session bugs that show up in normal functional testing — no exploit tooling required.
Password reset is a deceptively risky flow — token reuse, expiry, enumeration, and session handling all hide here.
The most common serious web vulnerability is also the easiest for QA to catch: the app serves a record by ID without checking it is yours. Two accounts and a changed number find it.
A session that lives too long is a hole; one that survives logout defeats the point. Here is the session-expiry pass — idle, absolute, logout, reset, remember-me, and fixation.
The OWASP Top 10 translated for QA: what each category means for flows you already test, and the one check you can run without being a pentester.
Treat the auth token as an input: test that it expires, dies on logout, can't cross scope or user, doesn't leak, and rejects tampering — all with your normal API client.