Blog

#security-testing.

11 articles tagged "security-testing".

Tutorials·13 June 2026 · 8 min read

The password reset bugs I always test for

Password reset is a deceptively risky flow — token reuse, expiry, enumeration, and session handling all hide here.

security-testing · auth · bugs
Deep dives·13 June 2026 · 8 min read

IDOR explained for QA engineers

One of the most common serious web vulnerabilities is also the easiest for QA to catch: the app serves a record by ID without checking that the record belongs to the caller. Two accounts and a changed number in the URL find it.

security-testing · auth · idor · bugs
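The two-account check the teaser describes, written out as a small QA harness. This is an added example, not code from the linked article: the two `get_record` handlers are constructed in-memory stand-ins for a real `GET /records/{id}` endpoint (the first never checks ownership, the second scopes the lookup to the caller), and `RECORDS` is constructed sample data. The probe first confirms the victim account can read its own records, then replays the same ids with the attacker's session and reports every 200. A second check covers the enumeration caveat: a handler that answers 403 for someone else's record and 404 for a missing one still tells the attacker which ids exist.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample data: record id -> owner and contents.
RECORDS: Dict[int, dict] = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "alice", "body": "alice's address"},
    201: {"owner": "bob", "body": "bob's invoice"},
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


Handler = Callable[[Optional[str], int], Response]


def vulnerable_get_record(session_user: Optional[str], record_id: int) -> Response:
    """'Before' (hypothetical): authenticates the caller but never checks ownership."""
    if session_user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec)  # any logged-in user can read any record


def fixed_get_record(session_user: Optional[str], record_id: int) -> Response:
    """'After' (hypothetical): the lookup is scoped to the caller, and a foreign id
    gets the same answer as a missing id so the status code cannot be used to
    enumerate which ids exist."""
    if session_user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return Response(404)
    return Response(200, rec)


def idor_probe(handler: Handler, victim_ids: List[int],
               attacker_user: str, victim_user: str) -> List[int]:
    """Return the ids from victim_user's account that attacker_user can read.

    Step 1: the victim must be able to read each id, otherwise a 404 for the
            attacker proves nothing.
    Step 2: replay the same id with the attacker's session; a 200 is a finding.
    """
    leaked: List[int] = []
    for rid in victim_ids:
        own = handler(victim_user, rid)
        if own.status != 200:
            raise AssertionError(f"precondition failed: {victim_user} cannot read {rid}")
        cross = handler(attacker_user, rid)
        if cross.status == 200:
            leaked.append(rid)
    return leaked


def distinguishes_existence(handler: Handler, attacker_user: str,
                            foreign_id: int, missing_id: int) -> bool:
    """True if the attacker gets different status codes for a record that exists
    but is not theirs versus one that does not exist. Even when the body is
    withheld, that difference lets ids be enumerated."""
    foreign = handler(attacker_user, foreign_id).status
    missing = handler(attacker_user, missing_id).status
    return foreign != missing


if __name__ == "__main__":
    alice_ids = [101, 102]
    print("vulnerable leaks:", idor_probe(vulnerable_get_record, alice_ids, "bob", "alice"))
    print("fixed leaks:", idor_probe(fixed_get_record, alice_ids, "bob", "alice"))
    print("vulnerable reveals existence:",
          distinguishes_existence(vulnerable_get_record, "bob", 101, 999))
    print("fixed reveals existence:",
          distinguishes_existence(fixed_get_record, "bob", 101, 999))
```

Against a real service, `handler` becomes a thin wrapper around your API client that sends the request with the chosen account's session cookie or token; the probe logic stays the same. The precondition step matters: a 404 for the attacker is only evidence of a fix if the owner gets a 200 for the same id.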
Tutorials·13 June 2026 · 8 min read

How to test session expiry properly

A session that lives too long is a hole; one that survives logout defeats the point. Here is the session-expiry pass — idle timeout, absolute lifetime, logout, password reset, remember-me, and fixation.

security-testing · auth · sessions · bugs
Deep dives·13 June 2026 · 9 min read

Prompt injection testing for QA engineers

LLMs can't reliably separate instructions from data, so user input can hijack the model. Direct and indirect injection, what to check for, and how to report it QA-safe.

ai-testing · security-testing · prompt-injection · llm
Deep dives·13 June 2026 · 10 min read

OWASP Top 10 for testers, not hackers

The OWASP Top 10 translated for QA: what each category means for flows you already test, and the one check you can run without being a pentester.

security-testing · owasp · checklist · auth
Tutorials·13 June 2026 · 8 min read

MFA testing checklist for QA teams

The full multi-factor auth test surface: bypass, wrong/expired/reused codes, brute-force lockout, recovery, and the usability cases most teams skip.

security-testing · mfa · authentication · checklist
Tutorials·13 June 2026 · 8 min read

API token bugs that show up in everyday testing

Treat the auth token as an input: test that it expires, dies on logout, can't cross scope or user, doesn't leak, and rejects tampering — all with your normal API client.

security-testing · api-testing · tokens · auth
Tutorials·13 June 2026 · 7 min read

How to write safe security bug reports

A security report has extra duties: private channel, impact over exploit, test data only, redacted evidence, clear severity — getting it fixed without making it worse.

security-testing · bug-reports · process · disclosure