Security Testing for QA Engineers: Complete 2026 Guide (OWASP, Burp Suite, ZAP)
The 2026 complete security testing guide for QA engineers — OWASP Top 10, OWASP API Security Top 10, SQL injection, XSS, BOLA, authentication and authorization testing, Burp Suite, OWASP ZAP, and security in CI/CD.

In this article
- 1. Why Security Testing Matters in 2026
- 2. The QA Security Mindset
- 3. OWASP Top 10 (Web Applications)
- 4. OWASP API Security Top 10
- 5. Authentication and Authorization Testing
- 6. Input Validation Vulnerabilities
- 7. Hands-On with Burp Suite
- 8. Hands-On with OWASP ZAP
- 9. Security Testing in CI/CD
- 10. Reporting Security Bugs
- 11. Security Testing Best Practices for 2026
- 12. Author Bio & Next Steps
- Frequently asked questions
In 2026, every product is a security product. The average data breach now costs $4.88 million (IBM Cost of a Data Breach Report) and regulatory penalties under GDPR, HIPAA, PCI-DSS and the EU AI Act can exceed $100 million. QA engineers are the last line of defense before code ships — functional tests verify the app works; security tests verify the app doesn't help attackers break it.
This guide covers everything a modern QA engineer needs: the OWASP Top 10 and OWASP API Security Top 10, hands-on testing for SQL injection, XSS, BOLA and broken authentication, practical workflows with Burp Suite and OWASP ZAP, plus how to wire security scans into CI/CD. Pair it with our Manual Testing Complete Guide and the API Testing Tutorial for end-to-end coverage.
What you'll master: the OWASP Top 10 and OWASP API Security Top 10, how to test for SQL injection, XSS, BOLA, broken auth and SSRF, hands-on Burp Suite and OWASP ZAP workflows, and how to integrate SAST/SCA/DAST into your CI/CD pipeline.
1. Why Security Testing Matters in 2026
QA engineers are the last gate before code reaches users. In 2026 the threat model has shifted:
- DevSecOps is the norm — security testing is integrated into every sprint, not bolted on at release.
- AI-generated code has security risks — LLM-generated code often introduces subtle vulnerabilities that QA must catch (see our GitHub Copilot for QA guide for prompt patterns that prevent this).
- API security is the new perimeter — APIs are the #1 attack vector in 2026 per the OWASP API Security Top 10.
- Supply chain attacks are rising — QA must verify third-party dependencies on every build.
- Regulatory pressure is mounting — every industry now has new security compliance requirements.
If you're a QA engineer in 2026 and you don't know how to test for the OWASP Top 10, you're a liability to your team. Security testing is also one of the fastest paths to a senior salary band — see our QA Engineer Salary Guide for the security premium.
2. The QA Security Mindset
Shift-left security
Security testing starts at the requirements phase, not the test phase. In backlog grooming, ask:
- What data does this feature handle? PII? Payment? Health?
- Who can access this? Admin? User? Anonymous?
- What happens if an attacker sends malicious input here?
- Does this feature log anything sensitive?
- Does this feature meet our compliance requirements?
The threat-modeling habit
Before testing any feature, do a 5-minute threat-modeling pass:
- What are we building? (login, payment, profile update)
- What data does it touch? (PII, credentials, money)
- Who can interact with it? (admin, user, anonymous)
- What's the worst-case abuse? (account takeover, data exfiltration)
- What mitigations exist? (auth, validation, rate limiting)
Security vs functional testing
| Functional testing | Security testing |
|---|---|
| Tests what the app should do | Tests what the app shouldn't allow attackers to do |
| Happy-path focus | Adversarial focus |
| Tests with valid input | Tests with malicious and unexpected input |
| Confirms features work | Confirms features can't be abused |
The two are complementary — a feature can pass every functional test and still be insecure.
3. OWASP Top 10 (Web Applications)
The OWASP Top 10 is the de facto standard for web application security risks. The 2021 edition remains current; OWASP Top 10:2025 is in draft.
A01:2021 — Broken Access Control
Risk: Users access resources they shouldn't.
Test cases:
- Try to access another user's data by changing the ID (`/users/123` → `/users/124`).
- Hit an admin endpoint as a regular user.
- Perform an admin action (delete user, change role) without the admin role.
- Bypass authorization by tampering with JWT tokens or cookies.
Test: "User cannot view another user's profile"
1. Log in as user A (id=123)
2. GET /users/123/profile → 200 OK
3. GET /users/124/profile → expect 403 Forbidden
A02:2021 — Cryptographic Failures
- Verify HTTPS is enforced (no HTTP fallback).
- Verify the `Strict-Transport-Security` (HSTS) header is present.
- Verify cookies have the `Secure`, `HttpOnly` and `SameSite` flags.
- Verify passwords are hashed (not stored in plain text).
- Verify sensitive data is not logged.
A03:2021 — Injection
Payloads to try: SQL (`' OR '1'='1`, `'; DROP TABLE users; --`), NoSQL (`{"$gt": ""}`), LDAP (`*)(&`), OS command (`; ls -la`), template (`${7*7}`, `{{7*7}}`). See section 6 for hands-on examples.
A04:2021 — Insecure Design
- Rate limiting on sensitive endpoints (login, password reset).
- Business logic can't be abused (applying a discount N times).
- Critical operations require re-authentication.
A05:2021 — Security Misconfiguration
- No default credentials (admin/admin).
- Production doesn't expose stack traces on error.
- Security headers present (CSP, X-Frame-Options).
- Cloud storage (S3 buckets) is not publicly accessible.
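The A02 and A05 header checks above (HSTS, cookie flags, CSP, X-Frame-Options, stack traces in error bodies) are easy to automate once you have a response in hand. The following is an added example, not code from the original article: a header audit over constructed sample responses. In a real suite the headers and body would come from your HTTP client or from a Burp/ZAP export; the header names and the one-year HSTS threshold are the checks the list above asks for.

```python
"""Header audit for the A02 and A05 checks: HSTS, cookie flags, CSP,
X-Frame-Options, X-Content-Type-Options, and stack traces in error bodies.

Added example, not code from the original article. The responses below are
constructed samples, not real captures."""
from __future__ import annotations

ONE_YEAR = 31536000  # minimum HSTS max-age worth accepting, in seconds

REQUIRED_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)

# Fragments that betray a stack trace leaking into an error response.
STACK_TRACE_MARKERS = ("traceback (most recent call last)", "\n    at ", "exception in thread")


def parse_set_cookie(set_cookie: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).
    Attribute names are lower-cased; bare flags such as Secure map to None."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS header, or -1 if it is absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return -1


def audit_response(headers: dict[str, str | list[str]], body: str = "") -> list[str]:
    """Return one finding string per failed check; an empty list is a pass.
    Header names are matched case-insensitively; Set-Cookie may be a list
    because one response can set several cookies."""
    norm = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    hsts = norm.get("strict-transport-security")
    if hsts is None:
        findings.append("A02: Strict-Transport-Security header missing")
    elif hsts_max_age(str(hsts)) < ONE_YEAR:
        findings.append("A02: HSTS max-age shorter than one year")

    for name in REQUIRED_HEADERS:
        if name not in norm:
            findings.append(f"A05: {name} header missing")
    if "x-powered-by" in norm:
        findings.append("A05: X-Powered-By reveals the server stack")

    cookies = norm.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        cname, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"A02: cookie {cname} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"A02: cookie {cname} lacks HttpOnly")
        if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
            findings.append(f"A02: cookie {cname} lacks SameSite=Lax/Strict")

    lowered = body.lower()
    if any(marker in lowered for marker in STACK_TRACE_MARKERS):
        findings.append("A05: stack trace exposed in response body")
    return findings


# Constructed sample responses (not real captures).
SAMPLE_INSECURE = {
    "Content-Type": "text/html",
    "X-Powered-By": "Express",
    "Set-Cookie": ["session=abc123; Path=/"],
}
SAMPLE_INSECURE_BODY = "Error: boom\n    at handler (/app/server.js:42:11)"
SAMPLE_HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs, body in (("insecure", SAMPLE_INSECURE, SAMPLE_INSECURE_BODY),
                              ("hardened", SAMPLE_HARDENED, "")):
        print(label, audit_response(hdrs, body) or "no findings")
```

Run the audit on every response your functional suite already fetches, not just on one landing page: the cookie and header checks are cheap, and a misconfigured error handler usually only shows itself on the 4xx/5xx responses.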
A06:2021 — Vulnerable and Outdated Components
- Run `npm audit` / `pip-audit` on every build.
- All dependencies are within their support window.
A07:2021 — Identification and Authentication Failures
- Password complexity enforced.
- Account lockout after N failed attempts.
- Session tokens are sufficiently random.
- Password reset doesn't leak information.
- MFA cannot be bypassed.
- JWT tokens are properly validated.
A08:2021 — Software and Data Integrity Failures
- Auto-update mechanisms verify signatures.
- CI/CD verifies supply chain (SLSA framework).
- Deserialization rejects untrusted data.
A09:2021 — Security Logging and Monitoring Failures
- Failed logins and privilege-escalation attempts are logged.
- Logs are tamper-resistant; alerts fire on suspicious patterns.
A10:2021 — Server-Side Request Forgery (SSRF)
- Try to make the server fetch `http://localhost/admin`.
- Try the AWS metadata endpoint `http://169.254.169.254/`.
- Try `file://` URLs.
4. OWASP API Security Top 10
The OWASP API Security Top 10 (2023) focuses on REST, GraphQL and gRPC. Test it on every API in your portfolio — pair this section with our API Testing Interview Questions and API Testing Tutorial.
API1:2023 — Broken Object Level Authorization (BOLA)
The #1 API vulnerability in 2026. Test on every endpoint that takes an ID:
- GET `/users/1` as user 2 → expect 403
- PUT `/orders/123` (another user's order) → expect 403
- DELETE `/posts/456` (another user's post) → expect 403
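The A01 test case in section 3 ("user A must not view user B's profile") and the BOLA list above are the same check with different verbs. Below is an added example, not code from the original article, that runs that check offline against two in-process handlers, one with the classic bug and one with the ownership check the remediation calls for; in a real suite the handler would be a thin wrapper around your HTTP client. All users, tokens and profile records are constructed fixtures. One caveat the list does not state: some APIs deliberately answer 404 for objects the caller may not see, which is also a pass; only a 200 carrying another user's data is a failure.

```python
"""Object-level authorization check for the A01 test case and the API1 BOLA
list. Added example, not from the original article; every token, user id and
profile below is a constructed fixture."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Constructed fixtures: bearer token -> user id, and one profile per user.
TOKENS = {"tok_alice": 123, "tok_bob": 124, "tok_admin": 999}
ADMINS = {999}
PROFILES = {
    123: {"id": 123, "email": "alice@example.com"},
    124: {"id": 124, "email": "bob@example.com"},
}


@dataclass
class Response:
    status: int
    body: dict | None = None


Handler = Callable[[int, dict[str, str]], Response]


def authenticate(headers: dict[str, str]) -> int | None:
    """Map an Authorization header to a user id, or None when not logged in."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_profile_vulnerable(user_id: int, headers: dict[str, str]) -> Response:
    """Checks that the caller is logged in, but never that the caller owns the
    requested record: the BOLA bug."""
    if authenticate(headers) is None:
        return Response(401)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)


def get_profile_fixed(user_id: int, headers: dict[str, str]) -> Response:
    """Same endpoint with the ownership check: caller must be the owner or an admin."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401)
    if caller != user_id and caller not in ADMINS:
        return Response(403)
    profile = PROFILES.get(user_id)
    return Response(200, profile) if profile else Response(404)


def check_bola(handler: Handler, attacker_token: str, victim_id: int) -> dict:
    """Request victim_id's object with another user's token and report the
    outcome. A 200 carrying the victim's data is a failure; 403 (or 404, when
    the API hides existence) is a pass."""
    resp = handler(victim_id, {"Authorization": f"Bearer {attacker_token}"})
    return {
        "status": resp.status,
        "vulnerable": resp.status == 200 and resp.body is not None,
        "leaked_fields": sorted(resp.body) if resp.body else [],
    }


def check_own_access(handler: Handler, token: str) -> int:
    """Regression guard: the fix must not stop a user reading their own record."""
    return handler(TOKENS[token], {"Authorization": f"Bearer {token}"}).status


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_profile_vulnerable), ("fixed", get_profile_fixed)):
        print(name, check_bola(handler, "tok_alice", 124), "own:", check_own_access(handler, "tok_alice"))
```

Keep the ownership check in a place the test can pin: `check_own_access` exists so that a fix which simply returns 403 for everything (which does happen) fails the suite too.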
API2:2023 — Broken Authentication
- JWT with no signature → 401
- Expired JWT → 401
- JWT with modified claims → 401
- API key in URL instead of header → 401
- Basic auth with default credentials → 401
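Three of the cases above (no signature, expired, modified claims) come down to what the server's token verifier does. The following is an added example, not code from the original article: a standard-library HS256 verifier plus the helpers needed to build each negative case, so you can see why each token must map to a 401. The secret, claims and timestamp are constructed; a real service would load the key from configuration and normally use a maintained JWT library, but the checks below are the ones such a library has to perform.

```python
"""Token validation behind the API2 checks: unsigned (alg=none) tokens,
expired tokens and tokens whose claims were edited after signing are rejected;
only an intact, current HS256 token is accepted.

Added example, not from the original article. SECRET and the sample claims are
constructed fixtures."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-test-secret-do-not-reuse"  # constructed fixture
SAMPLE_NOW = 1_700_000_000                          # fixed clock for repeatable checks
SAMPLE_CLAIMS = {"sub": "123", "exp": SAMPLE_NOW + 3600}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue a token. alg="none" exists only to build the negative test case
    'JWT with no signature'; the verifier must refuse such tokens."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def tamper_claims(token: str, **changes) -> str:
    """Edit claims without re-signing: the negative test case 'JWT with modified claims'."""
    head, claims_b64, sig = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(changes)
    return head + "." + _b64url(json.dumps(claims).encode()) + "." + sig


def verify(token: str, secret: bytes = SECRET, now: float | None = None) -> tuple[bool, str]:
    """Return (accepted, reason). Every rejection is a 401 at the API layer."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        provided = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm server-side: the header's alg is attacker-controlled,
    # so "none" (or any algorithm you did not issue) is refused outright.
    if header.get("alg") != "HS256":
        return False, "algorithm not allowed"
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not provided or not hmac.compare_digest(expected, provided):
        return False, "signature invalid"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    good = mint(SAMPLE_CLAIMS)
    print("valid     ", verify(good, now=SAMPLE_NOW))
    print("alg=none  ", verify(mint(SAMPLE_CLAIMS, alg="none"), now=SAMPLE_NOW))
    print("expired   ", verify(mint({"sub": "123", "exp": SAMPLE_NOW - 1}), now=SAMPLE_NOW))
    print("tampered  ", verify(tamper_claims(good, sub="999"), now=SAMPLE_NOW))
```

Two details carry most of the weight: the algorithm is pinned rather than read from the header, and the signature comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched. A missing `exp` is treated as expired rather than as "never expires".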
API3:2023 — Broken Object Property Level Authorization
- POST `/users` with `{"role": "admin"}` as a regular user → 403
- GET `/users/me` should not include `password` / `password_hash`
- PATCH `/users/123` with `{"balance": 1000000}` → 403
API4:2023 — Unrestricted Resource Consumption
- 10,000 requests in 1 second → 429 Too Many Requests
- 100 MB payload → 413 Payload Too Large
- Deeply nested JSON (10,000 levels) → 400 Bad Request
API5:2023 — Broken Function Level Authorization
- Regular user → POST `/admin/users` → 403
- Regular user → DELETE `/admin/settings` → 403
API6:2023 — Unrestricted Access to Sensitive Business Flows
- Apply the same coupon code 1,000 times → rate limited
- Create 1,000 accounts in 1 hour → CAPTCHA or rate limited
- Scrape all public data via the API → rate limited
API7:2023 — Server Side Request Forgery
- POST `/upload` with URL `http://localhost:8080/admin` → validation
- POST `/webhook` with `http://169.254.169.254/` → validation
API8:2023 — Security Misconfiguration
- CORS does not allow `*` for authenticated endpoints.
- Error responses don't include stack traces.
- Unnecessary HTTP methods (TRACE) are disabled.
API9:2023 — Improper Inventory Management
- `/v1/` (old API version) should be deprecated and disabled.
- Fuzz for undocumented endpoints.
- Staging/dev environments should not be exposed.
API10:2023 — Unsafe Consumption of APIs
- Validate third-party API responses.
- Enforce SSL/TLS verification.
- Store third-party API keys securely.
6. Input Validation Vulnerabilities
SQL injection test cases
| Input | Expected response |
|---|---|
| `admin@example.com` | Valid login attempt |
| `' OR '1'='1` | Rejected (400 or treated as literal email) |
| `'; DROP TABLE users; --` | Rejected |
| `admin@example.com'--` | Rejected |
```bash
# Try SQL injection in login
curl -X POST https://api.example.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@example.com'\'' OR '\''1'\''='\''1","password":"x"}'
# Expected: 400 Bad Request (not 200, not 500)
```
XSS (Cross-Site Scripting) payloads
| Input | Expected response |
|---|---|
| `<script>alert('xss')</script>` | Sanitized or rejected |
| `<img src=x onerror=alert('xss')>` | Sanitized |
| `<svg/onload=alert('xss')>` | Sanitized |
| `javascript:alert('xss')` | Sanitized in URL params |
How to test: submit the payload in a comment, profile name or search box, then view the rendered HTML source — the script must be escaped or stripped, never executed.
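To make the SQL-injection and XSS expectations in this section concrete, here is an added example, not code from the original article, that runs the page's `' OR '1'='1` and `<script>alert('xss')</script>` payloads against a vulnerable and a hardened implementation side by side. The users table is an in-memory SQLite fixture with constructed rows, the login status function stands in for the `/auth/login` endpoint from the curl example (password verification is omitted), and the email-shape regex is an assumption about what the endpoint should accept.

```python
"""SQL injection and XSS: the vulnerable pattern beside its hardened form,
exercised with the payloads from the tables above.

Added example, not from the original article. The users table and its rows are
constructed fixtures; EMAIL_SHAPE is an assumed allowlist pattern."""
from __future__ import annotations

import html
import re
import sqlite3

PAYLOAD_SQLI = "' OR '1'='1"
PAYLOAD_XSS = "<script>alert('xss')</script>"
EMAIL_SHAPE = re.compile(r"^[^@\s']+@[^@\s']+\.[^@\s']+$")  # assumed conservative allowlist


def make_db() -> sqlite3.Connection:
    """In-memory fixture with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin@example.com", "h1"), ("alice@example.com", "h2")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    """String-built query: the payload is spliced into the SQL itself, so
    ' OR '1'='1 turns the WHERE clause into a tautology and returns every row."""
    sql = f"SELECT email FROM users WHERE email = '{email}' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Parameterised query: the payload is only ever compared as data."""
    sql = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]


def login_status(conn: sqlite3.Connection, email: str) -> int:
    """Status the hardened /auth/login should answer with for a given email:
    400 for input not shaped like an email, 401 when no such user exists,
    200 otherwise (password verification omitted in this example)."""
    if not EMAIL_SHAPE.match(email):
        return 400
    return 200 if find_user_safe(conn, email) else 401


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates user text straight into HTML: stored XSS."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Escapes <, >, &, quotes and apostrophes so the text renders as text."""
    return f"<p>{html.escape(comment)}</p>"


def payload_survives(rendered: str, payload: str) -> bool:
    """The check from 'How to test': the rendered source must not contain the
    payload as live markup."""
    return payload in rendered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query:", find_user_vulnerable(db, PAYLOAD_SQLI))
    print("safe query:      ", find_user_safe(db, PAYLOAD_SQLI))
    print("login status:    ", login_status(db, PAYLOAD_SQLI))
    print("vulnerable html: ", render_comment_vulnerable(PAYLOAD_XSS))
    print("safe html:       ", render_comment_safe(PAYLOAD_XSS))
```

Note that the hardened login gives the `' OR '1'='1` payload a 400 before it ever reaches the database, while the parameterised query would have returned nothing anyway; both layers are worth having, because input validation is what produces the clean 400 the table expects and parameterisation is what keeps the query safe for inputs the validator lets through.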
CSRF (Cross-Site Request Forgery)
- Form submissions require a CSRF token.
- Cookies use `SameSite=Lax` or `Strict`.
- Referer header is validated for state-changing requests.
SSRF payloads
- `http://localhost:8080/admin` — internal access
- `http://169.254.169.254/latest/meta-data/` — AWS metadata
- `file:///etc/passwd` — local file
- `http://internal-service.company.local` — internal DNS
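What "→ validation" means for the SSRF cases (A10, API7 and the payload list above) is that the server refuses each of those URLs before fetching anything. The following is an added example, not code from the original article, of such an outbound-URL validator: it rejects non-HTTP schemes, embedded credentials, internal hostnames, and any host that is or resolves to a non-public address. The resolver is injectable so the example runs offline; the names and addresses in `FAKE_DNS` and the internal-suffix list are constructed assumptions to tune per environment.

```python
"""Outbound-URL validation for the SSRF checks: every payload in the list above
must be refused before the server fetches it.

Added example, not from the original article. INTERNAL_SUFFIXES and FAKE_DNS
are constructed assumptions."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
INTERNAL_SUFFIXES = (".local", ".internal", ".localhost")  # assumption: adjust per environment

Resolver = Callable[[str], list[str]]


def resolve_with_dns(host: str) -> list[str]:
    """Production resolver: every address the name maps to, IPv4 and IPv6."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def validate_outbound_url(url: str, resolve: Resolver = resolve_with_dns) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return False, "internal hostname"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    # Loopback, link-local (the cloud metadata range), RFC 1918 and the
    # documentation ranges are all non-global; one bad address fails the URL.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


# Constructed resolver so the example runs offline; 8.8.8.8 stands in for any
# globally routable address and carries no other meaning here.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "internal-service.company.local": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("http://localhost:8080/admin",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd",
                      "http://internal-service.company.local",
                      "https://api.partner.example/webhook",
                      "https://rebind.example/"):
        print(f"{candidate:45} {validate_outbound_url(candidate, fake_resolve)}")
```

Validating the URL string is necessary but not sufficient: a name can resolve to a public address at check time and to an internal one when the connection is actually made (DNS rebinding), and a public host can redirect to an internal one. The fetch itself therefore has to connect to the address that was validated and re-run this check on every redirect.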
7. Hands-On with Burp Suite
Burp Suite is the de facto standard for manual security testing. The Community Edition is free. Download from portswigger.net/burp.
Configure your browser
- Install FoxyProxy or use Burp's built-in browser.
- Set the proxy to `127.0.0.1:8080`.
- Install Burp's CA certificate in your browser (for HTTPS interception).
Intercept and modify requests
- Open Burp → Proxy → Intercept.
- Browse the application normally — Burp captures every request.
- Click any request to view and modify it.
- Forward modified requests to see how the server responds.
Use the Repeater
- Right-click any request → Send to Repeater.
- Modify the request (add SQL injection payload, change user ID, etc.).
- Click Send to test the modified request.
Sample workflow: testing BOLA
- Log in as user A in your browser (proxied through Burp).
- Navigate to `/users/me/profile` — Burp captures `GET /users/me/profile`.
- Modify the URL to `GET /users/123/profile`.
- Send to Repeater. If 200 → BOLA vulnerability. If 403 → secure.
Sample workflow: testing SQL injection
- Log in as any user.
- Search for a product: `GET /api/products?q=laptop`.
- Modify `q=laptop` to `q=laptop' OR '1'='1` and send via Repeater.
- If all products are returned → SQL injection vulnerability.
8. Hands-On with OWASP ZAP
OWASP ZAP is the open-source alternative to Burp Suite — free, with a full active scanner. Download from zaproxy.org.
Quick scan
- Open ZAP → Quick Start → Automated Scan.
- Enter the URL to scan and click Attack.
- View the Alerts tab for findings.
What the active scanner covers
- SQL injection
- XSS (reflected, stored, DOM)
- Path traversal
- SSRF
- Broken authentication
- Security misconfiguration
Use ZAP as a CI/CD security gate
```bash
# Docker baseline scan
docker run -v $(pwd):/zap/wrk:rw \
  owasp/zap2docker-stable zap-baseline.py \
  -t https://staging.example.com \
  -r zap-report.html
```
Or with the official GitHub Action:
```yaml
- name: ZAP Baseline Scan
  uses: zaproxy/action-baseline@v0.7.0
  with:
    target: 'https://staging.example.com'
    rules_file_name: '.zap/rules.tsv'
    cmd_options: '-I'
```
The scan fails the build when it finds high-risk vulnerabilities.
9. Security Testing in CI/CD
SAST — Static Application Security Testing
Analyzes source code without running the app.
| Tool | Languages | Free tier |
|---|---|---|
| SonarQube | Many | Yes (Community) |
| Snyk Code | Many | Yes (limited) |
| Semgrep | Many | Yes (OSS) |
| GitHub Code Scanning | Many | Free for public repos |
SCA — Software Composition Analysis
Scans third-party dependencies for known CVEs.
| Tool | Ecosystems | Free tier |
|---|---|---|
| Snyk Open Source | npm, pip, Maven… | Yes (limited) |
| npm audit | npm | Free |
| pip-audit | Python | Free |
| OWASP Dependency-Check | Many | Free |
DAST — Dynamic Application Security Testing
Tests the running application.
| Tool | Type | Free tier |
|---|---|---|
| OWASP ZAP | Open source | Yes (full) |
| Burp Suite Pro | Commercial | No |
| StackHawk | SaaS | Yes (limited) |
GitHub Actions example
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run npm audit
        run: npm audit --audit-level=high
      - name: Run Semgrep
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten
      - name: Run OWASP ZAP Baseline
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://staging.example.com'
```
For broader CI/CD patterns, see our Selenium WebDriver Guide and Playwright Complete Guide.
10. Reporting Security Bugs
A great security bug report accelerates the fix and prevents the next breach. Use this template:
```text
TITLE: [Severity] [Asset] [Vulnerability type] — [Impact]
Example: "[HIGH] /api/users/:id — Broken Object Level Authorization
allows access to other users' profiles"

SEVERITY: Critical / High / Medium / Low / Informational
CVSS SCORE: 7.5
OWASP CATEGORY: A01:2021 — Broken Access Control
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)

ASSET:
- URL: /api/users/:id
- Parameter: id
- Affected versions: 1.0.0 – 1.4.2

DESCRIPTION:
The /api/users/:id endpoint does not verify that the authenticated
user owns the requested resource. An authenticated user can access
any other user's profile by changing the :id parameter.

REPRODUCTION STEPS:
1. Log in as user A (id=123, token=<token_A>)
2. Send GET /api/users/124 with token_A
3. Observe: 200 OK with user B's profile data
4. Expected: 403 Forbidden

IMPACT:
An attacker who creates an account can enumerate and exfiltrate
all users' personal data (name, email, phone, address).

REMEDIATION:
Add an ownership check: the authenticated user ID must match the
requested user ID, or the user must have admin privileges.

REFERENCES:
- https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/
- https://cwe.mitre.org/data/definitions/639.html

EVIDENCE:
[Attach screenshots, HTTP request/response logs, Burp screenshots]
```
Severity rating (CVSS-based)
| Severity | CVSS range | Example |
|---|---|---|
| Critical | 9.0 – 10.0 | Remote code execution, admin access without auth |
| High | 7.0 – 8.9 | BOLA, SQL injection, broken auth |
| Medium | 4.0 – 6.9 | Reflected XSS, missing security headers |
| Low | 0.1 – 3.9 | Information disclosure, missing rate limiting |
| Informational | 0.0 | Best-practice violations |
For bug-report craft beyond security, read our Manual Testing Interview Questions.
11. Security Testing Best Practices for 2026
Do
- Test every endpoint that takes an ID for BOLA (the #1 API vulnerability).
- Use OWASP ZAP or Burp Suite for hands-on security testing.
- Run SAST on every PR.
- Run SCA on every PR (`npm audit`, `pip-audit`).
- Run DAST weekly against staging.
- Add security tests to your regression suite.
- Threat-model every feature before implementation.
- Test authentication and authorization on every endpoint.
- Verify input validation for every input field.
- Stay current with OWASP Top 10 updates.
Don't
- Don't rely solely on automated scanners — they miss business-logic vulnerabilities.
- Don't test only the happy path.
- Don't skip security testing in dev environments — attackers don't care.
- Don't ignore "informational" findings — they often chain into real exploits.
- Don't put security testing in a separate sprint — it should be continuous.
- Don't share security findings publicly until the fix is shipped.
12. Author Bio & Next Steps
About the author: The SoftwareTestPilot Editorial Team is a group of QA practitioners with 40+ years of combined experience. We've shipped security-tested apps at banks, healthcare providers and SaaS platforms — and we've caught vulnerabilities that would have cost millions in remediation.
Practice security testing
Sharpen your hands-on skills on HackTheBox, TryHackMe, OWASP WebGoat or DVWA. For real-world experience, start with HackerOne or Bugcrowd bug bounty programs.
Continue your journey
- API Testing Tutorial — the API-specific security risks in depth
- Manual Testing Complete Guide — security-aware test design
- Playwright Complete Guide — automate UI security checks
- Selenium WebDriver Guide — security in CI/CD
- SDET Career Roadmap — security as a senior specialization
- QA Engineer Salary Guide — security specialists earn premium rates
Rehearse security and API rounds live in the AI Mock Interview, run your CV through the free Resume ATS Review, and join 11K+ testers in the QA Network for daily security questions and referrals.
Frequently asked questions
What is security testing?
Security testing verifies that an application is resistant to attacks. It includes testing for the OWASP Top 10 vulnerabilities (web), OWASP API Security Top 10 (APIs), authentication, authorization, input validation, and business logic abuse.
What is OWASP?
OWASP (Open Worldwide Application Security Project) is a nonprofit foundation that produces freely-available articles, methodologies, documentation, tools, and technologies in application security. The OWASP Top 10 is the most widely referenced security standard.
Do QA engineers need to do security testing in 2026?
Yes. Security testing is part of the modern QA role. Every QA engineer should know how to test for the OWASP Top 10 and use at least one security tool (Burp Suite or OWASP ZAP).
Burp Suite vs OWASP ZAP — which should I use?
Burp Suite Pro is more polished and feature-rich. OWASP ZAP is free, open-source and ships a full active scanner. For a QA engineer starting out, OWASP ZAP is the best choice. For professional penetration testers, Burp Suite Pro is the industry standard.
What is the OWASP Top 10?
The OWASP Top 10 is the de facto list of the most critical web application security risks. Updated every 3–4 years. The current edition is 2021; OWASP Top 10:2025 is in draft.
What is the OWASP API Security Top 10?
The OWASP API Security Top 10 (2023) is the API-specific version covering REST, GraphQL and gRPC. The #1 risk is Broken Object Level Authorization (BOLA).
What is the difference between SAST, SCA, and DAST?
SAST (Static Analysis) analyzes source code without running it (SonarQube, Semgrep). SCA (Software Composition Analysis) scans third-party dependencies (npm audit, Snyk). DAST (Dynamic Analysis) tests the running application (OWASP ZAP, Burp Suite). Run all three for comprehensive coverage.
How long does it take to learn security testing?
For an experienced QA engineer: 2–4 weeks to productive (OWASP Top 10 + Burp Suite basics). For a beginner: 2–3 months of consistent practice.
Can I become a security QA engineer without a security background?
Yes. Learn the OWASP Top 10, get hands-on with Burp Suite and OWASP ZAP, practice on HackTheBox or TryHackMe, earn OSCP, CEH or GWAPT certification, and build a portfolio of bug-bounty findings.
What is the salary for a security QA engineer?
In the US, security QA engineers command $150k–$220k median. Security specialists in pentesting earn $200k–$300k. See our QA Engineer Salary Guide for the full breakdown.
Where can I practice security testing safely?
Use HackTheBox, TryHackMe, OWASP WebGoat or DVWA in isolated environments. Never test against systems you don't own or have explicit permission to test.
How do I test for BOLA?
On every endpoint that accepts an ID, authenticate as user A and request a resource that belongs to user B. A secure API returns 403 Forbidden. Burp Suite's Repeater is ideal for swapping IDs quickly.