OWASP Top 10 for Testers
Every tester should be able to write test cases for the OWASP Top 10 — the most commonly exploited web application vulnerabilities. This topic turns each OWASP category into concrete, executable test cases that SDETs can add to their regression suites.
Testable Security Check Patterns
// ══════════════════════════════════════════════════════════════
// SECURITY TEST CASES FOR THE MOST CRITICAL OWASP CATEGORIES
// ══════════════════════════════════════════════════════════════
const securityTestCases = {
  // ── A01: Broken Access Control ───────────────────────────
  A01: [
    {
      id: "SEC-001",
      title: "Regular user cannot access admin endpoints",
      steps: [
        "Login as regular user alice@test.com",
        "GET /api/admin/users (admin-only endpoint)",
      ],
      expected: "HTTP 403 Forbidden — not 200 or 404",
    },
    {
      id: "SEC-002",
      title: "User cannot access another user's order",
      steps: [
        "Login as alice@test.com (user ID: 123)",
        "GET /api/users/456/orders (another user's orders)",
      ],
      expected: "HTTP 403 Forbidden",
    },
    {
      id: "SEC-003",
      title: "Manipulating object IDs in request doesn't expose other users' data",
      steps: [
        "Login as alice (ID: 123). GET /api/orders/ORD-100",
        "Check if ORD-100 belongs to alice",
        "Try GET /api/orders/ORD-101 (belongs to bob)",
      ],
      expected: "HTTP 403 or 404",
    },
  ],
  // ── A07: Auth Failures ───────────────────────────────────
  A07: [
    {
      id: "SEC-010",
      title: "Account lockout after 5 failed login attempts",
      steps: ["Attempt login with wrong password 5 times for same account"],
      expected: "Account locked on 6th attempt (not just rate limited)",
    },
    {
      id: "SEC-011",
      title: "Session token is invalidated after logout",
      steps: [
        "Login → capture session token",
        "Logout via POST /api/auth/logout",
        "Use captured token on GET /api/user/profile",
      ],
      expected: "HTTP 401 — token is no longer valid",
    },
    {
      id: "SEC-012",
      title: "Password reset token is single-use",
      steps: [
        "Request password reset → get reset token from email",
        "Use token once to reset password",
        "Attempt to use the SAME token a second time",
      ],
      expected: "Second use returns 400 Invalid token",
    },
    {
      id: "SEC-013",
      title: "Weak passwords are rejected",
      testData: ["password", "123456", "qwerty", "abc123"],
      expected: "All rejected with 'Password too weak' message",
    },
  ],
  // ── A05: Security Misconfiguration ───────────────────────
  A05: [
    {
      id: "SEC-020",
      title: "Error responses don't expose stack traces",
      steps: ["Send malformed request to any endpoint"],
      expected: "Generic error message — no stack trace, no line numbers, no internal paths",
    },
    {
      id: "SEC-021",
      title: "Security response headers are present",
      steps: ["GET / and check response headers"],
      expected: "Headers present: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security: max-age=31536000, Content-Security-Policy: (defined policy)",
    },
  ],
};
Common Mistakes
- Testing only authenticated endpoints — test guest/anonymous access paths too; public endpoints are the most commonly attacked
- Using the same user for all security tests — use multiple user accounts with different roles (guest, user, admin) to test access control thoroughly
- Accepting 404 for forbidden resources — returning 404 for an existing resource that the user doesn't have permission to access can hide IDOR vulnerabilities
- Not testing horizontal privilege escalation — lateral access (user A accessing user B's data) is different from vertical (user accessing admin feature); test both
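To show how the SEC-001, SEC-002 and SEC-011 definitions above become executable checks, here is an added example that is not part of the original page: a small in-process fake of the API (constructed users, token format and endpoints are assumptions) and a runner that returns a pass/fail record per check. The fake can be built with object-level authorization switched off, which reproduces the IDOR class of bug that SEC-002 exists to catch.

```javascript
// Constructed sample users: role drives vertical access, id drives horizontal access.
const USERS = {
  "alice@test.com": { id: 123, role: "user" },
  "bob@test.com":   { id: 456, role: "user" },
};

// Builds an in-process stand-in for the API under test (assumed shape, not a real service).
// enforceObjectLevelAuth=false deliberately omits the ownership check on /api/users/:id/orders.
function makeApi({ enforceObjectLevelAuth = true } = {}) {
  const sessions = new Map(); // token -> user; entry is removed on logout
  let counter = 0;
  return {
    login(email) {
      const token = `tok-${++counter}`;
      sessions.set(token, USERS[email]);
      return token;
    },
    // Returns an HTTP-like status code for the request.
    request(method, path, token) {
      if (method === "POST" && path === "/api/auth/logout") {
        sessions.delete(token); // invalidate server-side, not only in the client
        return 204;
      }
      const user = sessions.get(token);
      if (!user) return 401; // missing, forged or logged-out token
      if (path.startsWith("/api/admin/")) return user.role === "admin" ? 200 : 403;
      const m = path.match(/^\/api\/users\/(\d+)\/orders$/);
      if (m) {
        if (enforceObjectLevelAuth && Number(m[1]) !== user.id) return 403;
        return 200;
      }
      if (path === "/api/user/profile") return 200;
      return 404;
    },
  };
}

// Executable versions of SEC-001, SEC-002 and SEC-011; each result is {id, expected, got, pass}.
function runSecurityChecks(api) {
  const results = [];
  const check = (id, expected, got) => results.push({ id, expected, got, pass: got === expected });
  const token = api.login("alice@test.com");          // regular user, ID 123
  check("SEC-001", 403, api.request("GET", "/api/admin/users", token));
  check("SEC-002", 403, api.request("GET", "/api/users/456/orders", token));
  api.request("POST", "/api/auth/logout", token);      // then reuse the captured token
  check("SEC-011", 401, api.request("GET", "/api/user/profile", token));
  return results;
}

// Usage: console.table(runSecurityChecks(makeApi()));
```

Against a real service, replace `makeApi()` with a thin HTTP client exposing the same `login`/`request` shape and keep the check definitions unchanged.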
Tip
Practice OWASP Top 10 for Testers in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
OWASP Top 10 checklist.
Practice Task
(1) Write a working example of OWASP Top 10 for Testers from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with OWASP Top 10 for Testers is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready software testing code.