test-security

SKILL.md

Security Tests

Write security tests that verify authentication, authorization, and data protection.

Test Creation Checklist

Authentication Testing

  • Verify login succeeds with valid credentials and fails with invalid ones
  • Test token expiration, refresh, and revocation flows
  • Check multi-factor authentication enforcement and bypass prevention
  • Validate session management (creation, timeout, invalidation)
  • Test brute-force protection and account lockout mechanisms
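The five items above map onto a handful of concrete tests. The following block is an added example and is not part of this skill page: it builds a small in-memory stand-in auth service (password hashing, failed-attempt lockout, expiring and revocable tokens) with an injectable clock, then writes the login, token-lifecycle and lockout tests against it. The service, user names and timing constants are all constructed for illustration; the tests are what you would point at the real auth layer.

```python
# Added example, not the skill page's code. The AuthService below is a
# constructed stand-in so the tests can run offline; swap in the real auth layer.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly; tune for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    """Constructed auth service: password login, lockout, expiring/revocable tokens."""
    max_failures: int = 3
    lockout_seconds: int = 300
    token_ttl: int = 60
    now: float = 0.0                                  # injectable clock; tests advance it
    users: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)        # token -> (username, expires_at)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None:
            return None                               # same answer as a bad password: no enumeration
        if self.now < user.locked_until:
            return None                               # locked accounts fail even with the right password
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            user.failed_attempts += 1
            if user.failed_attempts >= self.max_failures:
                user.locked_until = self.now + self.lockout_seconds
            return None
        user.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, self.now + self.token_ttl)
        return token

    def whoami(self, token: str):
        entry = self.tokens.get(token)
        if entry is None or self.now >= entry[1]:
            return None                               # unknown or expired token
        return entry[0]

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)


def _service() -> AuthService:
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed fixture
    return svc


def test_login_valid_and_invalid() -> bool:
    svc = _service()
    assert svc.login("alice", "wrong") is None
    assert svc.login("nobody", "wrong") is None
    assert svc.whoami(svc.login("alice", "correct horse battery staple")) == "alice"
    return True


def test_token_expiry_and_revocation() -> bool:
    svc = _service()
    token = svc.login("alice", "correct horse battery staple")
    svc.now += svc.token_ttl - 1
    assert svc.whoami(token) == "alice"               # still valid one second before the TTL
    svc.now += 1
    assert svc.whoami(token) is None                  # expired exactly at the TTL
    token = svc.login("alice", "correct horse battery staple")
    svc.revoke(token)
    assert svc.whoami(token) is None                  # revocation takes effect immediately
    return True


def test_lockout_after_repeated_failures() -> bool:
    svc = _service()
    for _ in range(svc.max_failures):
        assert svc.login("alice", "wrong") is None
    # The right password is refused while locked and accepted once the lockout lapses.
    assert svc.login("alice", "correct horse battery staple") is None
    svc.now += svc.lockout_seconds
    assert svc.login("alice", "correct horse battery staple") is not None
    return True


if __name__ == "__main__":
    for check in (test_login_valid_and_invalid, test_token_expiry_and_revocation,
                  test_lockout_after_repeated_failures):
        check()
    print("all authentication tests passed")
```

The injectable `now` field is the important design choice: expiry and lockout tests that sleep on a real clock are slow and flaky, while a clock the test controls lets you assert the boundary exactly (valid at ttl-1, invalid at ttl).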

Authorization Boundary Testing

  • Verify role-based access control for all protected resources
  • Test horizontal privilege escalation (accessing other users' data)
  • Test vertical privilege escalation (performing admin-only actions)
  • Check that authorization is enforced at the API layer, not just in the UI
  • Validate that denied requests return no sensitive information in errors
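As an added example (not code from the skill page), here is what the boundary tests look like against a small constructed API that has per-user documents and an admin-only user-deletion endpoint. The tests call the API handlers directly, so they exercise the API-layer checks with no UI in between; the horizontal test is one user reading another's document, the vertical test is a plain user calling the admin endpoint, and the access-matrix test sweeps every user against every resource so no resource is left uncovered. The `Api` class, its users and its documents are all constructed for this example.

```python
# Added example, not the skill page's code. Api is a constructed stand-in.
from dataclasses import dataclass, field

# Denials carry a fixed, generic body: nothing about the resource leaks.
FORBIDDEN = {"status": 403, "body": {"error": "forbidden"}}
NOT_FOUND = {"status": 404, "body": {"error": "not found"}}


@dataclass
class Api:
    users: dict = field(default_factory=lambda: {"alice": "user", "bob": "user", "root": "admin"})
    docs: dict = field(default_factory=lambda: {
        1: {"owner": "alice", "text": "alice's tax return (constructed)"},
        2: {"owner": "bob", "text": "bob's notes (constructed)"},
    })

    def get_doc(self, caller: str, doc_id: int) -> dict:
        doc = self.docs.get(doc_id)
        # Same response for "missing" and "not yours": reveals neither existence nor owner.
        if doc is None or doc["owner"] != caller:
            return NOT_FOUND
        return {"status": 200, "body": doc}

    def delete_user(self, caller: str, target: str) -> dict:
        if self.users.get(caller) != "admin":
            return FORBIDDEN
        self.users.pop(target, None)
        return {"status": 204, "body": {}}


# Strings that must never appear in a denial body (constructed for the fixture above).
SENSITIVE_MARKERS = ("owner", "alice", "tax", "Traceback")


def test_horizontal_escalation_blocked() -> bool:
    api = Api()
    assert api.get_doc("alice", 1)["status"] == 200        # owner can read
    resp = api.get_doc("bob", 1)                           # another user cannot
    assert resp["status"] in (403, 404)
    assert "text" not in resp["body"]
    return True


def test_vertical_escalation_blocked() -> bool:
    api = Api()
    assert api.delete_user("bob", "alice")["status"] == 403
    assert "alice" in api.users                            # refusal had no side effect
    assert api.delete_user("root", "alice")["status"] == 204
    assert "alice" not in api.users
    return True


def test_denials_leak_nothing() -> bool:
    api = Api()
    for resp in (api.get_doc("bob", 1), api.get_doc("bob", 999), api.delete_user("bob", "alice")):
        assert not any(m in str(resp["body"]) for m in SENSITIVE_MARKERS)
    # A foreign document and a missing one are indistinguishable to the caller.
    assert api.get_doc("bob", 1) == api.get_doc("bob", 999)
    return True


def test_access_matrix() -> bool:
    """Every (user, doc) pair: only owners get 200. Catches any resource left unprotected."""
    api = Api()
    allowed = {(u, d) for u in api.users for d in api.docs if api.get_doc(u, d)["status"] == 200}
    expected = {(doc["owner"], d) for d, doc in api.docs.items()}
    assert allowed == expected
    return True


if __name__ == "__main__":
    for check in (test_horizontal_escalation_blocked, test_vertical_escalation_blocked,
                  test_denials_leak_nothing, test_access_matrix):
        check()
    print("all authorization tests passed")
```

The matrix test is the one worth keeping as the API grows: it is generated from the data rather than hand-written per endpoint, so a new resource type that forgets its ownership check shows up as an unexpected 200.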

Injection Prevention

  • Test SQL injection with parameterized and raw query inputs
  • Verify XSS prevention in all user-generated content rendering
  • Check command injection in system call parameters
  • Test path traversal in file upload and download operations
  • Validate LDAP, XML, and template injection resistance
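An added example for the SQL-injection and path-traversal items (not code from the skill page): a deliberately vulnerable string-built query is placed beside its parameterized form, and one test helper feeds textbook probe strings to whichever lookup it is given and reports the ones that returned rows they should not have. The same block adds a `safe_join` for upload paths and tests that traversal attempts are rejected while an ordinary relative path is accepted. The in-memory SQLite table, the probe strings and the temporary upload root are all constructed here.

```python
# Added example, not the skill page's code. The database rows, probe strings
# and upload root are constructed for the example.
import sqlite3
import tempfile
from pathlib import Path

# Classic probe inputs used by the tests (constructed).
PROBES_SQL = ["' OR '1'='1", "x' UNION SELECT name, secret FROM users --", "alice'; --"]
PROBES_PATH = ["../../etc/passwd", "/etc/passwd", "a/../../b", "../uploads/../x"]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])   # constructed rows
    return conn


def find_user_raw(conn, name):
    # Deliberately vulnerable 'before': the name is spliced into the SQL text.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # Hardened 'after': the driver binds the value, so it can never become SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def safe_join(base: str, user_path: str) -> Path:
    """Resolve user_path under base and refuse anything that escapes it."""
    root = Path(base).resolve()
    target = (root / user_path).resolve()          # absolute user_path replaces root entirely
    if target != root and root not in target.parents:
        raise ValueError("path escapes upload root")
    return target


def sql_injection_findings(lookup) -> list:
    """Return the probe strings for which `lookup` returned rows it should not."""
    conn = _db()
    findings = []
    for probe in PROBES_SQL:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            rows = []                                # a syntax error is not a bypass
        if rows:                                     # no user is literally named like a probe
            findings.append(probe)
    return findings


def test_parameterized_query_resists_injection() -> bool:
    assert sql_injection_findings(find_user_safe) == []
    return True


def test_raw_query_is_flagged() -> bool:
    # Confirms the test actually detects the vulnerable version.
    assert "' OR '1'='1" in sql_injection_findings(find_user_raw)
    return True


def test_path_traversal_rejected() -> bool:
    base = tempfile.mkdtemp()                        # constructed upload root
    for probe in PROBES_PATH:
        try:
            safe_join(base, probe)
        except ValueError:
            continue
        raise AssertionError(f"traversal accepted: {probe}")
    assert safe_join(base, "reports/q1.pdf") == Path(base).resolve() / "reports" / "q1.pdf"
    return True


if __name__ == "__main__":
    for check in (test_parameterized_query_resists_injection, test_raw_query_is_flagged,
                  test_path_traversal_rejected):
        check()
    print("all injection tests passed")
```

Two points to carry over to real code: a test that only runs against the fixed version proves nothing, so `test_raw_query_is_flagged` keeps the vulnerable function around purely to show the detector fires; and path checks must operate on the resolved path, since comparing raw strings misses `a/../../b` and absolute inputs.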

Data Protection Verification

  • Verify sensitive data encryption at rest and in transit
  • Check that secrets are not logged, cached, or exposed in errors
  • Test PII masking in logs, exports, and API responses
  • Validate secure deletion of sensitive data on user request
  • Confirm CORS, CSP, and security header configuration
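The following is an added example, not part of the skill page, covering three of the items above in one block: a logging filter that redacts bearer tokens, passwords and card-shaped digit runs before they reach a log sink, a PII-masking step for exports and API responses, and a checker for the security-header and CORS configuration. The redaction patterns, the header policy and every sample value (token, password, card number, email, SSN) are constructed for illustration; the policy table is an assumption to adapt, not a standard.

```python
# Added example, not the skill page's code. Patterns, header policy and all
# sample values are constructed.
import logging
import re
from io import StringIO

# Redaction patterns (constructed): group 1, when present, is the prefix to keep.
SECRET_PATTERNS = [
    re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._\-]+"),
    re.compile(r"(?i)(password=)[^&\s]+"),
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),           # card-number-shaped digit runs
]


class RedactingFilter(logging.Filter):
    """Rewrites the formatted message so no handler ever sees the secret."""
    def filter(self, record: logging.LogRecord) -> bool:
        msg = record.getMessage()
        for pat in SECRET_PATTERNS:
            msg = pat.sub(lambda m: (m.group(1) if m.lastindex else "") + "[REDACTED]", msg)
        record.msg, record.args = msg, ()
        return True


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def mask_pii(record: dict) -> dict:
    """Mask the PII fields of one export/API row; other fields pass through."""
    out = dict(record)
    if "email" in out:
        out["email"] = mask_email(out["email"])
    if "ssn" in out:
        out["ssn"] = "***-**-" + out["ssn"][-4:]
    return out


# Assumed header policy: None means "must be present", a string means "must equal".
REQUIRED_HEADERS = {
    "Content-Security-Policy": None,
    "Strict-Transport-Security": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": None,
}


def missing_security_headers(headers: dict) -> list:
    problems = []
    for name, expected in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None or (expected and value.lower() != expected):
            problems.append(name)
    # Wildcard origin together with credentials is the CORS combination browsers reject
    # and the one a misconfigured proxy most often produces.
    if (headers.get("Access-Control-Allow-Origin") == "*"
            and headers.get("Access-Control-Allow-Credentials", "").lower() == "true"):
        problems.append("CORS: wildcard origin with credentials")
    return problems


def _capture_logs():
    buf = StringIO()
    logger = logging.getLogger("example.redaction")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger, buf


def test_secrets_not_logged() -> bool:
    logger, buf = _capture_logs()
    token = "eyJhbGciOiJIUzI1NiJ9.constructed.token"   # constructed, not a real credential
    logger.info("request headers: Authorization: Bearer %s", token)
    logger.info("form body: user=alice&password=hunter2&remember=1")
    logger.info("card on file: 4111 1111 1111 1111")
    text = buf.getvalue()
    for secret in (token, "hunter2", "4111 1111 1111 1111"):
        assert secret not in text
    assert "user=alice" in text and "[REDACTED]" in text   # non-secret context survives
    return True


def test_pii_masked_in_export() -> bool:
    row = mask_pii({"id": 7, "email": "alice@example.com", "ssn": "123-45-6789"})  # constructed
    assert row["email"] == "a***@example.com" and row["ssn"] == "***-**-6789"
    assert "alice" not in str(row) and row["id"] == 7
    return True


def test_security_headers_present() -> bool:
    good = {"Content-Security-Policy": "default-src 'self'",
            "Strict-Transport-Security": "max-age=63072000",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
    weak = {"X-Content-Type-Options": "nosniff", "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Credentials": "true"}
    assert missing_security_headers(good) == []
    assert missing_security_headers(weak) == ["Content-Security-Policy",
                                              "Strict-Transport-Security", "X-Frame-Options",
                                              "CORS: wildcard origin with credentials"]
    return True
```

The redaction test is deliberately written against what actually reached the sink (`buf.getvalue()`), not against the filter in isolation: the property the checklist asks for is that the secret never lands in a log line, and that is only proven by reading the output.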

Output Format

Report the test plan with priority ratings:

Priority  Description
Must      Tests preventing authentication bypass and data exposure
Should    Authorization boundary tests for privilege escalation
Could     Defense-in-depth tests for secondary attack vectors
Won't     Theoretical attacks requiring physical access or an insider threat