VigilQA Docs

Security & VAPT

Automated OWASP Top 10 and vulnerability scanning integrated into your continuous testing pipeline.

What this module tests

The Security & VAPT module generates and runs automated security test cases targeting common vulnerability classes. Tests are scoped to the endpoints and pages in your Knowledge Base, ensuring security coverage is aligned with your actual application surface.

Vulnerability classes tested:

  • Injection — SQL injection, NoSQL injection, command injection probe payloads
  • Broken Authentication — missing rate limits, weak token entropy, session fixation
  • Cross-Site Scripting (XSS) — reflected and stored XSS probe payloads in form inputs and URL parameters
  • Broken Access Control — IDOR probes (accessing another user's resources), privilege escalation paths
  • Security Misconfiguration — missing security headers, verbose error messages exposing stack traces, open CORS
  • Sensitive Data Exposure — plaintext sensitive fields in responses, missing HTTPS enforcement
  • CSRF — missing CSRF tokens on state-changing endpoints

Run on staging only. Security tests send probe payloads that may create junk data. Configure the Security module to run against your staging environment, not production. Set this in Project Settings → Environments → Security Scan Target.

Test scope

Security tests are scoped to the endpoints and pages defined in your KB domains. Only URLs and API endpoints you've described in the KB are tested — VigilQA does not crawl or discover additional attack surface beyond what is in scope.

For API endpoints, additional scope can be added by uploading an OpenAPI spec in Project Settings → API Spec.

KB scenario format for security tests

# Security scenario example
domain: auth-api
scenarios:
  - id: SEC-AUTH-001
    title: "Login endpoint rejects SQL injection in email field"
    module: security
    auth_required: false
    steps:
      - Send POST to /api/auth/login with email containing SQL injection payload
    expected: >
      HTTP 400 or 422 response.
      No database error messages exposed in response body.
      Application does not return HTTP 200 or 500 for injection payloads.

  - id: SEC-AUTH-002
    title: "Protected endpoints return 401 without auth token"
    module: security
    steps:
      - Send GET to /api/v1/users/me without any Authorization header
    expected: >
      HTTP 401 response.
      Response does not include any user data.
      WWW-Authenticate header is present.

Severity classification

SeverityDefinitionExample
CriticalExploitable with immediate impact on data or system integritySQL injection returning database rows
HighSignificant vulnerability requiring prompt remediationMissing authentication on admin endpoints
MediumVulnerability with limited exploitability or impactMissing CSRF protection on low-risk forms
LowBest-practice issue with minimal direct riskVerbose error messages
InformationalConfiguration observation, no direct riskMissing optional security header

Reporting and integration

Security findings are available in the Security tab of the run results view. Findings marked as Critical or High automatically create Bug Tracker entries (if the Bug Tracker module is enabled). Reports can be exported as PDF or JSON for compliance and audit purposes.