Security & VAPT
Automated OWASP Top 10 and vulnerability scanning integrated into your continuous testing pipeline.
What this module tests
The Security & VAPT module generates and runs automated security test cases targeting common vulnerability classes. Tests are scoped to the endpoints and pages in your Knowledge Base, ensuring security coverage is aligned with your actual application surface.
Vulnerability classes tested:
- Injection — SQL injection, NoSQL injection, command injection probe payloads
- Broken Authentication — missing rate limits, weak token entropy, session fixation
- Cross-Site Scripting (XSS) — reflected and stored XSS probe payloads in form inputs and URL parameters
- Broken Access Control — IDOR probes (accessing another user's resources), privilege escalation paths
- Security Misconfiguration — missing security headers, verbose error messages exposing stack traces, open CORS
- Sensitive Data Exposure — plaintext sensitive fields in responses, missing HTTPS enforcement
- CSRF — missing CSRF tokens on state-changing endpoints
Run on staging only. Security tests send probe payloads that may create junk data. Configure the Security module to run against your staging environment, not production. Set this in Project Settings → Environments → Security Scan Target.
Test scope
Security tests are scoped to the endpoints and pages defined in your KB domains. Only URLs and API endpoints you've described in the KB are tested — VigilQA does not crawl or discover additional attack surface beyond what is in scope.
For API endpoints, additional scope can be added by uploading an OpenAPI spec in Project Settings → API Spec.
KB scenario format for security tests
# Security scenario example
domain: auth-api
scenarios:
- id: SEC-AUTH-001
title: "Login endpoint rejects SQL injection in email field"
module: security
auth_required: false
steps:
- Send POST to /api/auth/login with email containing SQL injection payload
expected: >
HTTP 400 or 422 response.
No database error messages exposed in response body.
Application does not return HTTP 200 or 500 for injection payloads.
- id: SEC-AUTH-002
title: "Protected endpoints return 401 without auth token"
module: security
steps:
- Send GET to /api/v1/users/me without any Authorization header
expected: >
HTTP 401 response.
Response does not include any user data.
WWW-Authenticate header is present.
Severity classification
| Severity | Definition | Example |
|---|---|---|
| Critical | Exploitable with immediate impact on data or system integrity | SQL injection returning database rows |
| High | Significant vulnerability requiring prompt remediation | Missing authentication on admin endpoints |
| Medium | Vulnerability with limited exploitability or impact | Missing CSRF protection on low-risk forms |
| Low | Best-practice issue with minimal direct risk | Verbose error messages |
| Informational | Configuration observation, no direct risk | Missing optional security header |
Reporting and integration
Security findings are available in the Security tab of the run results view. Findings marked as Critical or High automatically create Bug Tracker entries (if the Bug Tracker module is enabled). Reports can be exported as PDF or JSON for compliance and audit purposes.