Vulnerability

A vulnerability is a flaw or weakness in software that can be exploited by an attacker to perform unauthorized actions — accessing data, modifying behavior, or compromising the system.

Common web vulnerabilities:

• SQL Injection: Inserting malicious SQL through input fields
• XSS (Cross-Site Scripting): Injecting malicious scripts into web pages
• CSRF (Cross-Site Request Forgery): Tricking users into performing actions
• Broken Authentication: Session hijacking, weak passwords
• Broken Access Control: Accessing resources without authorization
• Path Traversal: Accessing files outside intended directories

Vulnerability severity (CVSS scoring):

• Critical (9.0-10.0): Remote code execution, no authentication needed
• High (7.0-8.9): Significant impact, some conditions required
• Medium (4.0-6.9): Limited impact or requires significant conditions
• Low (0.1-3.9): Minimal impact

QA can find vulnerabilities during regular testing:

• Try special characters in input fields: ' " < > ; --
• Check if you can access other users' data by changing IDs in URLs
• Verify that logged-out users can't access protected pages
• Check that API endpoints validate authentication