Fundamentals of Testing ISTQB: Security Testing Fundamentals: OWASP Top 10 for Manual Testers

Published on December 14, 2025 | 10-12 min read | Manual Testing & QA

Security Testing Fundamentals: A Manual Tester's Guide to the OWASP Top 10

Looking for fundamentals of testing ISTQB training? As a manual tester, your primary goal is to ensure software is functional, usable, and reliable. But in today's digital landscape, there's a critical fourth pillar: security. Security testing is no longer a niche skill reserved for specialized penetration testers; it's a fundamental competency for every QA professional. This guide demystifies application security for manual testers, focusing on the industry-standard OWASP Top 10. You'll learn how to think like an attacker, identify common vulnerability testing targets, and apply practical techniques to make the applications you test more secure.

Key Takeaway

Security Testing is a type of non-functional testing aimed at discovering vulnerabilities, threats, and risks in software to prevent malicious attacks. The OWASP Top 10 is a regularly updated list of the most critical web application security risks, serving as the essential checklist for manual testers and developers alike.

Why Should Manual Testers Care About Security?

You might wonder if finding security flaws is "your job." The answer is a resounding yes. Manual testers have a unique advantage: they understand user flows, business logic, and application behavior intimately. This contextual knowledge is perfect for uncovering logic-based security flaws that automated scanners often miss. By integrating basic security QA practices into your test cycles, you shift security "left" in the SDLC, finding and fixing issues earlier and cheaper. It makes you a more valuable, well-rounded tester and is a core part of the ISTQB Foundation Level syllabus under the "Test Types" and "Testing Throughout the Software Lifecycle" sections.

Understanding the OWASP Top 10: Your Security Testing Blueprint

The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve software security. Their "Top 10" list is the de facto standard for understanding the most prevalent and dangerous web application vulnerabilities. As a manual tester, this list is your roadmap for vulnerability testing.

How this topic is covered in ISTQB Foundation Level

The ISTQB Foundation Level curriculum introduces security testing as a key objective of testing. It defines it as testing to determine the security of the software product. While it doesn't dive into the specifics of the OWASP Top 10, it establishes the fundamental principles: testing for confidentiality, integrity, availability, authentication, authorization, non-repudiation, and resilience. The OWASP Top 10 provides the practical, real-world vulnerabilities that map directly to these principles.

Core OWASP Top 10 Vulnerabilities for Manual Testing

Let's break down the most critical vulnerabilities you can start testing for today, with a focus on manual techniques.

1. Broken Access Control

What it is: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality or data.

Manual Testing Context: This is a prime area for manual security QA. Automated tools struggle with business logic.

  • Testing for Vertical Privilege Escalation: Log in as a low-privilege user (e.g., "customer"). Try to directly access URLs or API endpoints reserved for high-privilege users (e.g., "/admin/users" or "/api/deleteAllAccounts"). Use browser developer tools to manipulate session cookies or user IDs in requests.
  • Testing for Horizontal Privilege Escalation: Log in as User A. Access a resource belonging to User B by tampering with an ID parameter. For example, if your profile is at `/profile?id=123`, try changing it to `/profile?id=124` to see if you can view another user's data.
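To make the two probes above concrete, here is an added example (not code from the original article) of toy server-side handlers for the `/profile?id=N` and `/api/deleteAllAccounts` endpoints, each in the vulnerable form a tester hopes not to find and the hardened form that should pass the test. The users, roles and profile records are constructed sample data.

```python
# Constructed sample data: profile id -> owner and contents; user -> role
PROFILES = {
    123: {"owner": "alice", "email": "alice@example.test"},
    124: {"owner": "bob", "email": "bob@example.test"},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}

class Forbidden(Exception):
    """Raised when a handler refuses the request."""

def get_profile_vulnerable(session_user, profile_id):
    # Checks only that the caller is logged in, then trusts the id parameter:
    # alice requesting /profile?id=124 gets bob's data (horizontal escalation).
    if session_user not in ROLES:
        raise Forbidden("not authenticated")
    return PROFILES[profile_id]

def get_profile_hardened(session_user, profile_id):
    # Caller must be logged in AND own the record (or hold the admin role).
    if session_user not in ROLES:
        raise Forbidden("not authenticated")
    profile = PROFILES.get(profile_id)
    if profile is None or (profile["owner"] != session_user
                           and ROLES[session_user] != "admin"):
        raise Forbidden("profile not found")  # same answer for missing and not-yours
    return profile

def delete_all_accounts_vulnerable(session_user):
    # Link is hidden from the customer UI, but the role is never checked server-side,
    # so any logged-in user who guesses the URL can call it (vertical escalation).
    if session_user not in ROLES:
        raise Forbidden("not authenticated")
    return "all accounts deleted"

def delete_all_accounts_hardened(session_user):
    # Role is enforced from the server-side session, not inferred from the UI.
    if ROLES.get(session_user) != "admin":
        raise Forbidden("admin role required")
    return "all accounts deleted"

def can_access(handler, session_user, *args):
    """Tester's oracle: True if the handler served the request, False if it refused."""
    try:
        handler(session_user, *args)
        return True
    except Forbidden:
        return False
```

A good bug report records the user you were logged in as, the exact request, and the fact that the hardened behaviour (refusal) did not occur.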

2. Cryptographic Failures (Previously Sensitive Data Exposure)

What it is: Failures related to cryptography (or lack thereof) often lead to exposure of sensitive data like passwords, credit card numbers, or health records.

Manual Testing Context: Your focus is on observation and validation.

  • Check if the application uses HTTPS everywhere (look for the padlock icon). Try accessing the login page via HTTP.
  • Use browser DevTools (Network tab) to inspect traffic. Are passwords sent in plain text? Are session tokens exposed?
  • Check if sensitive data like credit card numbers are masked in the UI and not stored unnecessarily.

3. Injection (The Classic: SQL Injection & More)

What it is: An attacker sends malicious data to an interpreter, tricking it into executing unintended commands. SQL Injection (SQLi) is the most famous example.

Manual Testing Context: This is where you can directly probe for flaws.

  • SQL Injection Testing: In any text input field (login, search), try classic payloads:
    • `'` (single quote) – to see if it breaks the query and causes an error.
    • `' OR '1'='1` – a classic bypass for login forms.
    • `'; DROP TABLE users;--` (never do this on a live system without permission!).
    Observe the application's response. Error messages revealing database structure are a major red flag.
  • Cross-Site Scripting (XSS) Testing: A type of injection where malicious scripts are injected into trusted websites. Try entering simple HTML/JS markup in input fields and see whether the markup is rendered as text or the script executes when the page renders.
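The following added example (not code from the original article) builds a tiny in-memory SQLite login check two ways, so the `'` and `' OR '1'='1` probes listed above can be replayed against both a string-concatenated query and a parameterised one, and adds an unescaped versus escaped HTML sink for the XSS probe. The table, users and passwords are constructed sample data; passwords are stored in clear only to keep the injection point obvious.

```python
import html
import sqlite3

def make_db():
    # Constructed sample table; a real app stores salted password hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'hunter2')")
    return conn

def login_vulnerable(conn, username, password):
    # Query text is assembled by string formatting, so the inputs become SQL.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, username, password):
    # Parameter binding: the driver passes values separately, never as SQL text.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def probe(login, conn, username, password):
    """Tester's oracle: 'accepted', 'rejected' or 'error' for a given payload."""
    try:
        return "accepted" if login(conn, username, password) else "rejected"
    except sqlite3.Error:
        return "error"   # a lone quote breaking the statement is the red flag

def render_comment_vulnerable(text):
    # Reflecting input unescaped into HTML is the sink the XSS probe looks for.
    return f"<p class='comment'>{text}</p>"

def render_comment_hardened(text):
    # Escaping for the HTML body context turns tags and quotes into entities.
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"
```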

Practical Extension: How this is applied in real projects (beyond ISTQB theory)

While ISTQB teaches the "what" and "why" of security testing, real-world projects demand the "how." For instance, when testing for Injection, you'll often use a combination of manual probing and proxy tools like Burp Suite or OWASP ZAP to intercept and manipulate requests. You'll also need to understand the application's context—testing a financial app requires more stringent checks for cryptographic failures than a simple blog. This blend of foundational theory and hands-on tool skills is what separates competent testers from experts.

Want to build this practical skill set? Our ISTQB-aligned Manual & Automation Testing Course bridges this exact gap, moving from ISTQB concepts to real-world vulnerability testing techniques.

4. Insecure Design

What it is: This category focuses on flaws in the architecture and design of the application. It's about missing or ineffective control design.

Manual Testing Context: This requires critical thinking about business logic.

  • Can you bypass a "one-time password" (OTP) flow by directly calling the verification API?
  • Does the "Forgot Password" function allow unlimited attempts, enabling attackers to guess reset codes?
  • Is there a flawed approval workflow where a user can approve their own request?
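As an added example (not code from the original article) of the second question above, here is a toy password-reset-code verifier with and without an attempt limit, plus a tester's oracle that counts how many sequential guesses it takes to get in. Users and codes are constructed sample data; the 4-digit code length, the limit of 5 attempts and the optional `code` parameter (which only exists so a test can pick the code) are assumptions of this example.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5   # assumed policy for the hardened variant
CODE_LEN = 4       # assumed short numeric code, as commonly sent by SMS

class ResetService:
    def __init__(self, limit_attempts):
        self.limit_attempts = limit_attempts
        self._codes = {}      # user -> pending code
        self._attempts = {}   # user -> failed guesses against the pending code

    def request_reset(self, user, code=None):
        # Returns the code only so the example can drive itself; a real service
        # delivers it out of band and never hands it back to the caller.
        if code is None:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        self._codes[user] = code
        self._attempts[user] = 0
        return code

    def verify(self, user, guess):
        code = self._codes.get(user)
        if code is None:
            return False
        if self.limit_attempts and self._attempts[user] >= MAX_ATTEMPTS:
            self._codes.pop(user)   # code burned; user must request a new one
            return False
        ok = hmac.compare_digest(code, guess)   # constant-time comparison
        if ok:
            self._codes.pop(user)   # single use
        else:
            self._attempts[user] += 1
        return ok

def count_guesses_until_success(service, user):
    """Tester's oracle: guesses needed to get in by counting upward, or 0 if locked out."""
    for n in range(10 ** CODE_LEN):
        if service.verify(user, f"{n:0{CODE_LEN}d}"):
            return n + 1
    return 0
```

With no limit, a 4-digit code falls to at most 10,000 requests, which is the design flaw the bullet describes; with the limit, the code is invalidated after five failures regardless of how fast the attacker is.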

5. Security Misconfiguration

What it is: This occurs when security settings are not defined, implemented, or maintained properly.

Manual Testing Context: Often found through reconnaissance.

  • Check for default files: `/robots.txt`, `/phpinfo.php`, `/admin`, `/backup`.
  • Do error messages reveal stack traces, framework versions, or server details?
  • Are unnecessary HTTP methods (like PUT, DELETE) enabled on the server?
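Here is an added example (not code from the original article) that turns the last two bullets into a repeatable check: it parses a raw HTTP response and reports version disclosure in headers, unsafe methods advertised in `Allow`, and stack traces in error pages. The response text is a constructed sample, with made-up product names, not output from any real server.

```python
import re

# Constructed sample response; product names and versions are invented
SAMPLE_RESPONSE = """HTTP/1.1 500 Internal Server Error
Server: ExampleHTTPd/4.2.1 (Unix)
X-Powered-By: ExampleLang/7.4
Allow: GET, POST, PUT, DELETE, OPTIONS
Content-Type: text/html

<h1>Whoops, looks like something went wrong.</h1>
<pre>Stack trace:
#0 /var/www/app/vendor/framework/Router.php(118): handle()
#1 {main}</pre>
"""

UNSAFE_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def audit_response(raw):
    """Return human-readable findings for a bug report; an empty list means clean."""
    status, headers, body = parse_response(raw)
    findings = []
    for h in ("server", "x-powered-by"):
        if h in headers and re.search(r"\d+\.\d+", headers[h]):
            findings.append(f"{h} header discloses software version: {headers[h]}")
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    for m in sorted(allowed & UNSAFE_METHODS):
        findings.append(f"HTTP method {m} enabled on the server")
    is_error = status.split()[1].startswith("5")
    if is_error and re.search(r"stack trace|#\d+ /|\.php\(\d+\)", body, re.I):
        findings.append("error page leaks a stack trace and internal file paths")
    return findings
```

Whether a method listed in `Allow` is actually usable still has to be confirmed by sending it; the header is the lead, not the proof.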

Building Your Manual Security Testing Workflow

You don't need to be a hacker to start. Follow this simple, iterative workflow:

  1. Reconnaissance: Map the application. Understand all entry points (forms, URLs, APIs, file uploads).
  2. Authentication & Session Testing: Test login, logout, password policies, and session management.
  3. Authorization Testing: Systematically test for Broken Access Control as described above.
  4. Input Validation Testing: Target every input field for Injection and XSS. Test upload functionality for malicious files.
  5. Observation & Reporting: Document every test, payload used, and the application's response. A clear, reproducible bug report is crucial.

Mastering this workflow starts with a solid foundation in testing principles. Our ISTQB-aligned Manual Testing Fundamentals course is designed to build that foundation before layering on advanced topics like security.

Tools to Augment Your Manual Testing

While this guide focuses on manual techniques, smart testers use tools to enhance their efficiency:

  • Browser Developer Tools (F12): Your #1 tool for inspecting elements, monitoring network traffic, and manipulating client-side data.
  • OWASP ZAP (Zed Attack Proxy): A free, open-source security tool for finding vulnerabilities. Use its automated scanner as a starting point, then manually explore the alerts it generates.
  • Burp Suite Community Edition: A powerful platform for web security testing. Its proxy lets you intercept, inspect, and modify traffic between your browser and the web app.

Conclusion: Becoming a Security-Conscious Tester

Integrating OWASP Top 10 awareness into your manual testing process is a career-defining step. It transforms you from a functional validator to a quality engineer who protects the business and its users. Start small: in your next test cycle, pick one vulnerability category (like Broken Access Control) and spend 30 minutes exploring the application with a "security lens." The mindset shift—from "does it work?" to "can it be broken?"—is the most powerful tool you have.

Remember, the goal isn't to find every possible hack but to identify the obvious, high-risk vulnerabilities that could cause real damage. By combining the structured approach of ISTQB Foundation Level with the practical, hands-on techniques for application security testing, you position yourself at the forefront of modern QA.

Frequently Asked Questions (FAQs) on Security Testing

I'm a complete beginner in manual testing. Should I learn security testing right away?
Answer: Focus on core manual testing skills first (test design, bug reporting, SDLC). Once you're comfortable, security testing is the perfect next step to specialize and increase your value. A course that blends both, like our Manual Testing Fundamentals, provides a structured path.
Do I need to know how to code to do manual security testing?
Answer: Not necessarily for basic testing. Understanding how web applications work (HTTP, client-server, basic HTML/JS) is more critical initially. However, knowing SQL helps with understanding injection, and basic scripting can automate repetitive tasks later.
Is the OWASP Top 10 only for web applications? What about mobile or desktop apps?
Answer: It's primarily for web apps, but the core concepts (Injection, Broken Access Control, Cryptographic Failures) apply universally. Mobile and desktop apps have their own additional concerns (e.g., insecure data storage on device, inter-process communication).
What's the difference between a vulnerability and a bug?
Answer: All vulnerabilities are bugs, but not all bugs are vulnerabilities. A bug is a flaw in the software. A vulnerability is a specific type of bug that can be exploited to compromise security (e.g., a crash bug vs. a SQL injection bug).
How do I convince my manager or team to let me spend time on security testing?
Answer: Frame it in terms of risk and cost. Explain that finding a critical security flaw during QA is far cheaper (in terms of money and reputation) than having it discovered after a data breach. Start by adding a few security-focused test cases to existing smoke or regression suites.
Can automated tools replace manual security testing?
Answer: No. Automated scanners (DAST/SAST) are excellent for finding low-hanging fruit and known patterns. Manual testing is essential for uncovering business logic flaws, complex multi-step attacks, and vulnerabilities that require human intuition and understanding of context.
Is it legal to test for vulnerabilities in any website?
Answer: Absolutely not. Only test applications you own or have explicit, written permission to test. Unauthorized testing is illegal and considered hacking. Always operate within a defined scope and rules of engagement.
I'm studying for the ISTQB exam. How much of this will be on the test?
Answer: The ISTQB Foundation Level exam will test your understanding of security testing as a concept and test type. You need to know its objectives and why it's important. It will not ask you specific questions about SQL injection syntax or OWASP categories. A good training course will cover both the exam theory and its practical application, preparing you for both the test and the job.

Ready to Master Manual Testing?

Transform your career with our comprehensive manual testing courses. Learn from industry experts with live 1:1 mentorship.