Install
Install via the SkillsCat registry:

    npx skillscat add ozerohax/assistagents/testing-security
SKILL.md
Authorization model and roles
List of critical endpoints/functions
Data classification and risk areas
Allowed check set and environment
Access to logs/monitoring and request-id
</input_requirements>
Verify authn/authz for each role and forbidden path
Verify session management (expiration, logout, refresh)
Verify input validation (XSS/SQLi) without destroying data
Verify CSRF for state-changing operations (if applicable)
Verify rate limiting and abuse blocking
Check for data leaks in responses, logs, and error messages
</execution_rules>
Broken access control
Authentication failures
Security misconfiguration
Data exposure (PII/secrets)
Validation and injection vulnerabilities
All steps are reproducible and documented
Role, token, and request context are stated
Evidence exists (request/response, request-id)
Risk assessment is tied to data and roles
</quality_rules>
Do not run security tests without permission
Do not test production without permission
Do not perform destructive actions or mass deletions
Do not extract or store real user data
</do_not>
Verify User role access to an Admin resource (must be forbidden)
Verify session expiration and that a logged-out session token is no longer accepted
Verify handling of dangerous characters in input fields
</example_checks>
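The execution rules and the example checks above describe one non-destructive procedure, and the quality rules say what evidence each step must leave behind. The following is an added example, not code from the skill or the ozerohax/assistagents project: a small Python harness that runs the role/authz, logout, dangerous-input/leak and login rate-limit checks and records role, token hint, request context, status and request-id for every request. The target, FakeApp, is a constructed in-memory stand-in with a hardened switch so both the passing and the failing outcome can be seen offline; the endpoint paths, DANGEROUS_INPUTS and LEAK_PATTERNS are assumptions to be adjusted per target, and FakeApp.request is where a real HTTP client call against an authorised test environment would go.

```python
"""Non-destructive check harness for the skill's execution rules.
Added example: the target (FakeApp) is a constructed stand-in, not a real app;
paths, payloads and leak patterns are assumptions to be tuned per target."""
import re
import secrets
import uuid
from dataclasses import dataclass, asdict

# Assumed probe inputs and error-leak signatures (constructed for this example).
DANGEROUS_INPUTS = ["' OR 1=1--", "<script>alert(1)</script>", "../../etc/passwd"]
LEAK_PATTERNS = re.compile(r"Traceback|postgres://|AKIA[0-9A-Z]{16}|password=", re.I)


class FakeApp:
    """Constructed in-memory target. hardened=False reproduces the weaknesses
    the checks are meant to find (open admin route, sticky session, leaky 500,
    no login throttling). Replace request() with a real HTTP call in practice."""

    def __init__(self, hardened=True):
        self.hardened = hardened
        self.sessions = {}        # token -> role
        self.login_attempts = 0

    def login(self, role):        # test fixture: mint a session for a given role
        token = secrets.token_hex(16)
        self.sessions[token] = role
        return token

    def request(self, method, path, token=None, params=None):
        request_id = str(uuid.uuid4())   # stands in for the app's X-Request-Id header
        params = params or {}
        if path == "/login":
            self.login_attempts += 1
            if self.hardened and self.login_attempts > 5:
                return 429, {"error": "too many attempts"}, request_id
            return 401, {"error": "bad credentials"}, request_id
        role = self.sessions.get(token)
        if role is None:
            return 401, {"error": "unauthenticated"}, request_id
        if method == "POST" and path == "/logout":
            if self.hardened:                # weak app only clears the client cookie
                self.sessions.pop(token)
            return 204, {}, request_id
        if path == "/admin/users":
            if role != "admin" and self.hardened:
                return 403, {"error": "forbidden"}, request_id
            return 200, {"users": ["alice", "bob"]}, request_id
        if path == "/search":
            q = params.get("q", "")
            if not self.hardened and "'" in q:   # unhandled SQL error leaks the DSN
                return 500, {"error": "Traceback: connect(postgres://app:pw@db/prod)"}, request_id
            return 200, {"results": [], "query": q}, request_id
        return 200, {"ok": True}, request_id


@dataclass
class Evidence:
    check: str
    role: str
    token_hint: str      # last 4 characters only; never store the full credential
    method: str
    path: str
    status: int
    request_id: str
    passed: bool


def record(app, check, role, token, method, path, ok, params=None):
    """Send one request and keep the context the quality rules require."""
    status, body, rid = app.request(method, path, token, params)
    return Evidence(check, role, (token or "")[-4:], method, path, status, rid, ok(status, body))


def check_admin_forbidden_for_user(app):
    token = app.login("user")
    return record(app, "user->admin", "user", token, "GET", "/admin/users", lambda s, b: s == 403)


def check_logout_invalidates_session(app):
    token = app.login("user")
    before = record(app, "session-before-logout", "user", token, "GET", "/profile", lambda s, b: s == 200)
    logout = record(app, "logout", "user", token, "POST", "/logout", lambda s, b: s == 204)
    after = record(app, "session-after-logout", "user", token, "GET", "/profile", lambda s, b: s == 401)
    return [before, logout, after]


def check_dangerous_input_no_leak(app):
    """Read-only probe: a 5xx or a leak signature in the body is a finding."""
    token = app.login("user")
    return [record(app, f"input:{p[:12]}", "user", token, "GET", "/search",
                   lambda s, b: s < 500 and not LEAK_PATTERNS.search(str(b)), params={"q": p})
            for p in DANGEROUS_INPUTS]


def check_login_rate_limited(app, attempts=10):
    results = [app.request("POST", "/login", params={"u": "x", "p": "y"}) for _ in range(attempts)]
    status, _, rid = results[-1]
    return Evidence("login-rate-limit", "anonymous", "", "POST", "/login", status, rid,
                    any(s == 429 for s, _, _ in results))


def run_all(app):
    evidence = [check_admin_forbidden_for_user(app)]
    evidence += check_logout_invalidates_session(app)
    evidence += check_dangerous_input_no_leak(app)
    evidence.append(check_login_rate_limited(app))
    return evidence


def report(app):
    evidence = run_all(app)
    return {"passed": all(e.passed for e in evidence),
            "findings": [asdict(e) for e in evidence if not e.passed]}


if __name__ == "__main__":
    for name, target in (("hardened", FakeApp()), ("weak", FakeApp(hardened=False))):
        print(name, report(target))
```

Each finding carries the role, a token hint rather than the token, the method and path, the status and the request-id, which is what lets someone else reproduce the step from the report without being handed real credentials or user data.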