
Security Testing Basics for Vibecoded Apps

AI-generated code is especially vulnerable to security issues because the models that write it optimize for functionality, not security. Even basic security testing can catch critical vulnerabilities before attackers do.

Last updated: 2026-03-14

Testing for Cross-Site Scripting (XSS)

Enter a script tag (<script>alert('xss')</script>) into every input field and search bar in your app, then check if it executes. Try variations like event handlers (onload, onerror) in image tags and SVG elements. AI-generated code frequently renders user input without sanitization, especially in features added later in development.

Check stored XSS by entering a script payload in one place (like a profile name or comment) and seeing if it executes when other users view that content. Also test reflected XSS by manipulating URL parameters — many vibecoded apps display query parameters directly in the page without escaping.
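The two paths described above (stored XSS through a comment, reflected XSS through a query parameter), as an added example that is not code from the original article: each rendering step is written once the way AI-generated code often does it (raw string concatenation) and once with output escaping, and a small harness feeds the probes from this section through both. The function names, the markup and the example URL are assumptions made for illustration.

```javascript
// Added example, not code from the original article. Function names, markup
// and the example URL are assumptions.

// The probes from the article (script tag, event handlers in img/svg) plus one
// harmless string that must survive escaping with its meaning intact.
const XSS_PROBES = [
  "<script>alert('xss')</script>",
  '<img src=x onerror="alert(1)">',
  '<svg onload="alert(1)"></svg>',
  'Tom & Jerry <3',
];

// Escape the characters that let text break out of an HTML text node or a
// double-quoted attribute value. This is the fix: escape at output time.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored XSS path: a comment is rendered for every viewer.
// Vulnerable: user-controlled text is concatenated straight into the markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}
// Fixed: every user-controlled value passes through escapeHtml.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Reflected XSS path: the search page echoes the q= query parameter.
function renderSearchHeadingUnsafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for ${q}</h1>`;
}
function renderSearchHeadingSafe(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// A probe "survives" when it appears byte-for-byte in the rendered HTML, i.e.
// the browser would parse it as markup rather than text. Each audit returns
// the surviving probes, so an empty list means everything was escaped.
function auditCommentRenderer(render) {
  return XSS_PROBES.filter(probe => render('alice', probe).includes(probe));
}
function auditSearchRenderer(render) {
  return XSS_PROBES.filter(probe => {
    const url = 'https://app.example/search?q=' + encodeURIComponent(probe);
    return render(url).includes(probe);
  });
}

console.log('unsafe comment renderer leaks:', auditCommentRenderer(renderCommentUnsafe));
console.log('safe comment renderer leaks:  ', auditCommentRenderer(renderCommentSafe));
console.log('unsafe search renderer leaks: ', auditSearchRenderer(renderSearchHeadingUnsafe));
console.log('safe search renderer leaks:   ', auditSearchRenderer(renderSearchHeadingSafe));
```

The survives-check is a string heuristic: it flags input that reaches the page unescaped, which is the defect this section is about, but only a browser (or a headless one in CI) can confirm that a given payload actually executes in a given context. Note that escaping is context-specific; the function above is correct for text nodes and quoted attribute values, not for inserting into JavaScript, URLs or CSS.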

Testing Access Control

Log in as a regular user and try to access admin pages by navigating directly to their URLs. AI-generated apps often check permissions in the navigation menu but not on the actual page or API endpoint, meaning anyone who guesses the URL can access admin features.

Test horizontal access control by trying to access another user's data. Change user IDs in URLs, API requests, and hidden form fields. For example, if your profile is at /users/123/settings, try /users/124/settings while logged in as user 123. This is one of the most common and most dangerous vulnerabilities in vibecoded apps.
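The vertical (/admin) and horizontal (/users/124/settings as user 123) checks from this section, as an added example that is not code from the original article: the endpoints are modelled as plain functions so the checks run without a web framework, with the route shape, the in-memory user table and the handler names all being assumptions for illustration.

```javascript
// Added example, not code from the original article. Routes, handler names
// and the in-memory user table are assumptions.

const USERS = {                                  // constructed sample data
  123: { id: 123, role: 'user',  email: 'alice@example.test', theme: 'dark' },
  124: { id: 124, role: 'user',  email: 'bob@example.test',   theme: 'light' },
  1:   { id: 1,   role: 'admin', email: 'root@example.test',  theme: 'dark' },
};

// A request as the handler sees it: who is logged in (taken from the session
// cookie, never from the URL or a hidden form field) and which id the URL names.
function request(sessionUserId, path) {
  const m = path.match(/^\/users\/(\d+)\/settings$/);
  return { sessionUserId, path, targetId: m ? Number(m[1]) : null };
}

// Vulnerable: the handler trusts the id in the URL. Any logged-in user (or
// nobody at all) can read another user's settings by changing the number.
function settingsHandlerUnsafe(req) {
  const user = USERS[req.targetId];
  return user ? { status: 200, body: user } : { status: 404 };
}

// Fixed: the record is returned only when the session user owns it or holds
// the admin role. The check lives in the handler, not in the navigation menu.
function settingsHandlerSafe(req) {
  const caller = USERS[req.sessionUserId];
  if (!caller) return { status: 401 };
  const user = USERS[req.targetId];
  if (!user) return { status: 404 };
  if (caller.id !== user.id && caller.role !== 'admin') return { status: 403 };
  return { status: 200, body: user };
}

// Vertical access control: /admin must check the role on the server side.
function adminHandlerUnsafe(_req) {
  return { status: 200, body: 'admin panel' };
}
function adminHandlerSafe(req) {
  const caller = USERS[req.sessionUserId];
  if (!caller) return { status: 401 };
  if (caller.role !== 'admin') return { status: 403 };
  return { status: 200, body: 'admin panel' };
}

// The manual tests from the article, automated: log in as user 123, read your
// own settings, then user 124's, then the admin page, then repeat the settings
// read with no session. Returns findings; an empty list means the handlers pass.
function auditAccessControl(settingsHandler, adminHandler) {
  const findings = [];
  if (settingsHandler(request(123, '/users/123/settings')).status !== 200) {
    findings.push('own settings not readable');
  }
  if (settingsHandler(request(123, '/users/124/settings')).status === 200) {
    findings.push('horizontal: user 123 read user 124 settings');
  }
  if (adminHandler(request(123, '/admin')).status === 200) {
    findings.push('vertical: regular user reached /admin');
  }
  if (settingsHandler(request(null, '/users/123/settings')).status === 200) {
    findings.push('unauthenticated read of settings');
  }
  return findings;
}

console.log('unsafe handlers:', auditAccessControl(settingsHandlerUnsafe, adminHandlerUnsafe));
console.log('safe handlers:  ', auditAccessControl(settingsHandlerSafe, adminHandlerSafe));
```

The same ownership check belongs on every route that takes an object id (settings, orders, files, API endpoints behind the UI), and on writes as well as reads; a single shared helper that resolves the caller from the session and compares it against the record's owner is easier to audit than a check copied into each handler.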

Testing for Injection and CSRF

Test for SQL injection by entering SQL fragments (like ' OR 1=1 --) into input fields and URL parameters. While ORMs typically prevent basic SQL injection, AI-generated code sometimes includes raw queries for complex operations. Also test for NoSQL injection if you use MongoDB — payloads like {"$gt": ""} in JSON inputs can bypass authentication.
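The NoSQL case from the paragraph above, as an added example that is not code from the original article: a login handler that passes JSON body fields straight into a document-store query, beside the type-checked version. The tiny matcher imitates just enough MongoDB query semantics ($gt and $ne) to show why the {"$gt": ""} probe matches; the account records, field names and handler names are assumptions.

```javascript
// Added example, not code from the original article. Account records, field
// names and handler names are assumptions; the matcher models only $gt and $ne.

const ACCOUNTS = [                              // constructed sample data
  { username: 'admin', password: 'correct horse' },
  { username: 'alice', password: 'battery staple' },
];
// (A real app stores a password hash; the comparison happens inside the query
// here only so the injection is visible in a few lines.)

// Stand-in for a document-store matcher: a plain value must equal the field;
// an object is treated as a set of operators, and {$gt: ""} is true for every
// non-empty string, which is exactly what the probe relies on.
function fieldMatches(fieldValue, condition) {
  if (condition !== null && typeof condition === 'object') {
    return Object.entries(condition).every(([op, operand]) => {
      if (op === '$gt') return fieldValue > operand;
      if (op === '$ne') return fieldValue !== operand;
      throw new Error(`operator ${op} not modelled here`);
    });
  }
  return fieldValue === condition;
}
function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond)));
  return hit ?? null;
}

// Vulnerable: whatever JSON.parse produced for each field goes into the query,
// so an object carrying operators replaces the expected string.
function loginUnsafe(body) {
  const user = findOne(ACCOUNTS, { username: body.username, password: body.password });
  return user ? { status: 200, user: user.username } : { status: 401 };
}

// Fixed: reject anything that is not a bounded plain string before it can
// reach the query. The query itself does not change.
function isPlainString(v) {
  return typeof v === 'string' && v.length > 0 && v.length <= 256;
}
function loginSafe(body) {
  if (!isPlainString(body.username) || !isPlainString(body.password)) {
    return { status: 400, error: 'username and password must be strings' };
  }
  const user = findOne(ACCOUNTS, { username: body.username, password: body.password });
  return user ? { status: 200, user: user.username } : { status: 401 };
}

// Request bodies as they arrive after JSON.parse. The second is the probe from
// the article; the third puts an operator in both fields.
const HONEST_BODY = JSON.parse('{"username": "admin", "password": "correct horse"}');
const PROBE_BODY  = JSON.parse('{"username": "admin", "password": {"$gt": ""}}');
const PROBE_BODY2 = JSON.parse('{"username": {"$ne": ""}, "password": {"$ne": ""}}');

console.log('unsafe login, honest body:', loginUnsafe(HONEST_BODY));
console.log('unsafe login, probe body: ', loginUnsafe(PROBE_BODY));   // 200 as admin: bypass
console.log('safe login, probe body:   ', loginSafe(PROBE_BODY));     // 400, query never runs
```

The same rule generalises: every value that ends up in a query, whether from the JSON body, query string or route parameter, should be checked against the type the schema expects (a schema validator at the route boundary does this for every field at once). Parameterised queries are the equivalent fix for the SQL case; the point in both is that user input is data, never query structure.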

Test CSRF by crafting a simple HTML form on a different domain that submits to your app's API. If the action succeeds without the user's knowledge, your app lacks CSRF protection. AI-generated apps using cookie-based authentication without CSRF tokens are vulnerable. Check that all state-changing operations (POST, PUT, DELETE) require a CSRF token or use SameSite cookies.

Frequently Asked Questions

What are the most common security vulnerabilities in vibecoded apps?

Broken access control (accessing other users' data), XSS (unescaped user input), missing authentication on API routes, exposed environment variables, and hardcoded secrets in client-side code.

Do I need a professional security audit?

For apps handling sensitive data (payments, health, personal information), a professional audit is strongly recommended. For simpler apps, the basic tests in this guide will catch the most common and critical vulnerabilities.

How do I check if my app leaks sensitive data?

Inspect API responses for fields that should not be exposed (password hashes, internal IDs, other users' emails). Check browser DevTools for environment variables in client-side JavaScript. Also review error messages for stack traces or database details.
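The response checks in this answer, as an added example that is not code from the original article: a scanner that walks a parsed API response looking for field names that should never leave the server, values shaped like secrets, and stack traces, next to the allow-list serializer that prevents the leak in the first place. The sample response, the key list and the secret patterns are constructed for illustration.

```javascript
// Added example, not code from the original article. The sample row, the key
// list and the value patterns are constructed for illustration.

// Field names that should not appear in any response body.
const SENSITIVE_KEYS = /^(password(hash)?|passwd|salt|secret|token|api_?key|private_?key|stripe_secret)$/i;
// Value shapes worth flagging wherever they appear (constructed patterns).
const SECRET_VALUE = /(sk_(live|test)_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----)/;
const STACK_TRACE = /\n\s+at .+\(.+:\d+:\d+\)/;

// Recursively scan a parsed JSON body. Returns human-readable findings with a
// JSONPath-style location, so an empty array means nothing was flagged.
function scanResponse(body, path = '$') {
  const findings = [];
  if (Array.isArray(body)) {
    body.forEach((item, i) => findings.push(...scanResponse(item, `${path}[${i}]`)));
  } else if (body !== null && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      const here = `${path}.${key}`;
      if (SENSITIVE_KEYS.test(key)) findings.push(`${here}: sensitive field exposed`);
      findings.push(...scanResponse(value, here));
    }
  } else if (typeof body === 'string') {
    if (SECRET_VALUE.test(body)) findings.push(`${path}: value looks like a secret`);
    if (STACK_TRACE.test(body)) findings.push(`${path}: stack trace in response`);
  }
  return findings;
}

// The fix: build responses from an explicit allow-list of public fields
// instead of spreading the whole database row into the JSON, and return a
// generic error message while the real error goes to the server log.
function publicUser(row) {
  return { id: row.id, displayName: row.displayName };
}

// Constructed sample: a row leaked wholesale plus an unhandled-error message.
const USER_ROW = {
  id: 7, displayName: 'alice', email: 'alice@example.test',
  passwordHash: '$2b$10$EXAMPLEHASHVALUEEXAMPLEHASHVALUEEXAMPLE',
  stripe_secret: 'sk_test_EXAMPLE00000000000000',
};
const LEAKY_RESPONSE = {
  user: USER_ROW,
  error: 'TypeError: cannot read x\n    at handler (/srv/app/api/users.js:42:13)',
};
const SAFE_RESPONSE = { user: publicUser(USER_ROW), error: 'internal error' };

console.log('leaky:', scanResponse(LEAKY_RESPONSE));
console.log('safe: ', scanResponse(SAFE_RESPONSE));   // []
```

Run the scanner over recorded responses from every endpoint, not just the ones you wrote by hand, since the leaks tend to live in routes that serialise a whole model. Emails are deliberately not in the key list: your own email on your own profile is fine, another user's email on a listing endpoint is not, and that is a judgement the access-control check has to make, not a pattern match.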
