Severity levels

Every detected issue is assigned a severity level:

- Critical: Immediate exploitation risk or user-blocking defect. Address before deployment.
- High: Significant security exposure or serious accessibility barrier. High priority.
- Medium: Notable risk or usability degradation. Should be addressed in the current sprint.
- Low: Minor issue or best-practice deviation. Address when bandwidth allows.
Security issues

Security issues are detected by the Security Agent and mapped to OWASP and industry-standard vulnerability categories.

| Category | Issues | Max Severity |
|---|---|---|
| Access Control | Unauthenticated access, privilege escalation, forced browsing, method bypass | Critical |
| Authentication | Default credentials, password spraying, rate limiting, weak passwords | Critical |
| Session Management | Session ID in URL, weak tokens, missing HttpOnly flag | Critical |
| Injection | XSS, SQL/NoSQL injection, ORM parameter extraction | High |
| Cryptography | Unencrypted pages, weak hashing, misconfigured headers, CORS, exposed secrets | Critical |
| Information Disclosure | Exposed files, server version leakage, verbose error pages, console logging | Critical |
| Input Validation | Unvalidated input fields | Low |
Quality issues

Quality issues are detected by the Quality Agent and focus on WCAG 2.1 accessibility compliance and general UX best practices.

| Category | Issues | Max Severity |
|---|---|---|
| Accessibility | Keyboard navigation, screen reader support, color contrast, text size | High |
| Forms | Labels, error messages, required field indicators | Critical |
| Navigation | Link clarity, navigation consistency, destructive action confirmation | Critical |
| Responsive Design | Touch targets, horizontal overflow, missing page titles | High |
How detection works

QAOS uses three detection methods:

Deterministic handlers

Fast, code-based checks that analyze the raw DOM, cookies, HTTP response headers, or JavaScript source for specific patterns. Examples: checking the `HttpOnly` flag on session cookies, scanning scripts for `Math.random()` used as a token generator.

LLM evaluation

The agent sends page state (DOM, screenshot, accessibility tree) to an LLM with a structured prompt asking it to evaluate the page against specific issue definitions. This catches context-dependent issues that code patterns alone can't detect.
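The two deterministic handlers named above, written out as an added example (this is illustrative code, not QAOS's own handlers): one parses `Set-Cookie` headers and flags session-looking cookies without `HttpOnly`, the other scans script source for `Math.random()` on the same statement as a token-like identifier. The session-cookie name list, the token-name pattern and the sample input are constructed assumptions.

```javascript
// Added example, not QAOS code. Both handlers return findings shaped like the
// page's table rows (category, issue, severity taken from the Session Management row).

// Assumed list of common session-cookie names.
const SESSION_COOKIE_RE = /^(sessionid|sid|session|jsessionid|phpsessid|connect\.sid)$/i;

// Handler 1: Set-Cookie headers for a session-looking cookie that lacks HttpOnly.
function checkSessionCookies(setCookieHeaders) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const parts = header.split(';').map(s => s.trim());
    const name = parts[0].split('=')[0];
    // Attribute names are case-insensitive; values (Path=/) are irrelevant here.
    const attrs = new Set(parts.slice(1).map(a => a.split('=')[0].toLowerCase()));
    if (SESSION_COOKIE_RE.test(name) && !attrs.has('httponly')) {
      findings.push({ category: 'Session Management', issue: 'missing HttpOnly flag',
                      cookie: name, severity: 'Critical' });
    }
  }
  return findings;
}

// Assumed pattern for identifiers that suggest a security-relevant value.
const TOKEN_NAME_RE = /\b\w*(token|nonce|secret|session|csrf)\w*\b/i;

// Handler 2: Math.random() used on a line that also names a token-like variable.
function checkRandomTokens(scriptSource) {
  const findings = [];
  scriptSource.split('\n').forEach((line, i) => {
    if (/Math\.random\s*\(/.test(line) && TOKEN_NAME_RE.test(line)) {
      findings.push({ category: 'Session Management', issue: 'weak token (Math.random)',
                      line: i + 1, severity: 'Critical' });
    }
  });
  return findings;
}

// Constructed sample input: three response cookies and a three-line script.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure',            // session cookie, no HttpOnly: flagged
  'csrftoken=xyz; Path=/; HttpOnly; SameSite=Lax', // has HttpOnly
  'theme=dark; Path=/',                          // not a session cookie
];
const SAMPLE_SCRIPT = [
  'const x = Math.random();',                            // harmless use, not flagged
  'const csrfToken = Math.random().toString(36).slice(2);', // flagged on line 2
  'const id = crypto.randomUUID();',
].join('\n');

console.log(checkSessionCookies(SAMPLE_HEADERS), checkRandomTokens(SAMPLE_SCRIPT));
```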