Fabrizio Pastore

Fabrizio Pastore received his PhD degree from the University of Milano – Bicocca, Italy, in 2010. His research interests are in software engineering, focusing on software testing and program analysis. Fabrizio Pastore has worked as an assistant professor at the University of Milano – Bicocca, as a research associate at SnT, and as a post-doctoral researcher at the University of Lugano (Switzerland). Fabrizio is now part of the Software Verification and Validation group.

Sessions

10-10
17:30
30min
Automated Metamorphic Security Testing
Fabrizio Pastore

We present Metamorphic Security Testing (MST), a testing automation approach that integrates test input generation strategies inspired by mutational fuzzing and automatically detects vulnerabilities by verifying general relations that should always hold between the outputs produced for valid and mutated inputs. It enables engineers to specify metamorphic relations (MRs) that capture how to modify a valid input as an attacker would, and that specify the relation expected between the outputs of the valid and the modified input. We developed a framework that integrates an Eclipse plugin to specify MRs and automatically tests the system under test. Further, we defined a catalogue of 76 system-agnostic MRs for Web systems that can discover 45% of the vulnerability types concerning violations of MITRE security design principles. Our empirical results show that MST can detect 85% of the vulnerabilities in Joomla and Jenkins with few false alarms. Ongoing research includes the automated generation of MRs from specification documents by leveraging large language models.
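The following is an added illustration of the MST idea described above, not code from the speaker's framework or its MR catalogue: a single constructed metamorphic relation (drop the credentials from a valid authenticated request; the mutated request must not be answered with the same successful response) run over a toy web handler with one constructed access-control defect. All names, endpoints and tokens are assumptions made up for the example.

```python
"""Minimal metamorphic security test: one MR over a toy system under test."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def toy_app(req: Request) -> Response:
    """Constructed system under test: /account checks credentials,
    /admin/export forgets to, which is the flaw the MR should surface."""
    if req.path == "/account":
        if req.headers.get("Authorization") != "Bearer user-token":
            return Response(401, "unauthorized")
        return Response(200, "account data")
    if req.path == "/admin/export":
        return Response(200, "all users")  # missing authorization check
    return Response(404, "not found")


def mr_strip_auth(valid: Request) -> Request:
    """Input transformation of the MR: the follow-up input is the valid
    request with its Authorization header removed."""
    headers = {k: v for k, v in valid.headers.items() if k != "Authorization"}
    return Request(valid.path, headers)


def relation_strip_auth(valid_out: Response, mutated_out: Response) -> bool:
    """Output relation of the MR: an unauthenticated follow-up must never
    receive the same successful response as the authenticated source."""
    return not (mutated_out.status == 200 and mutated_out == valid_out)


def run_mst(system, valid_inputs, mutate, relation) -> list:
    """Apply one MR to every valid input; return paths where it is violated."""
    violations = []
    for source in valid_inputs:
        follow_up = mutate(source)
        if not relation(system(source), system(follow_up)):
            violations.append(source.path)
    return violations


if __name__ == "__main__":
    auth = {"Authorization": "Bearer user-token"}
    inputs = [Request("/account", dict(auth)), Request("/admin/export", dict(auth))]
    print(run_mst(toy_app, inputs, mr_strip_auth, relation_strip_auth))
```

A real MR catalogue replaces `toy_app` with HTTP requests to the deployed system and `mr_strip_auth` with the attacker-inspired mutations the page refers to; the `run_mst` loop is the same.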

Cybersecurity Track
Room C1.03.05