
In practice, you're unlikely to be charged for good-faith testing of someone else's system without their permission, especially if you're not an idiot and you don't ransom off your findings to the company. Also, many sites explicitly offer permission to security researchers to test their sites.

However, I believe it remains black-letter illegal to "test" websites for security flaws in such a way where you actually exploit flaws and gain access to internals or sensitive data.

Either way, don't do it. If you don't have permission (Google, for instance, gives blanket permission for testing), don't fuck with other people's web apps. It's very difficult to ensure that any kind of security testing, outside of really basic stuff like CSRF, won't disrupt the site; even silly XSS vectors can get cached in backends and replayed to other customers. You're unlikely to pick up a felony charge for doing this, but you can be sued.