Enumarate Subdomain - passive (subfinder or Sub-Drill) Subdomain bruteforce - active (amaas or knockpy with wordlist) Permute subdomains with gotator check subdomain takeover (nuclie-takeover) Check for cloud asset (cloud_enum) get all ips from shodan and censys Identify alive subdomains with httpx techcnologys,status,servers..etc Take screenshots

Identify web server, technologies and database and clssifiy httpx reuslts Try to locate /robots.txt , /crossdomain.xml , /clientaccesspolicy.xml , /sitemap.xml and , /.well-known/ Directory enumration (ffuf and worldlsits search for heddin dirs) Review comments on source code (Burp Engagement Tools) githubDork _leaks,apiKeys,mails,usernames,passwors,db(gitdorkgo) Identify WAF Get urls (gauplus ,waybackurls,paramspider) Automatic XSS finder (kxss ,dalfox) Locate admin and login panels Broken link hijacking(blc tool) Get all JS files(subjs,xlinkFinder)) JS hardcoded APIs and secrets(nuclie-tokens) JS analysis(getJSword) Run automated scanner(nuclie) Test CORS (CORScanner,crosy)

Open ports with (shodan smap, nmap ) Check UDP ports service scan for open ports (smb,ftb,ssh,rdp)scriptscan and bruteforce

Fuzz all request parameters (if got user, add headers to fuzzer) Identify all reflected data and try rxss HTTP headr injection in GET & POST (X Forwarded Host) RCE via Referer Header SQL injection and blind xxs via User-Agent Header xsshunter Arbitrary redirection on path ///.evil.com/ or after login Stored attacks xss in uname any stored parameters OS command injection Path Traversal rfi or lfi (fimap) Script injection (php asp) SMTP injection SOAP injection LDAP injection SSI Injection Sqli in params login injection with ' and '--+- HTTP requist Smuggling (loop all urls in smuggler.py ) SSRF in previously discovered open ports (ffuf,ssrf.py) XPath injection xmlrpc.php DOS and user enumeration HTTP methods OPTIONS ,PUT ,DELETE may lead to rce Try to discover hidden parameters(arjun) in any request, change content-type to text/xml test File Uploads (svg for xxs ,php,asp for rce) Test that acceptable file types are whitelisted -Test that file size limits, upload frequency and total file counts are defined and are enforced Test that file contents match the defined file type and filenames are sanitised Test that uploaded files are not directly accessible within the web root

Access custom pages like /whatever_fake.php (.aspx,.html,.etc) Add multiple parameters in GET and POST request using different values Add "[]", "]]", and "[[" in cookie values and parameter values to create errors Generate error by giving input as "/~randomthing/%s" at the end of URL Use Burp Intruder "Fuzzing Full" List in input to generate error codes Try different HTTP Verbs like PATCH, DEBUG or wrong like FAKE

Duplicate registration (try with uppercase, spaces,+1@..., dots in name, etc) Overwrite existing user (existing user takeover) Long password (>200) leads to DoS TCorrupt authentication and session defects: Sign up, don't verify, request change password, change, check if account is active Try to re-register repeating same request with same password and different password too If JSON request, add comma {“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”} Lack of confirmation -> try to register with company email Check OAuth with social media registration and Check state parameter on social media registration Check redirections in register page after login Rate limit on account creation XSS on name ,email or addres or any data Email attacks XSS(<script src=//xsshere?"@email.com),Template injection,SQLi,ssrf(john.doe@abc123.burpcollab)

Username enumeration Account recovery function Remember me" function Fail-open conditions Auto-complete testing Lack of password confirmation on change email, password or 2FA (try change response) Weak login function over HTTP and HTTPS if both are available User account lockout mechanism on brute force attack Check Oauth for open redirection Test password change process Test for logout functionality presence In OTP check guessable codes and race conditions OTP, check response manipulation for bypass OTP, try bruteforce if JWT check common flows After register, logout, clean cache, go to home page and paste your profile url in browser, check for "login?next=accounts/profile" for open redirect or XSS with "/login?next=javascript:alert(1);//" Try login with common credentials OTP, try bruteforce

Invalidate session on Logout and Password reset Uniqueness of forget password reset link/code Remember me" function Reset links expiration time Find user id or other sensitive fields in reset link and tamper them Request 2 reset passwords links and use the older Check if many requests have sequential tokens Use username@burp_collab.net and analyze the callback Host header injection for token leakage Add X-Forwarded-Host: evil.com to receive the reset link with evil.com Email crafting like victim@gmail.com@target.com User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com No rate limit, capture request and send over 1000 times Check encryption in reset password token Token leak in referer header After register, logout, clean cache, go to home page and paste your profile url in browser, check for "login?next=accounts/profile" for open redirect or XSS with "/login?next=javascript:alert(1);//" Try login with common credentials OTP, try bruteforce

Find parameter with user id and try to tamper in order to get the details of other users Create a list of features that are pertaining to a user account only and try CSRF Change email id and update with any existing email id. Check if its getting validated on server or not Reset links expiration time Check any new email confirmation link and what if user doesn't confirm. File upload No Size Limit, File extension, Filter Bypass (burp uploaderextension,) RCE :) CSV import/export: Command Injection, XSS, macro injections Check profile picture URL and find email id/user info or exif data Imagetragick in picture profile upload Account deletion option and try to reactivate with "Forgot password" feature Email crafting like victim@gmail.com@target.com User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com Try bruteforce enumeration when change any user unique parameter. Check encryption in reset password token Token leak in referer header After register, logout, clean cache, go to home page and paste your profile url in browser, check for "login?next=accounts/profile" for open redirect or XSS with "/login?next=javascript:alert(1);//" Try login with common credentials stored xss,profile photo