- What stack/languages are used?
- What server is running the application?
- Is there a WAF?
- What additional libraries are used? Are there known exploits for these libraries? Custom JS libraries?
- Is there Authentication?
  - Username
  - OAuth
  - OAuth w/ OpenID Connect
  - SSO
  - MFA
  - Reset Password
  - OTP
- What Objects are used?
- How is the session established?
  - Cookie?
  - Bearer Token?
  - JWT?
  - Is it serialized? (Java, PHP, .NET, Python)
- Are there useful comments?
- How does it handle special characters?
- Can you trigger any error messages?
  - Send malicious characters to every parameter
    - Emojis
    - List of naughty strings (SecLists)
  - Change parameters to an array, e.g. http://example.com/search.php?q[]=test
- What common features are present?
  - Edit Profile
  - Email/Messaging
  - File Upload
  - Shopping/Checkout
  - Webhook
  - Flight/Hotel Booking
  - Banking
- How is a user identified?
- Are there multiple user roles?
- Is there an API?
- Is there a Content Management System?
- Is there a Content Security Policy?
- Is CORS implemented?
- Is Captcha used?
- Are WebSockets used?
- Is the source code publicly available?
- What ports are open?
- What services are running on those ports?
- Is it hosted in the cloud?
  - Check the org's ASN numbers
  - Check the IP against known AWS/Azure IP ranges
- Is it hosting multiple apps via virtual hosting (vhosts)?
- What is the OS?
- Can you get the kernel version?
- Which part of CRUD does the endpoint perform (create/read/update/delete)?
- What HTTP request methods can be used? (GET/POST/PUT/DELETE/etc.)
- What parameters can be used?
- Open Redirect? If yes:
  - Can you redirect to different paths?
  - Can you redirect to different subdomains?
  - Can you redirect to different domains?
- Reflected user-controlled data? If yes:
  - HTMLi?
  - XSS?
  - SSTI?
- CSRF? If yes:
  - What can we do with this endpoint?
  - Is this endpoint an open redirect?
- Change HTTP Verb? If yes:
  - Does the endpoint work the same way when the verb is changed?
  - Are any parameters rejected?
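Several of the questions above (stack headers, how the session is carried and whether the token is a JWT or a serialized object, whether a CSP is set, how CORS is configured, leftover HTML comments) can be answered from a single captured response. The script below is an added example for this checklist, not code from the original page; the HTTP response, the JWT and the cookie values in it are constructed, and only the format signatures it matches on (the base64url JOSE header, `rO0AB` for a Java serialization stream, `/wE` for .NET ViewState, PHP `a:`/`O:`/`s:` prefixes, the pickle `0x80` PROTO opcode) are real, well-known formats.

```python
"""Answer recon-checklist questions from one captured HTTP response.
Added example; all sample input below is constructed."""
import base64
import json
import re
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed JWT with a made-up signature (no real secret involved).
SAMPLE_JWT = ".".join([
    b64url(b'{"alg":"HS256","typ":"JWT"}'),
    b64url(b'{"sub":"1234","role":"user"}'),
    b64url(b"constructed-signature"),
])

# Constructed response. "rO0AB" is base64 of the Java stream header 0xACED0005;
# the rest of that cookie value is filler.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    f"Set-Cookie: session={SAMPLE_JWT}; Path=/\r\n"
    "Set-Cookie: legacy=rO0ABXNyAA; Path=/; HttpOnly\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><!-- TODO: legacy auth still enabled --><body>hi</body></html>"
)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def jwt_header(token: str) -> Optional[dict]:
    """Decoded JOSE header if `token` is shaped like a JWT, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None
    return header if isinstance(header, dict) and "alg" in header else None


def classify_token(value: str) -> str:
    """Heuristic classification of a session/token value by format signature."""
    if jwt_header(value) is not None:
        return "jwt"
    if re.match(r"^[aOs]:\d+:", value):   # PHP serialize() output
        return "php-serialized"
    if value.startswith("rO0AB"):           # Java: 0xACED0005 in base64
        return "java-serialized"
    if value.startswith("/wE"):             # .NET ViewState: 0xFF01 in base64
        return "dotnet-viewstate"
    try:
        raw = b64url_decode(value)
    except ValueError:
        raw = b""
    if raw[:1] == b"\x80":                  # pickle protocol >= 2 starts with PROTO
        return "python-pickle"
    return "opaque"


def analyze_response(raw: str) -> dict:
    """Stack, session, CSP, CORS and comment findings from one response."""
    _, headers, body = parse_response(raw)

    def get(name: str):
        return [v for n, v in headers if n.lower() == name.lower()]

    session = []
    for cookie in get("Set-Cookie"):
        name, _, rest = cookie.partition("=")
        value, *attrs = [p.strip() for p in rest.split(";")]
        flags = {a.lower() for a in attrs}
        session.append({"cookie": name.strip(), "kind": classify_token(value),
                        "secure": "secure" in flags, "httponly": "httponly" in flags})

    return {
        "server": (get("Server") or [None])[0],
        "powered_by": (get("X-Powered-By") or [None])[0],
        "csp_present": bool(get("Content-Security-Policy")),
        "cors": {
            "allow_origin": (get("Access-Control-Allow-Origin") or [None])[0],
            "allow_credentials": (get("Access-Control-Allow-Credentials") or [""])[0].lower() == "true",
        },
        "session": session,
        "html_comments": [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)],
    }


if __name__ == "__main__":
    print(json.dumps(analyze_response(SAMPLE_RESPONSE), indent=2))
```

Run it against a saved response from a test build and each finding maps back to a checklist item: a cookie classified as a serialized object is a deserialization exposure to fix (replace it with an opaque, server-side session id), a JWT cookie without `HttpOnly`/`Secure` is a hardening gap, a missing CSP is a missing XSS mitigation, and a wildcard `Access-Control-Allow-Origin` together with `Allow-Credentials: true` is a misconfiguration even though browsers refuse that exact pair. Whether the server reflects arbitrary origins needs a second request with a different `Origin` header, which one captured response cannot show.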