Cross-Site Scripting (XSS)

Reflected XSS:

• Look for parameters and user inputs that are reflected back in the page without proper encoding.
• Use fuzzing with a list of XSS payloads to test how inputs are sanitized.

Stored XSS:

• Test all inputs that could be stored and displayed to other users (comments, profiles, etc.).
• Pay special attention to rich-text fields which may allow HTML content.

DOM-based XSS:

• Investigate client-side scripts to identify points where user-supplied input may modify the DOM.
• Use tools like browser development tools to track how JavaScript manipulates user input.

Cross-Site Request Forgery (CSRF)

Simple CSRF:

• Check for forms and state-changing requests that do not have CSRF tokens or other anti-CSRF mechanisms.
• Attempt to craft malicious requests that could be sent from an attacker-controlled site.

SQL Injection

Basic SQL Injection:

• Input classic payloads like ' OR '1'='1 to see if inputs are directly placed into SQL queries.
• Observe error messages for hints about the database structure.

Blind SQL Injection:

• Use time-based techniques to infer data, such as adding SLEEP(5) commands and seeing if the page response is delayed.
• Employ automated tools like SQLmap for systematic testing.

File Inclusion Vulnerabilities

Local File Inclusion (LFI):

• Test file parameters with local paths (../../etc/passwd) to read local files.
• Look for scripts that include files based on user input without proper sanitization.

Remote File Inclusion (RFI):

• Where input is used to construct file URLs, attempt to replace these with external URLs to your own server.

Insecure Direct Object References (IDOR)

IDOR:

• Try changing parameters like user IDs in the URL or hidden fields to access data belonging to other users.
• Test incrementing numerical IDs or substituting filenames to access unauthorized data.

Security Misconfiguration

Directory Listing:

• Check if directory listing is enabled by accessing directories directly.
• Look for backup files or directories that are not meant to be public.

Unprotected Files and Directories:

• Enumerate common directory and file names to discover unprotected resources.

Default Credentials:

• Try logging in with default username/password combinations for common software.

Sensitive Data Exposure

Weak Encryption:

• Look for data transmission over HTTP or weak encryption methods.
• Check password reset functionalities and how they handle user information.

Improperly Protected Credentials and Session Tokens:

• Check for hard-coded credentials in client-side code.
• Test for session tokens that don't expire or aren't properly protected with secure flags.

XML External Entity (XXE) Injection

Basic XXE:

• Where applications parse XML, try to introduce DOCTYPE elements that define external entities containing file URIs.
• Test error messages for information leakage that might confirm the XXE.

Broken Authentication and Session Management

Session Hijacking:

• Look for cookies that are not protected with Secure and HttpOnly flags.
• Test session invalidation during logout and password change operations.

Credential Stuffing:

• Where rate limiting is not in place, check how the application handles automated login attempts with known email/password combinations.

Server-Side Request Forgery (SSRF)

Basic Internal Network Probing:

• Use payloads that call back to your server (http://yourserver.com) to see if the application fetches external resources.
• Attempt to access internal IP addresses (http://127.0.0.1, http://192.168.x.x) through the vulnerable application.

Exploitation of Poorly Secured HTTP Clients:

• Test different schema like file://, dict://, ftp:// to access local resources or make unexpected protocol requests.