Web Applications

Check for SQL Injection

• Check all inputs

• Check all url params

Check for XSS

• Look for any input that is reflected on the page

• Look for any input that is stored and output

Check for Insecure File Uploads

• Look for any file upload areas

Enumerate directories and files

• Gobuster, feroxbuster, and ffuf for directories and files

Grab requests with BurpSuite

• Store any requests that look interesting, login, register, submitting forms, etc.