- Content Spoofing or HTML injection
- Referer leakage
- Security headers
- Path disclosure
- Clickjacking
- ++
How can you get maximum results within a given time window?
- Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings
- Scan those specific functions with Burp’s built-in scanner
- Check your session cookie, log out, check it again, log in, check it again. Then submit the old cookie and see whether it still grants access.
- Perform user enumeration checks on login, registration, and password reset.
- Do a password reset and see whether: the password comes back in plaintext, the reset uses a URL-based token, the token is predictable, the token can be used multiple times, or the reset logs you in automatically.
- Find numeric account identifiers anywhere in URLs and rotate them to check for a context change.
- Find the security-sensitive function(s) or files and see whether they are vulnerable to unauthenticated browsing (IDORs), lower-privilege browsing, CSRF, or CSRF-protection bypass, and whether they can be reached over plain HTTP.
- Directory brute-force using the top short wordlist from SecLists.
- Check upload functions for alternate file types that can execute code (XSS or PHP, etc.).
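The cookie and password-reset items above are, from the other side, the properties a safe implementation must have. The following added example (not from the original page) is a hypothetical minimal session/reset-token store plus an `audit()` that mirrors those checklist items: old cookie rejected after logout, fresh session id per login, reset token single-use, expiring, and unpredictable.

```python
import hashlib
import secrets
import time

class AuthStore:
    """Hypothetical minimal session/reset-token store written for this example."""
    RESET_TTL = 15 * 60  # seconds a reset token stays valid
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # session id -> user id
        self._reset = {}     # sha256(token) -> (user id, expiry)
    def login(self, user_id):
        sid = secrets.token_urlsafe(32)  # fresh id on every login, never reused
        self._sessions[sid] = user_id
        return sid
    def logout(self, sid):
        self._sessions.pop(sid, None)  # invalidate server-side, not just clear the cookie
    def whoami(self, sid):
        return self._sessions.get(sid)
    def issue_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self._reset[digest] = (user_id, self._now() + self.RESET_TTL)
        return token
    def redeem_reset(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._reset.pop(digest, None)  # pop: each token redeems at most once
        if entry is None:
            return None
        user_id, expiry = entry
        return user_id if self._now() <= expiry else None

def audit():
    """Run the checklist's cookie and reset-token checks; True means the store behaves safely."""
    clock = [1_000_000.0]  # controllable clock so the expiry check is deterministic
    store = AuthStore(now=lambda: clock[0])
    old = store.login("alice")
    store.logout(old)
    new = store.login("alice")
    tok = store.issue_reset("alice")
    first, second = store.redeem_reset(tok), store.redeem_reset(tok)
    late = store.issue_reset("alice")
    clock[0] += AuthStore.RESET_TTL + 1  # advance past the TTL
    return {
        "old_cookie_rejected_after_logout": store.whoami(old) is None,
        "new_session_id_on_login": old != new and store.whoami(new) == "alice",
        "reset_token_single_use": first == "alice" and second is None,
        "reset_token_expires": store.redeem_reset(late) is None,
        "reset_tokens_unpredictable": len({store.issue_reset("bob") for _ in range(50)}) == 50,
    }
```

Any `False` in the returned dict corresponds directly to one of the checklist findings above.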