Methodology

1. What are the functionalities?

a) Authentication

  • Auth attacks (Intruder):

    • Response differences

    • Enumerating valid accounts

    • Time-based indicators

  • OAuth:

    • Study the flow

    • Look for vulnerabilities

  • Password reset:

    • Password reset poisoning: the reset link is built from the Host header, so it can be pointed at the exploit server

    • Additional headers

    • Host header injection bypasses
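As an added defensive example (not part of the original checklist), the handler below shows how a password reset flow sidesteps the Host header issue above: the reset link is built from a configured canonical origin rather than from Host, the incoming Host value is checked against an allowlist, and forwarding headers such as X-Forwarded-Host are ignored. CANONICAL_ORIGIN, ALLOWED_HOSTS and the reset path are constructed values for the example.

```python
import re
import secrets
from typing import Dict, Optional
from urllib.parse import quote

# Constructed configuration: the site's canonical public origin, fixed at
# deploy time, and the only Host values the application agrees to serve.
CANONICAL_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}

# Hostnames only: letters, digits, dots and hyphens. Anything else (an "@",
# a "/", a second ":") is rejected rather than cleaned up.
_HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def normalize_host(raw: Optional[str]) -> Optional[str]:
    """Lower-case the Host value and drop an optional :port.

    Returns None for a missing or malformed value so callers fail closed.
    """
    if raw is None:
        return None
    host = raw.strip().lower()
    if ":" in host:  # strip a port suffix (IPv6 literals are not expected)
        host = host.rsplit(":", 1)[0]
    return host if _HOST_RE.fullmatch(host) else None


def host_is_allowed(headers: Dict[str, str]) -> bool:
    """True only when the Host header is on the allowlist.

    X-Forwarded-Host and similar headers are deliberately not consulted:
    unless a trusted proxy strips them, they are client-controlled like Host.
    """
    host = normalize_host(headers.get("Host"))
    return host is not None and host in ALLOWED_HOSTS


def new_reset_token() -> str:
    """Unguessable single-use token to embed in the reset link."""
    return secrets.token_urlsafe(32)


def build_reset_link(headers: Dict[str, str], token: str) -> str:
    """Build the reset URL from the fixed canonical origin, never from Host."""
    if not host_is_allowed(headers):
        raise ValueError("unexpected Host header; refusing to issue reset link")
    return f"{CANONICAL_ORIGIN}/reset-password?token={quote(token, safe='')}"
```

Because the origin is a constant, a request carrying a foreign Host value cannot change where the e-mailed link points; such requests are refused outright, which also gives a clean event to alert on.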

b) Search function / Advanced search

  • XSS: May be linked to CSRF

  • SQLi: Less common in basic searches, more frequent in advanced search features

c) Viewing blog posts

  • LFI: If posts can only be viewed, look for requests that fetch files by name or path and test for path traversal

d) Commenting on blog posts

  • XSS: In the comment text, website field, or other user inputs

  • File upload: If file uploads are possible

e) Category filter

  • SQLi: In the ?category= parameter

f) Check stock function

  • XXE: Depends on how the input is submitted; worth checking even when the POST body carries ordinary data and parameters

  • XSS: There may be XSS vectors

  • SQLi: Often linked to XML

g) Update e-mail

  • CSRF: Check the cookies and the form for CSRF protections

h) Submit feedback

  • OS Command Injection: Commonly found in the email parameter

i) View details function, or other visible templates

  • SSTI: Use DOM Invader to identify potential vectors

j) API calls, JavaScript files pointing to APIs, POST with JSONs

  • IDOR: Modifying the returned data

  • API vulnerabilities

  • GraphQL vulnerabilities: Learn to work with GraphQL using Burp Suite to ease the analysis

k) Live chat

  • XSS: Injecting JavaScript into chat messages, manipulating the WebSocket handshake

  • CSRF


2. Missing functionalities?

  • Cookies, JWT, serialized objects

  • Cache response headers and poisoning

  • SSRF: Using Referer or other headers (e.g., X-Forwarded-Host)

  • Blind SQLi in the tracking cookie

  • HTTP request smuggling: Use the HTTP Request Smuggler extension — a must-have

  • DOM-based, reflected input: Use DOM Invader with Burp Browser

  • Access Control headers: Check CORS

  • CSRF: In various forms
