# Methodology

#### 1. What are the functionalities?

**a) Authentication**

* **Auth attacks (Intruder)**:
  * Response differences
  * Enumerating valid accounts
  * Time-based indicators
* **OAuth**:
  * Study the flow
  * Look for vulnerabilities
* **Password reset**:
  * Redirect the reset link to an exploit server by tampering with the Host header
  * Additional headers (e.g., `X-Forwarded-Host`)
  * Host header injection bypasses
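The password-reset item above, shown from the defender's side as an added example (not code from the original checklist): a reset link built from the request's Host header (or a forwarded-host header) follows whatever host the client sent, while the hardened variant builds it from a configured canonical origin and refuses unexpected hosts. All names, hosts and header dicts here are constructed for illustration.

```python
# Added example: why reset links must not be derived from the Host header.
# Hosts and settings are hypothetical; the "requests" are plain header dicts.
from urllib.parse import urlsplit

CANONICAL_ORIGIN = "https://shop.example"          # assumed deployment setting
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}  # assumed allowlist


def build_reset_link_naive(headers: dict, token: str) -> str:
    """Vulnerable pattern: trusts the client-supplied host.

    Frameworks and reverse-proxy helpers often honour X-Forwarded-Host
    before Host, so either header steers the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def host_is_allowed(headers: dict) -> bool:
    """Allowlist check on the Host header only.

    X-Forwarded-Host is deliberately ignored: it is attacker-controlled
    unless a trusted proxy is known to set it."""
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].strip().lower()  # drop any :port
    return hostname in ALLOWED_HOSTS


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link never depends on request headers.

    Raises ValueError when the Host header is not on the allowlist, so a
    spoofed request is refused rather than served."""
    if not host_is_allowed(headers):
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_host(link: str) -> str:
    """Hostname the reset e-mail would point the user at."""
    return urlsplit(link).hostname or ""


if __name__ == "__main__":
    spoofed = {"Host": "shop.example", "X-Forwarded-Host": "attacker.example"}
    print("naive   ->", link_host(build_reset_link_naive(spoofed, "t0k3n")))
    print("hardened->", link_host(build_reset_link_hardened(spoofed, "t0k3n")))
```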

**b) Search function / Advanced search**

* **XSS**: May be linked to **CSRF**
* **SQLi**: Less common in basic searches, more frequent in advanced search features

**c) Viewing blog posts**

* **LFI**: If the feature only displays posts, look for requests that load a file by name and attempt to traverse the file path in that parameter

**d) Commenting on blog posts**

* **XSS**: In the comment text, website field, or other user inputs
* **File upload**: If file uploads are possible

**e) Category filter**

* **SQLi**: In the `?category=` parameter

**f) Check stock function**

* **XXE**: Depends on how data is submitted; check even ordinary POST requests that carry a body and parameters
* **XSS**: There may be XSS vectors
* **SQLi**: Often linked to XML

**g) Update e-mail**

* **CSRF**: Analyze cookies for CSRF protections

**h) Submit feedback**

* **OS Command Injection**: Commonly found in the email parameter

**i) View details function, or other visible templates**

* **SSTI**: Use DOM Invader to identify potential vectors

**j) API calls, JavaScript files pointing to APIs, POST with JSONs**

* **IDOR**: Modifying the returned data
* **API vulnerabilities**
* **GraphQL vulnerabilities**: Learn to work with GraphQL using Burp Suite to ease the analysis

**k) Live chat**

* **XSS**: Injecting JavaScript code, manipulating the handshake
* **CSRF**

***

#### 2. Missing functionalities?

* **Cookies, JWT, serialized objects**
* **Cache response headers and poisoning**
* **SSRF**: Using Referer or other headers (e.g., `X-Forwarded-Host`)
* **Tracking cookie, blind SQLi**
* **HTTP request smuggling**: Use the HTTP Request Smuggler extension — a must-have
* **DOM-based, reflected input**: Use DOM Invader with Burp Browser
* **Access Control headers**: Check **CORS**
* **CSRF**: In various forms
