Exploration
- Analyse source code of the pages: landing page should always be analysed and all appearances of `script`, `location.href`, `window.location` and commented code scrutinized.
- Note down pages and interesting functionality (examples below):
- text reflected on the page -> candidate for XSS and template injection.
- login form -> test for injection and brute force protection.
- JWT tokens -> try to tamper with them.
- cart -> test for broken logic and race conditions.
- purchase history -> test for IDOR.
- verified accounts -> compare functionality for verified and unverified accounts.
- To compare verified and unverified accounts, you can navigate through the site in Firefox using the Multi-Account Containers extension.
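
A helper for the source-analysis step at the top of this list, as an added example that is not part of the original notes: it reports, with line numbers, each `script` tag, each `location.href` / `window.location` reference in inline scripts and attributes, and each HTML comment in a saved page. The names `SourceReview`, `review` and `SAMPLE` and the sample page itself are constructed for illustration.

```python
import re
from html.parser import HTMLParser
LOCATION_RE = re.compile(r"window\.location|location\.href")  # names from the checklist

class SourceReview(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            self.findings.append((line, "script", f"external: {src}" if src else "inline"))
        for name, value in attrs:  # inline handlers such as onclick count too
            if value and LOCATION_RE.search(value):
                self.findings.append((line, "location", f"{name}={value}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        base = self.getpos()[0]  # line where this chunk of text starts
        for m in LOCATION_RE.finditer(data if self._in_script else ""):
            self.findings.append((base + data.count("\n", 0, m.start()), "location", m.group(0)))

    def handle_comment(self, data):
        self.findings.append((self.getpos()[0], "comment", data.strip()))

def review(html):
    parser = SourceReview()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

SAMPLE = """<html><head><script src="/static/app.js"></script></head><body>
<!-- TODO: remove old redirect helper -->
<a href="#" onclick="location.href='/next'">go</a>
<script>
  var to = new URLSearchParams(window.location.search).get("to");
  if (to) { location.href = to; }
</script></body></html>"""  # constructed sample page, not from a real site

if __name__ == "__main__":
    for line, kind, detail in review(SAMPLE):
        print(f"line {line:>3}  {kind:<8}  {detail}")
```

External scripts are only listed by their `src`; each one has to be fetched and read separately, since its contents are not part of the page source.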