Web Applications

Widest attack surface and deepest section of this playbook. Organized by category rather than alphabetically because the categories reflect how you actually think about testing. You test authentication as a system, not individual bugs in isolation.

Authentication

How users prove who they are. Every auth implementation is custom in ways that matter.

• Login Bypass Patterns- Password Reset Flows- OAuth Misconfigurations- SSO & SAML Attacks- MFA Bypass- Session Management

Authorization

How the app decides what you're allowed to do. Most consistently rewarded bug class in my experience.

• IDOR Patterns- BOLA & BFLA- Privilege Escalation- Multi-Tenancy Bugs

Injection

Putting data where the application expects instructions.

• XSS - Reflected, stored, DOM, mXSS, framework-specific, WAF bypass
• SQL Injection - Error-based, blind, second-order, ORM-specific- Server-Side Template Injection- Host Header Injection- NoSQL Injection

SSRF

Making the server send requests on your behalf. Gateway to cloud metadata and internal networks.

• SSRF - Full methodology, bypass techniques, blind SSRF, cloud exploitation

Client-Side

Bugs that execute in the user's browser.

• CSRF- postMessage Vulnerabilities - Full methodology, origin bypass, widget exploitation
• CORS Misconfigurations- WebSocket Security- Subdomain Takeover- Clickjacking

Business Logic

The bugs no scanner will ever find.

• Race Conditions- Price & Quantity Manipulation- State Machine Bugs- Mass Assignment

Infrastructure

Server and proxy layer misconfigurations.

• Cache Poisoning- HTTP Request Smuggling- Open Redirect