Always obtain both API tokens (Bearer) and web session cookies — apps often have two parallel auth surfaces with different vulnerabilities
CRITICAL: Do NOT assume an endpoint is inaccessible because one variant fails. Many apps expose BOTH a web form AND a REST API variant of the same operation (e.g., /admin/export/{resource} web form + /api/v1/{resource}/export REST API). Parameter location may differ: the web form takes the POST body, the API takes the query string (?param=). Access control may also differ: the web form variant returns 302/405 while the API variant returns 200 OK. Always test BOTH variants. (Pattern: export/bulk CMDi is often hidden on the web form variant and exposed on the API variant.)
Inline <script> blocks in server-rendered pages contain DOM XSS sinks invisible to standalone JS file analysis
Test sort, order_by, filename, template params — not just q, search, id
Hidden flags (?debug=1, ?advanced=1, ?force=1) unlock unsafe behavior on many endpoints
Stored XSS is verifiable via curl: POST payload → GET rendered page → grep for unescaped HTML
Content-Type switching (JSON → form-urlencoded → XML) bypasses input validation on the same endpoint
Export/bulk CMDi: Filename and format parameters are passed to shell commands (zip, tar, convert, cat). Test BOTH the POST body (web form) and query string (REST API) variants. Test ALL 6 metacharacter variants (;sleep, |sleep, $(sleep), `sleep`, newline, &&sleep). Timing detection is mandatory even on generic error responses: the absence of command output does NOT mean the endpoint is not vulnerable.
Test logout and session fixation on EACH auth system independently (API tokens ≠ web sessions)
Session fixation: check if session ID changes after login
Rate limiting: send 20+ failed logins — many apps have no limit on the web login form
Webhook/callback SSRF: Requires the POST method + Bearer token auth + an Accept: application/json header (prevents a 302 redirect to login). Body: {"url": "http://..."} with Content-Type: application/json. Many webhook endpoints fail silently without the proper headers (they return a 302 to the login form instead of an error).
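The fix side of the export/bulk CMDi note above, as an added example that is not part of the original notes: one validator applied to the parameters whether they arrive in the web form's POST body or the API's query string, an allowlisted format, a strict basename check, and an argv list with no shell. The export directory, parameter names and archiver flags are assumptions.

```python
import re
import subprocess
from pathlib import Path

EXPORT_ROOT = Path("/srv/exports")  # assumed export directory
# Allowlisted formats mapped to a fixed argv prefix; the format string never reaches a shell.
ALLOWED_FORMATS = {"zip": ["zip", "-j"], "tar": ["tar", "-cf"]}
# Plain basename only: no slashes, no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def merge_export_params(body: dict, query: dict) -> dict:
    """Both variants (web form body, API query string) feed the same validator.
    The body wins on conflict; the point is that neither path skips the check."""
    merged = dict(query)
    merged.update(body)
    return {"filename": merged.get("filename", ""), "format": merged.get("format", "")}


def validate_export_params(filename: str, fmt: str) -> tuple[str, list[str]]:
    """Return (basename, argv prefix) or raise ValueError."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("unsupported format")
    # fullmatch (not search/match) so an embedded newline or trailing junk is rejected
    if not SAFE_NAME.fullmatch(filename) or filename in {".", ".."}:
        raise ValueError("invalid filename")
    return filename, list(ALLOWED_FORMATS[fmt])


def is_safe_export(filename: str, fmt: str) -> bool:
    try:
        validate_export_params(filename, fmt)
        return True
    except ValueError:
        return False


def build_export_argv(body: dict, query: dict) -> list[str]:
    """Build the command as an argv list; no string interpolation, no shell."""
    params = merge_export_params(body, query)
    name, argv = validate_export_params(params["filename"], params["format"])
    src = EXPORT_ROOT / name
    out = EXPORT_ROOT / f"{name}.{params['format']}"
    return argv + [str(out), str(src)]


def run_export(body: dict, query: dict) -> int:
    # shell=False is the default; stated explicitly because that is the whole fix.
    return subprocess.run(build_export_argv(body, query), shell=False, check=True, timeout=60).returncode
```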