Find subdomains, IP blocks and email addresses; theHarvester is a nice tool, e.g.: python theHarvester.py -d example.org -n -c -t -b google
There is a nice collection of OSINT tools at http://osintframework.com/, feed the harvester results there and recurse.
Find services, banners and versions; research CVEs and exploit-db for them.
Find the newest features and forgotten endpoints at https://web-beta.archive.org
$ dig guif.re <type> @18.104.22.168 # types: a, mx, ns, soa, srv, txt, axfr
$ dig -x guif.re # reverse lookup
Map their infrastructure: middleware, programming languages, backends, services. Wappalyzer (https://wappalyzer.com/) can help.
Find hidden folders and files. A nice wordlist for content-discovery fuzzing: https://c.darenet.org/nitemare/SecLists/tree/master/Discovery/Web_Content
$ dirb http://target wordlists/dirb/common.txt
$ nikto -host http://target
Spider/map all the functionalities of the application and discover hidden and default content, using both automated and manual crawling.
Identify data entry points and technologies used. What does the application do? How does it do it? Map the attack surface and dangerous functionalities, and how they are implemented. Note versions of the libraries and frameworks and their known CVEs.
Use Shodan to find similar apps and endpoints, and SSH key hashes.
Find previous vulnerabilities of the website. Recon-ng is a useful tool: use recon/domains-vulnerabilities/xssposed; set source example.org; run
Run automated scanning against the web app: Burp, nikto and dirb.
Find parameters being reflected; test for XSS, open redirection, header injection, etc.
Parsing of XML, JSON, or any other markup language that the application processes: test for injection attacks, SSRF, XPath injection, XXE and insecure direct object references.
Look for parameters encoded in base64 or other encodings; test again for injection attacks and insecure direct object references.
Test any client-side applet such as Flash, ActiveX and Silverlight.
Ensure anti-CSRF mitigations are in place for the main functionalities, as well as clickjacking mitigations.
If there is a binary that runs as root, it should be fetched over HTTPS only, and its checksum or signature should be verified against a public key.
basic auth brute force : $ nmap -d -vv -p 80 --script http-brute --script-args http-brute.path=/ www.example.org
SSL connection : $ openssl s_client -connect guif.re:443
Basic SSL ciphers check : $ nmap --script ssl-enum-ciphers -p 443 guif.re
Look for unsafe ciphers such as Triple-DES and Blowfish.
A very complete tool for SSL auditing is testssl.sh; it finds BEAST, FREAK, POODLE, Heartbleed, etc.
Test the CORS policy.
File uploads: an SVG can contain embedded XML that triggers SSRF or XXE.
Numeric and quoted SQLi, RCE, etc.
Security headers: X-XSS-Protection, HTTP Strict-Transport-Security (HSTS).
Password quality rules: length, character set allowed (alphanumeric, upper/lower case and special characters). Empty password? Empty username? 123456?
Test for username enumeration.
Test the account recovery functionality; look for SMTP header injection.
Does "remember me" expire?
Session token strength.
Test for session fixation.
Test removing your email address from your account and adding a new one; make sure the old one can no longer be used to recover the password or log in.
Try deleting the account, or performing other sensitive operations, without entering the password, in case you left your computer logged in.
Password brute-forcing resilience: does the application lock the account after some attempts?
Rate limiting in the change-password functionality: if you forgot to log out in a cyber cafe, the current password could be brute-forced through this feature.
Email verification links sent over HTTP.
Cookies: scope, HttpOnly, Secure flag.
Broken OAuth authentication: make sure ID tokens generated by Google or a third party are properly validated on the backend. https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
Other strange access control methods such as Referer validation (which can be bypassed: https://t.co/z84ajd7bmO)
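The security-header and cookie-flag items above, as an added example that is not part of the original checklist: it parses a captured HTTP response and reports cookies missing Secure/HttpOnly/SameSite, cookies whose Domain attribute widens their scope, and missing HSTS / X-XSS-Protection headers. The response is constructed for illustration; the function names are mine.

```python
# Added example, not from the original checklist. SAMPLE_RESPONSE is a
# constructed HTTP response; no network access is needed.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: remember_me=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=dark; Domain=.guif.re; Path=/
Content-Type: text/html
"""

def parse_headers(raw):
    """Return (name.lower(), value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookie(set_cookie):
    """Return (cookie_name, weaknesses) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")      # also sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")    # readable by injected script
    if "samesite" not in attrs:
        issues.append("missing SameSite")    # no browser-side CSRF defence
    if "domain" in attrs:                    # Domain= covers all subdomains
        issues.append("Domain=%s widens scope to subdomains" % attrs["domain"])
    return name, issues

def audit_response(raw):
    """Map 'headers' and each weak cookie name to the issues found."""
    headers = parse_headers(raw)
    present = {n for n, _ in headers}
    findings, header_issues = {}, []
    if "strict-transport-security" not in present:
        header_issues.append("missing Strict-Transport-Security")
    if "x-xss-protection" not in present:   # legacy; Chrome and Firefox ignore it
        header_issues.append("missing X-XSS-Protection (legacy header)")
    if header_issues:
        findings["headers"] = header_issues
    for n, v in headers:
        if n == "set-cookie":
            name, issues = audit_cookie(v)
            if issues:
                findings[name] = issues
    return findings
```

Run `audit_response(SAMPLE_RESPONSE)` to get a dict of findings; `remember_me` is absent from it because it carries every flag.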