====== Auxiliary ======

===== The vulns formerly known as "noise" =====

  * Content spoofing or HTML injection
  * Referer leakage
  * Security headers
  * Path disclosure
  * Clickjacking

===== How to test a web app in n minutes =====

How can you get maximum results within a given time window?

===== Data Driven Assessment (diminishing return FTW) =====

  - Visit the search, registration, contact, password reset, and comment forms and hit them with your polyglot strings.
  - Scan those specific functions with Burp's built-in scanner.
  - Check your cookie, log out, check the cookie again, log in, check it again. Submit the old cookie and see whether it still grants access.
  - Perform user enumeration checks on login, registration, and password reset.
  - Do a password reset and check whether the new password arrives in plaintext, whether a URL-based token is used, whether the token is predictable or can be used more than once, and whether it logs you in automatically.
  - Find numeric account identifiers anywhere in URLs and rotate them to check for a context change.
  - Find the security-sensitive function(s) or files and see if they are vulnerable to unauthenticated browsing (IDORs), lower-privilege browsing, CSRF, or CSRF protection bypass, and whether they can be reached over plain HTTP.
  - Directory brute-force with a top short list from SecLists.
  - Check upload functions for alternate file types that can execute code (XSS, PHP, etc.).
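Added example (not from the original page): the password-reset and user-enumeration items above describe what a tester looks for; this is what the server side looks like when it passes those checks. Tokens come from the OS CSPRNG, only their hash is stored, they are bound to one account, expire, and burn on first use, and the reset request returns the same message whether or not the address is registered. The class, function and store names, the 15-minute lifetime and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset token lives 15 minutes


class ResetTokenStore:
    """Server-side record of outstanding reset tokens (assumed in-memory)."""

    def __init__(self, now=time.time):
        self._now = now
        # sha256(token) -> (user_id, expires_at); the plaintext token is never kept
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh, unpredictable token for user_id and return it for
        out-of-band delivery. Nothing about it is derivable from the account."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Return True and burn the token if it is valid for user_id.
        Unknown, expired, already-used or wrong-account tokens all fail."""
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._now() > expires_at:
            del self._pending[key]
            return False
        # constant-time comparison so timing does not reveal which part failed
        if not hmac.compare_digest(owner.encode(), user_id.encode()):
            return False
        del self._pending[key]  # single use: a second redemption fails
        return True


OUTBOX = []  # stands in for the mail gateway in this example


def deliver_by_email(address: str, token: str) -> None:
    """Assumed out-of-band delivery; the token never appears in the HTTP response."""
    OUTBOX.append((address, token))


def request_reset(store: ResetTokenStore, known_users: dict, email: str) -> str:
    """Handle a reset request with a uniform response: the caller cannot tell
    from the reply (or from whether a token was issued) if the address exists."""
    user_id = known_users.get(email)
    if user_id is not None:
        deliver_by_email(email, store.issue(user_id))
    return "If that address is registered, a reset message has been sent."
```

The redemption endpoint should accept the token in a POST body and set a new password, not log the user in directly; `OUTBOX` is a constructed stand-in so the example runs offline.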
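Added example (not from the original page): the cookie check in step 3 of the list (check, log out, check, log in, check, replay the old cookie) passes only when sessions are tracked server-side. This in-memory store, written for illustration with assumed names and an assumed eight-hour lifetime, issues a new id on login, invalidates the id on logout rather than merely clearing the client's cookie, and resolves a replayed or expired id to no user.

```python
import secrets
import time

SESSION_LIFETIME_SECONDS = 8 * 3600  # assumed absolute session lifetime


class SessionStore:
    """Server-side session table (assumed in-memory for the example)."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sid -> {"user": str | None, "expires": float}

    def _new_sid(self) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable id from the OS CSPRNG
        self._sessions[sid] = {"user": None, "expires": self._now() + SESSION_LIFETIME_SECONDS}
        return sid

    def anonymous(self) -> str:
        """Pre-login session, e.g. for a CSRF token or a basket."""
        return self._new_sid()

    def login(self, old_sid: str, user_id: str) -> str:
        """Retire the pre-login id and issue a fresh one, so the id the
        browser held before authentication never becomes an authenticated
        session (this is the session-fixation defence)."""
        self._sessions.pop(old_sid, None)
        sid = self._new_sid()
        self._sessions[sid]["user"] = user_id
        return sid

    def logout(self, sid: str) -> None:
        """Invalidate on the server, not just by expiring the client's cookie."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str):
        """Resolve a presented cookie value. Unknown, logged-out and expired
        ids all resolve to None, so replaying an old cookie grants nothing."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() > s["expires"]:
            del self._sessions[sid]
            return None
        return s["user"]
```

Seen from the tester's side, the observable behaviour is: the cookie value changes on login, and the value captured before logout returns an unauthenticated page afterwards.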