====== Feature Testing Checklist ======

Test these feature areas on every program. Each has its own set of recurring vulnerabilities.

===== Registration =====

  * What information is required? Where is it reflected after signup?
  * What characters are allowed? Try ''<'', ''>'', ''"'' and a single quote in name fields.
  * Can you sign up with an ''@target.com'' address, or is the company domain blacklisted?
  * Revisit the register page while authenticated. Is there a redirect parameter?
  * Check the page source and JS files for hidden parameters.
  * Dork: ''site:example.com inurl:register inurl:&''
  * Mobile signup: different codebase? Different filtering?
  * ''myemail%00@email.com'': does null-byte truncation register you against a real account's address?

===== Login & Password Reset =====

  * Redirect parameter? Try ''returnUrl'', ''goto'', ''return_url'', ''back'', ''returnTo''.
  * Log in with ''myemail%00@email.com'': does truncation match the real email?
  * Social media login: check the OAuth flow for token leaks.
  * Mobile vs desktop login flow: are they different?
  * **Host header injection** in password reset: send ''Host: evil.com'' and check whether the reset link in the email is built from it.
  * IDOR in the reset flow: try injecting an ID parameter.
  * Rate limiting? (Check the program policy before testing.)

===== Account Updates =====

  * CSRF protection on profile updates? Test with blank and modified tokens.
  * ''<'', ''>'', ''"'' and single-quote handling: where are the characters reflected?
  * Mobile app updates vs desktop: different filtering?
  * Photo/video upload: where is it stored? Same domain? CDN?
  * Is a second confirmation required for an email or password change?
  * Can you update without entering the current password?

===== Developer Tools / API =====

  * Where is the API hosted? On AWS, an SSRF can reach the instance metadata endpoint at ''169.254.169.254''.
  * Webhooks available? They are an SSRF target.
  * Can you create your own app? Are its permissions enforced?
  * API docs/wiki: reveal endpoints, token format, and keywords for wordlists.
  * GraphQL? Is introspection enabled? ''{__schema{types{name}}}''
  * Test every endpoint with every HTTP method: GET, POST, PUT, DELETE, PATCH.

===== Main Site Features =====

  * Map all features top-down before attacking.
  * Same features on mobile vs desktop?
  * Paid vs free accounts: can a free account reach paid features?
  * **Oldest features**: old code means bugs.
  * New/upcoming features: check JS files, Twitter, newsletters.
  * Privacy settings: are they actually enforced server-side?
  * Permission levels (admin, mod, user, guest): test each level.

===== Payment Features =====

  * Access paid features without paying?
  * Payment info visible in the DOM? Chain XSS to leak it.
  * Different country payment options: is a sandbox credit card blocked?
  * Negative quantities and modified prices in the request body.
  * Race conditions on payment/coupon processing.

===== See Also =====

  * [[zseano:xss|XSS Testing]]
  * [[zseano:csrf|CSRF Testing]]
  * [[zseano:idor|IDOR Testing]]
  * [[zseano:auth_session|Auth & Session Bugs]]
  * [[zseano:logic_bugs|Business Logic]]
  * [[zseano:start|Methodology Index]]
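===== Worked Example: Login Redirect Parameter =====

Added example for the ''returnUrl''/''goto''/''back'' item in the Login section. It is not code from this checklist or from any program; it contrasts the string-prefix test that typically produces open redirects with a parser-based check, run over constructed bypass payloads. The host ''app.example.com'' and the sample values are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed application host for this example (not from the checklist).
APP_HOST = "app.example.com"

# Constructed values of the kind passed in returnUrl / goto / back after login.
# The first two are legitimate; the rest are open-redirect bypass attempts.
REDIRECT_SAMPLES = [
    "/account/settings",
    "https://app.example.com/dashboard",
    "//evil.example/phish",                  # scheme-relative URL
    "/\\evil.example/phish",                 # browsers treat "\" like "/"
    "///evil.example",                       # extra slashes collapse
    "https://app.example.com.evil.example",  # host prefix match
    "https://app.example.com@evil.example",  # allowed host sits in the userinfo
    "https://evil.example/?app.example.com",
    "javascript:alert(document.domain)",     # not an http(s) URL at all
]


def naive_is_safe(url: str) -> bool:
    """The prefix test that produces open redirects."""
    return url.startswith("/") or url.startswith("https://" + APP_HOST)


def strict_is_safe(url: str) -> bool:
    """Allow a same-site absolute URL or a local path with one leading slash."""
    # Reject backslashes and control characters before parsing: urlsplit
    # silently strips \t \r \n, and browsers turn "\" into "/".
    if not url or any(c in url for c in "\\\r\n\x00"):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # "//host" parses as a netloc and falls through to the host check;
        # "///host" parses as an empty netloc with path "/host", so the
        # raw string is tested here.
        return url.startswith("/") and not url.startswith("//")
    return (
        parts.scheme == "https"
        and parts.hostname == APP_HOST
        and parts.username is None
        and parts.password is None
    )


def compare(samples=REDIRECT_SAMPLES) -> dict:
    """Map each sample to (naive verdict, strict verdict)."""
    return {u: (naive_is_safe(u), strict_is_safe(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

Each value in ''REDIRECT_SAMPLES'' that the naive check accepts is a case worth sending to a target's redirect parameter; a backslash or an ''@'' in a value that still lands off-site is the bug.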
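===== Worked Example: Host Header in Password Reset =====

Added example for the Host header item in the Login & Password Reset section, not code from the checklist or from any program. A reset handler that builds its link from the request's ''Host'' (or ''X-Forwarded-Host'') header is shown beside one that validates the host against an allowlist. The host names, header sets and token are constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed deployment fact for this example (not from the checklist).
ALLOWED_HOSTS = {"app.example.com"}

# Constructed requests: a normal one, and two sent by an attacker who submits
# the victim's email address to the reset form with forged headers.
NORMAL_REQUEST = {"Host": "app.example.com"}
FORGED_HOST = {"Host": "evil.example"}
FORGED_FORWARDED = {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Build the link from whatever host the request claims.

    The victim's email then carries a link to the attacker's domain, which
    collects the token on click. Honouring X-Forwarded-Host without a trusted
    proxy in front makes it worse: Host can be correct while the forwarded
    header is forged, so a plain Host allowlist would not catch it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Accept only an allowlisted Host and never consult X-Forwarded-Host.

    Django's ALLOWED_HOSTS setting enforces the same rule framework-wide;
    simpler still is to ignore the request and use a configured origin."""
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {host!r}")
    return f"https://{host}/reset?token={token}"


def leaked_to(link: str) -> str:
    """Return the host that will receive the token when the link is clicked."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    for name, hdrs in [("normal", NORMAL_REQUEST), ("forged Host", FORGED_HOST),
                       ("forged X-Forwarded-Host", FORGED_FORWARDED)]:
        print(f"{name}: token goes to {leaked_to(reset_link_vulnerable(hdrs, 'T'))}")
```

When testing, request a reset for an account you control with both headers forged and read the link in the email; if the link's host follows either header, the token is recoverable by anyone who can make the victim click.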
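===== Worked Example: Webhook URL Validation (SSRF) =====

Added example for the webhook and metadata-endpoint items in the Developer Tools / API section, not code from the checklist or from any program. It shows the scheme-only check that lets a webhook reach ''169.254.169.254'' beside a check that resolves the host and rejects internal, loopback and link-local answers. The DNS table, host names and the list of blocked ranges are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table standing in for DNS so the example runs
# offline. The host names are invented for the example.
FAKE_DNS = {
    "hooks.partner.example": ["203.0.113.10"],
    "metadata.attacker.example": ["169.254.169.254"],         # alias for the metadata service
    "rebind.attacker.example": ["203.0.113.20", "10.0.0.5"],  # mixed public/internal answers
    "localhost": ["127.0.0.1"],
}

# Ranges a webhook sender must never connect to, listed explicitly so the
# policy is visible rather than hidden behind ipaddress.is_private.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # link-local; contains 169.254.169.254
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128",
    "fc00::/7",            # IPv6 ULA; contains the AWS IMDS IPv6 endpoint fd00:ec2::254
    "fe80::/10",
)]

# Constructed webhook URLs of the kind a partner or an attacker might register.
WEBHOOK_SAMPLES = [
    "https://hooks.partner.example/events",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://metadata.attacker.example/latest/meta-data/",
    "http://rebind.attacker.example/",
    "http://[::ffff:169.254.169.254]/latest/meta-data/",
    "http://[fd00:ec2::254]/latest/meta-data/",
    "http://localhost:8080/admin",
    "file:///etc/passwd",
]


def resolve_fake(hostname: str) -> list:
    """Stand-in resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(hostname))]
    except ValueError:
        return FAKE_DNS.get(hostname, [])


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)


def webhook_url_allowed_vulnerable(url: str) -> bool:
    """The check many apps ship: only the scheme is inspected."""
    return url.startswith(("http://", "https://"))


def webhook_url_allowed(url: str, resolve=resolve_fake) -> bool:
    """Scheme allowlist, then every address the host resolves to is checked."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)


def classify(samples=WEBHOOK_SAMPLES) -> dict:
    """Map each URL to (vulnerable verdict, hardened verdict)."""
    return {u: (webhook_url_allowed_vulnerable(u), webhook_url_allowed(u)) for u in samples}


if __name__ == "__main__":
    for url, (weak, strong) in classify().items():
        print(f"{'ALLOW' if strong else 'BLOCK'}  (scheme-only check: {weak})  {url}")
```

The addresses checked must be the ones the HTTP client actually connects to: resolving once for the check and again for the request leaves a DNS rebinding window, and a redirect returned by the webhook target needs the same check on every hop. As a tester, the URLs in ''WEBHOOK_SAMPLES'' are the shapes to register and then watch for a callback or an error message that leaks the response.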
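===== Worked Example: Price Tampering and Coupon Races =====

Added example for the modified-price/negative-quantity and race-condition items in the Payment Features section, not code from the checklist or from any program. A checkout that trusts client-supplied prices and quantities is shown beside one that prices from a server-side catalogue, and a coupon store that checks and then writes is raced against one that does the check-and-set under a lock. The catalogue, cart and coupon code are constructed; the barrier only makes the race window deterministic for the demonstration.

```python
import threading

# Constructed server-side data for the example (not from the checklist).
CATALOG = {"pro_plan": 4900, "sticker": 300}   # unit prices in cents

# Constructed attacker cart: the full-price item plus a negative quantity of a
# cheap item, with prices echoed from the client as many apps accept them.
TAMPERED_CART = [
    {"sku": "pro_plan", "price": 4900, "qty": 1},
    {"sku": "sticker", "price": 300, "qty": -20},
]


def total_vulnerable(items: list) -> int:
    """Sums price*qty exactly as sent; a tampered price or a negative qty
    lowers the charge, here to a net refund of 1100 cents."""
    return sum(i["price"] * i["qty"] for i in items)


def total_hardened(items: list) -> int:
    """Price comes from the catalogue; quantity must be a bounded positive int."""
    if not items:
        raise ValueError("empty cart")
    total = 0
    for i in items:
        sku, qty = i.get("sku"), i.get("qty")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if type(qty) is not int or not 1 <= qty <= 100:   # also rejects bools
            raise ValueError(f"bad quantity {qty!r}")
        total += CATALOG[sku] * qty
    return total


class CouponStore:
    """Single-use coupons. The barrier stands in for the latency between the
    database read and write that makes the race window reliably hittable."""

    def __init__(self):
        self.used = set()
        self.lock = threading.Lock()

    def redeem_racy(self, code: str, barrier: threading.Barrier) -> bool:
        if code in self.used:          # read: every concurrent request sees "unused" ...
            return False
        barrier.wait()                 # ... all of them pass the check ...
        self.used.add(code)            # ... and all of them write
        return True

    def redeem_atomic(self, code: str, barrier: threading.Barrier) -> bool:
        barrier.wait()
        with self.lock:                # check-and-set as one step; the SQL equivalent is
            if code in self.used:      # UPDATE coupons SET used=1 WHERE code=? AND used=0
                return False           # followed by a rowcount check
            self.used.add(code)
            return True


def race_redeem(method: str, n: int = 8, code: str = "SAVE20") -> int:
    """Fire n concurrent redemptions of one coupon; return how many succeeded."""
    store = CouponStore()
    barrier = threading.Barrier(n)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = getattr(store, method)(code, barrier)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("vulnerable total (cents):", total_vulnerable(TAMPERED_CART))
    print("racy redemptions:", race_redeem("redeem_racy"))
    print("atomic redemptions:", race_redeem("redeem_atomic"))
```

Against a live target the equivalent of ''race_redeem'' is sending the same redemption request many times in parallel and counting how many are accepted; for price tampering, rewrite the ''price'' field and the sign of ''qty'' in the request body and compare the charged total with the catalogue price.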