Feature Testing Checklist

Test these feature areas on every program. Each has common recurring vulnerabilities.

• What info is required? Where is it reflected after signup?
• What characters are allowed? < > “ '\ in name fields?
• Can you sign up with @target.com email – blacklisted?
• Revisit register page while authenticated – redirect parameter?
• Check page source and JS files for hidden parameters
• Dork: site:example.com inurl:register inurl:&
• Mobile signup – different codebase? Different filtering?
• myemail%00@email.com – null byte truncation to real account?

• Redirect parameter? Try returnUrl, goto, return_url, back, returnTo
• Login with myemail%00@email.com – truncation to real email?
• Social media login – check OAuth flow for token leaks
• Mobile vs desktop login flow
• Host header injection in password reset – Host: evil.com
• IDOR in reset flow: try injecting ID parameter
• Rate limiting? (check program policy before testing)

• CSRF protection on profile updates? Test blank/modified tokens
• < > ” '\ handling – where are characters reflected?
• Mobile app updates vs desktop – different filtering?
• Photo/video upload – where stored? Same domain? CDN?
• Is second confirmation required for email/password change?
• Can you update without entering current password?

• Where is the API hosted? AWS = try metadata endpoint
• Webhooks available? = SSRF target
• Can you create your own app? Are permissions enforced?
• API docs/wiki – reveals endpoints, token format, keywords for wordlists
• GraphQL? Introspection enabled? {__schema{types{name}}}
• Test every endpoint with all HTTP methods: GET, POST, PUT, DELETE, PATCH

• Map all features top-down before attacking
• Same features on mobile vs desktop?
• Paid vs free accounts – can free access paid features?
• Oldest features – old code = bugs
• New/upcoming features – check JS files, Twitter, newsletters
• Privacy settings – do they actually enforce on server side?
• Permission levels: admin, mod, user, guest – test each level

• Access paid features without paying?
• Payment info visible in DOM? Chain XSS to leak it
• Different country payment options – sandbox credit card not blocked?
• Negative quantities, modified prices in request body
• Race conditions on payment/coupon processing

• XSS Testing
• CSRF Testing
• IDOR Testing
• Auth & Session Bugs
• Business Logic
• Methodology Index