A parameter file=report.pdf returns files. Changing to ../../../../etc/passwd returns 500. Best next step?
Try traversal encodings and validate path handling safely; check error messages and app language.
LFI suspected. You can read /etc/passwd. What’s the safest next objective?
Confirm controlled file read; then, only if the engagement allows it, look for log/config files that could enable code execution.
Upload form accepts images only. You can upload .php but it’s renamed. Next step?
Test storage location, execution prevention, and whether double extensions/content-type checks can be bypassed safely.
Login endpoint returns a different error for valid users than for invalid ones. What finding is this and what’s next?
User enumeration; document and then test auth protections (lockout/MFA) carefully.
You see an id in a REST API path, /api/orders/123. Changing the ID returns another user’s order. What is this?
IDOR/broken access control; document impact with minimal sensitive data exposure.
A search box shows SQL errors when you enter '. What’s your next step?
Determine injection context and test minimally for UNION/error/blind behavior; aim for safe proof.
Blind SQLi suspected (no errors). What evidence can you use?
Boolean/time-based behavior differences (controlled delays) with minimal requests.
App reflects input in HTML. You suspect XSS. What’s a safe OSCP-style proof?
Show harmless script execution (e.g., alert) in your own session and document affected parameter/page.
A URL fetch feature requests arbitrary URLs. You suspect SSRF. Safest test?
Request a harmless internal endpoint/metadata without extracting secrets; document reachable scope.
You can execute ping via a command injection. What’s next?
Try minimal command execution proof and then aim for a stable shell only if allowed and safe.
Directory traversal lets you read app config that contains DB creds. What should you do?
Use creds to authenticate to DB/app as needed and document chain; minimize data access.
You found a JWT in localStorage with long expiry. What risk and next test?
Token theft equals prolonged access; test signature/alg settings only if authorized; recommend rotation/shorter TTL.
A web app behind a reverse proxy handles X-Forwarded-For headers. What security test matters?
Check for auth bypass/IP-trust misconfig (e.g., admin access by spoofed headers).