Approach:

There are a few fields controllable by the client:

• Parameters in URL
• Parameters in post body
• HTTP Headers
• HTTP Header contents

see also OWASP Attack Vector Analysis

Attack References

portswigger academy
OWASP vulnerabilitis OWASP attacks

Guide references

OWASP WSTG

Mitigation References

OWASP controls
OWASP Cheatsheets

moar references

• pentest book
• hacktricks
• hacktricks web

---

Table of contents

• Access Control
• Authentication
• Business Logic
• Clickjacking
• Command Injection
• Cross Origin Resource Sharing (CORS)
• Cross Site Request Forgery
• Deserialisation
• Directory traversal
• Extra
• File Upload
• HTTP Request Smuggling
• Host Header Attacks
• Information Disclosure
• SQLI
• SSRF
• Server Side Template Injection
• Web Cache Poisoning
• Websockets
• XSS
• XXE

---