- Fuzz the application
- Use testssl.sh to look for SSL/TLS issues and vulnerabilities
- Run Nikto, Nuclei, Dirsearch.py and BlackWidow against the target
- Check whether the application uses AngularJS; look for the version and its known vulnerabilities
- Check for a Content Security Policy
- Check for Cross-Origin Resource Sharing (CORS) misconfigurations
  - Change the Origin header domain and see whether it is reflected in the response (Access-Control-Allow-Origin), e.g. Origin: somerandomdomain.com
  - Add multiple Origin headers and see how the server responds
  - Add a port, special characters or null strings to the Origin value and observe the changes
- Look for Host header injection attacks
  - Add an extra Host header
  - Add an X-Forwarded-For: somerandomdomain.com header and see whether it is reflected
- Look for cached responses (filter for the keyword "Cache" in Burp HTTP history); web cache poisoning might be possible
- Check whether the HttpOnly and Secure flags are set on cookies, and whether HSTS is enabled
- Check if .git exists and see if you can use https://git