This is a personal list of things I have realized we have to verify or enumerate on a website we are analyzing for a pentest, a Capture The Flag (CTF) or any hacking challenge:
- Navigate through the page and read content
- Source code
- URL parameters
- Usernames
- robots.txt
- Subfolders
- Enumerate folders and some extensions (.php, .txt, .html)
- Enumerate interesting subfolders
- Verify cookies
- Create new users
- Try creating an account with usernames/e-mails that are already registered
- Headers
- Check for cmd
- Search for APIs
- Enumerate VHosts
The previous list, in that same order, has worked for me to look for vulnerabilities in TryHackMe challenges. I have used this method and it almost never fails (at the very least, we have to check these items in the enumeration stage), so I consider it the best way to begin any web analysis.
Once all items are checked (we don't need to check every one, just those found to be useful depending on the website), with all that harvested information we could find the versions of software used in the backend (for example with Wappalyzer), and finally search for vulnerabilities and potential exploits to get access to the system.
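As an added example that is not part of the original list, the script below takes a single captured HTTP response and pulls out the items the list says to look at first: the paths a robots.txt hides, the protective attributes a cookie is missing, the headers that disclose backend versions, and the URL parameters to test later. The robots.txt body, headers, cookie and URL are constructed sample values, not from any real site.

```python
# Added example: parse what one HTTP response gives away for the checklist items
# "robots.txt", "Verify cookies", "Headers" and "URL parameters".
# All sample input below is constructed for this example.
from __future__ import annotations
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed robots.txt body as a server might return it.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup.txt
Allow: /public/
"""

# Constructed response headers of a login page (versions are made up).
RESPONSE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Set-Cookie": "PHPSESSID=abc123; Path=/",
}

def robots_paths(body: str) -> list[str]:
    """Return the Disallow entries: paths the owner hides from crawlers but still serves."""
    paths = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def cookie_findings(set_cookie: str) -> dict[str, list[str]]:
    """Per cookie, list the protective attributes (Secure, HttpOnly, SameSite) that are missing."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return {name: [attr for attr in ("secure", "httponly", "samesite") if not morsel[attr]]
            for name, morsel in jar.items()}

def disclosure_headers(headers: dict[str, str]) -> dict[str, str]:
    """Headers that reveal backend software and versions, later used to search for known issues."""
    interesting = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
    return {k: v for k, v in headers.items() if k.lower() in interesting}

def url_parameters(url: str) -> dict[str, list[str]]:
    """Query-string parameters of a URL, blank values included: the inputs to test."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

if __name__ == "__main__":
    print(robots_paths(ROBOTS_TXT))
    print(cookie_findings(RESPONSE_HEADERS["Set-Cookie"]))
    print(disclosure_headers(RESPONSE_HEADERS))
    print(url_parameters("http://example.test/view.php?id=3&page="))
```

The same checks read in reverse for a defender: every Disallow path, missing cookie attribute and version header the script reports is something the site owner can remove or harden before an attacker enumerates it.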