List of the main check points that I try during any pentesting project
Domain Recon
[ ] Find subdomains
[ ] Check the CNAME records of those subdomains
[ ] Check for subdomain takeover (CNAMEs pointing at unclaimed third-party resources or at domains that no longer resolve)
[ ] Use waybackurls to collect historical URLs
[ ] Use masscan for port scanning
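The CNAME and takeover checks above, as an added example (not code from the original post): a small classifier that takes subdomain/CNAME pairs (collected with your subdomain enumerator and `dig`), checks whether the CNAME target still resolves, and, for a few well-known hosting services, whether the page served is the provider's "unclaimed resource" page. The service suffixes and fingerprint strings are an illustrative subset and are assumptions that should be verified against current provider behaviour; the sample records, DNS answers and page bodies are constructed so the logic runs offline.

```python
"""Flag subdomain-takeover candidates from CNAME records (added example)."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative subset: CNAME suffix -> text a dangling target serves.
# Assumption: these strings reflect provider behaviour at the time of writing.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}


@dataclass
class Finding:
    subdomain: str
    cname: str
    verdict: str   # "takeover-candidate" | "dangling" | "ok" | "no-cname"
    reason: str


def matched_service(cname: str) -> Optional[str]:
    """Return the fingerprinted service suffix the CNAME points at, if any."""
    host = cname.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def classify(subdomain: str, cname: str,
             resolves: Callable[[str], bool],
             fetch_body: Callable[[str], str]) -> Finding:
    """Decide whether a subdomain/CNAME pair looks takeover-able."""
    if not cname:
        return Finding(subdomain, "", "no-cname", "not a CNAME record")
    target = cname.rstrip(".").lower()
    service = matched_service(target)
    if service is None:
        if not resolves(target):
            # Unknown target that no longer exists: check if the domain is registrable.
            return Finding(subdomain, cname, "dangling", "CNAME target does not resolve")
        return Finding(subdomain, cname, "ok", "target resolves; no known fingerprint")
    if not resolves(target):
        return Finding(subdomain, cname, "takeover-candidate", f"{service} target has no DNS record")
    # Most providers keep a wildcard record, so the real signal is the error page.
    if FINGERPRINTS[service] in fetch_body(subdomain):
        return Finding(subdomain, cname, "takeover-candidate", f"{service} serves its unclaimed-resource page")
    return Finding(subdomain, cname, "ok", f"{service} target resolves and serves content")


def resolves_live(host: str) -> bool:
    """Live resolver for field use (stdlib only)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def fetch_body_live(host: str) -> str:
    """Fetch the first 64 KiB of the subdomain's front page, error pages included."""
    for scheme in ("https", "http"):
        try:
            with urllib.request.urlopen(f"{scheme}://{host}/", timeout=10) as resp:
                return resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read(65536).decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
    return ""


def scan(records: List[Tuple[str, str]],
         resolves: Callable[[str], bool] = resolves_live,
         fetch_body: Callable[[str], str] = fetch_body_live) -> List[Finding]:
    return [classify(sub, cname, resolves, fetch_body) for sub, cname in records]


# Constructed sample data (hypothetical names) so the classifier runs offline.
SAMPLE_RECORDS = [
    ("blog.example.com", "example-blog.github.io."),
    ("files.example.com", "old-assets.s3.amazonaws.com."),
    ("app.example.com", "prod-app.herokuapp.com."),
    ("shop.example.com", "shop.retired-vendor.example."),
    ("www.example.com", "lb.example.net."),
]
SAMPLE_DNS = {"example-blog.github.io": True, "old-assets.s3.amazonaws.com": True,
              "prod-app.herokuapp.com": True, "shop.retired-vendor.example": False,
              "lb.example.net": True}
SAMPLE_BODIES = {"blog.example.com": "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>",
                 "files.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
                 "app.example.com": "<html>Welcome to prod</html>",
                 "www.example.com": "<html>ok</html>"}


def scan_sample() -> List[Finding]:
    return scan(SAMPLE_RECORDS,
                resolves=lambda h: SAMPLE_DNS.get(h, False),
                fetch_body=lambda h: SAMPLE_BODIES.get(h, ""))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.verdict:18} {f.subdomain:20} -> {f.cname}  ({f.reason})")
```

A "takeover-candidate" still needs manual confirmation (try to claim the resource on the provider in a way your rules of engagement allow); a "dangling" verdict on an unknown target means checking whether the target's registrable domain is actually available.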
On the web app -
[ ] Check for CORS misconfiguration (reflected Origin, null origin, or loose subdomain matching combined with Access-Control-Allow-Credentials: true)
[ ] Check for email header injection in the password-reset function
[ ] Do GitHub recon (leaked credentials, internal hostnames, API keys in the org's repos and employees' repos)
[ ] Check for SMTP header injection and Host header injection (e.g. password-reset link poisoning)
[ ] Check whether pages can be framed (clickjacking): missing X-Frame-Options / CSP frame-ancestors
[ ] Check for improper access control and parameter tampering (IDs, prices, roles, user references)
[ ] Check for XSS and SSTI
[ ] Review Burp history to find endpoints
[ ] Use Arjun to find hidden parameters
[ ] Check for CSRF
[ ] Check for SSRF parameters (URLs, webhooks, file fetchers, PDF/image importers)
[ ] Check how the password-reset token is generated (predictability, entropy, expiry, single use)
[ ] Check for Unicode injection in the email parameter (normalisation/case-folding collisions with another account)
[ ] Check for rate-limit bypass via client-IP spoofing headers (if the limiter keys on a header it trusts, rotating the value resets the counter):
[ ] X-Originating-IP: <IP>
[ ] X-Forwarded-For: <IP>
[ ] X-Remote-IP: <IP>
[ ] X-Client-IP: <IP>
[ ] X-Remote-Addr: <IP>
[ ] X-Forwarded-Host: <host> (carries a hostname rather than an IP; mainly relevant to Host-header attacks, but worth trying here too)
[ ] Directory brute-force
[ ] Check for HTTP request smuggling
[ ] Check for open redirect using URLs collected with waybackurls
[ ] Check for social sign-on bypass
[ ] Check the state parameter in social sign-in (missing or unvalidated state enables login CSRF) and check whether injecting many or oversized cookies causes a DoS (cookie bombing)
[ ] File upload: check for CSRF, XSS (e.g. HTML/SVG uploads), SSRF, RCE, LFI, XXE
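The rate-limit bypass check from the header list above, as an added example (not code from the original post): a probe that fires a burst of requests at a login/OTP endpoint, first without any spoofing header and then once per header with a fresh fake source address on every request, and reports which headers stop the limiter from firing. The target URL, request body and `SimulatedLimiter` are assumptions; the simulated server stands in for a real target so the logic runs offline, with `http_sender` provided for live use.

```python
"""Probe for rate-limit bypass via client-IP spoofing headers (added example)."""
import urllib.error
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List

# Headers that some proxies, WAFs and apps wrongly trust as the client address.
SPOOF_HEADERS = [
    "X-Originating-IP",
    "X-Forwarded-For",
    "X-Remote-IP",
    "X-Client-IP",
    "X-Remote-Addr",
    "X-Forwarded-Host",  # hostname, not an IP; kept because the checklist lists it
]

Sender = Callable[[Dict[str, str]], int]  # request headers -> HTTP status code


def http_sender(url: str, body: bytes = b"user=alice&otp=000000") -> Sender:
    """Live sender for field use; URL and body are hypothetical placeholders."""
    def send(headers: Dict[str, str]) -> int:
        req = urllib.request.Request(url, data=body, method="POST", headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 429 is the interesting one
    return send


def probe(send: Sender, header: str, attempts: int) -> int:
    """Send `attempts` requests. With a header name, every request carries a
    fresh fake address, so a limiter keyed on that header never sees the same
    client twice. Returns the number of 429 responses."""
    blocked = 0
    for i in range(attempts):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if header:
            headers[header] = f"10.0.{i // 256}.{i % 256}"
        if send(headers) == 429:
            blocked += 1
    return blocked


def find_bypasses(sender_factory: Callable[[], Sender], attempts: int = 20) -> Dict[str, object]:
    """Compare a baseline burst against one burst per spoof header. A fresh
    sender (fresh server state) is used per run so counters don't carry over."""
    baseline = probe(sender_factory(), "", attempts)
    bypasses: List[str] = []
    if baseline:  # no 429s at baseline means there is no limiter to bypass
        bypasses = [h for h in SPOOF_HEADERS if probe(sender_factory(), h, attempts) == 0]
    return {"baseline_blocked": baseline, "bypasses": bypasses}


class SimulatedLimiter:
    """Constructed stand-in for the target: `limit` requests per client key,
    then 429. `trusted` lists headers the server wrongly uses as the client
    address; an empty list is the hardened case (key on the real peer address,
    or on an address set only by a trusted reverse proxy)."""

    def __init__(self, trusted: List[str], real_addr: str = "198.51.100.7", limit: int = 5):
        self.trusted, self.real_addr, self.limit = trusted, real_addr, limit
        self.counts: Dict[str, int] = defaultdict(int)

    def __call__(self, headers: Dict[str, str]) -> int:
        key = self.real_addr
        for h in self.trusted:
            if h in headers:
                key = headers[h]  # attacker-controlled: the counter is per fake IP
                break
        self.counts[key] += 1
        return 429 if self.counts[key] > self.limit else 200


def demo_vulnerable() -> Dict[str, object]:
    return find_bypasses(lambda: SimulatedLimiter(trusted=["X-Forwarded-For", "X-Client-IP"]))


def demo_hardened() -> Dict[str, object]:
    return find_bypasses(lambda: SimulatedLimiter(trusted=[]))


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

Two practical caveats: X-Forwarded-For is often a comma-separated list, and some stacks take the first element while others take the last, so try `"<fake>, <real>"` as well as a bare value; and a bypass only exists when the limiter keys on the header rather than the real connection address, which is why the baseline run matters.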
Guys, please help me with your inputs to make this list complete.