Find a parameter that carries the active account's user ID. Try to tamper with it in order to change the details of other accounts.
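As an added example (not part of the checklist), here is the server-side flaw this check looks for beside its fix: one account-update handler trusts the client-supplied user_id, the other derives the acting user from the session and refuses any mismatch. ACCOUNTS, SESSIONS and the handler names are hypothetical stand-ins for an application's session store and user table.

```python
# Added example (not from the checklist): an account-update handler that trusts
# the client-supplied user_id beside one that derives the acting user from the
# session. ACCOUNTS, SESSIONS and the handler names are hypothetical stand-ins.

# Constructed sample data: two accounts, each with a logged-in session.
ACCOUNTS = {
    101: {"email": "alice@example.com", "name": "Alice"},
    102: {"email": "bob@example.com", "name": "Bob"},
}
SESSIONS = {"sess-alice": 101, "sess-bob": 102}


class AuthorizationError(Exception):
    pass


def update_account_vulnerable(session_token, user_id, changes):
    """Only checks that *someone* is logged in, then edits whichever account
    the request names: tampering with user_id changes another user's details."""
    if session_token not in SESSIONS:
        raise AuthorizationError("not logged in")
    ACCOUNTS[user_id].update(changes)
    return ACCOUNTS[user_id]


def update_account_fixed(session_token, user_id, changes):
    """Resolves the acting user from the session and refuses to touch any other
    account, no matter what the client puts in user_id."""
    actor = SESSIONS.get(session_token)
    if actor is None:
        raise AuthorizationError("not logged in")
    if user_id != actor:
        # A user_id that disagrees with the session is a tampering signal worth
        # logging and alerting on, not just answering with a 403.
        raise AuthorizationError(f"user {actor} may not modify account {user_id}")
    ACCOUNTS[user_id].update(changes)
    return ACCOUNTS[user_id]


def try_update(handler, session_token, user_id, changes):
    """Run a handler and report whether it allowed the change."""
    try:
        handler(session_token, user_id, changes)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Alice's session tries to edit Bob's account through each handler.
    print("vulnerable:", try_update(update_account_vulnerable, "sess-alice", 102, {"name": "Mallory"}))
    print("fixed:     ", try_update(update_account_fixed, "sess-alice", 102, {"name": "Mallory"}))
```

The fix is not "validate the user_id parameter" but "ignore it": the only trustworthy source of identity is the authenticated session, so the handler should either drop the parameter entirely or treat a mismatch as an incident signal.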
Create a list of features that pertain to a user account only:
- Change email
- Change password
- Change account details (name, number, address, etc.)
Try CSRF on each of them.
After login, change the email ID to one that already belongs to another account. Check whether the new value is validated on the server side or not. Does the application send a confirmation link to the new email address? What happens if the user does not confirm the link within the time frame?
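The following is an added example, not code from the checklist, showing a change-email flow that answers each of these questions the safe way: the new address is validated and checked for duplicates on the server, the old address stays active until a confirmation link sent to the new address is used, and an unconfirmed request expires. EmailChangeService, TOKEN_TTL and the constructed user table are hypothetical.

```python
# Added example (not from the checklist): a change-email flow that validates the
# new address on the server, keeps the old address active until the new one is
# confirmed, and expires unconfirmed requests. EmailChangeService, TOKEN_TTL and
# the constructed user table are hypothetical.
import hashlib
import hmac
import re
import secrets
import time

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TOKEN_TTL = 15 * 60  # seconds a confirmation link stays valid (assumed value)


class EmailChangeService:
    def __init__(self, users, clock=time.time):
        self.users = users      # user_id -> {"email": ...}
        self.pending = {}       # user_id -> (sha256(token), new_email, expires_at)
        self.clock = clock
        self.outbox = []        # (recipient, token); stands in for the mail sender

    def _taken(self, email):
        return any(u["email"].lower() == email.lower() for u in self.users.values())

    def request_change(self, user_id, new_email):
        """Server-side checks first; the client-side form is not trusted."""
        new_email = new_email.strip()
        if not EMAIL_RE.match(new_email):
            return "invalid_email"
        if self._taken(new_email):
            # Internal reason only; the HTTP response to the user should read the
            # same as the invalid case so the endpoint cannot enumerate addresses.
            return "email_in_use"
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[user_id] = (digest, new_email, self.clock() + TOKEN_TTL)
        self.outbox.append((new_email, token))   # link goes to the NEW address only
        return "pending"

    def confirm(self, user_id, token):
        """Apply the change only for a matching, unexpired token."""
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_pending"
        digest, new_email, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[user_id]
            return "expired"
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return "bad_token"
        if self._taken(new_email):  # re-check: someone may have claimed it meanwhile
            del self.pending[user_id]
            return "email_in_use"
        self.users[user_id]["email"] = new_email
        del self.pending[user_id]
        return "confirmed"


def run_scenario():
    """Walk the checklist's questions against the service with a fake clock."""
    now = [1_000_000.0]
    svc = EmailChangeService(
        {1: {"email": "alice@example.com"}, 2: {"email": "bob@example.com"}},
        clock=lambda: now[0],
    )
    r = {}
    r["duplicate"] = svc.request_change(1, "Bob@example.com")     # existing email ID
    r["malformed"] = svc.request_change(1, "not-an-email")
    r["pending"] = svc.request_change(1, "alice.new@example.com")
    r["email_before_confirm"] = svc.users[1]["email"]
    r["recipient"], token = svc.outbox[-1]
    r["wrong_token"] = svc.confirm(1, "wrong")
    r["confirmed"] = svc.confirm(1, token)
    r["email_after_confirm"] = svc.users[1]["email"]
    svc.request_change(1, "late@example.com")                     # never confirmed in time
    _, late_token = svc.outbox[-1]
    now[0] += TOKEN_TTL + 1
    r["expired"] = svc.confirm(1, late_token)
    r["email_after_expiry"] = svc.users[1]["email"]
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth checking in a real target: the confirmation link must go to the new address (sending it to the old one proves nothing about ownership of the new one), and the duplicate check has to be repeated at confirmation time, because another account can claim the address between request and confirm.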
Open the profile picture in a new tab and check the URL. Look for an email ID or user ID in it. Check whether EXIF geolocation data is stripped from uploaded images.
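An added example (not from the checklist) of the server-side mitigation for the EXIF point: a standard-library JPEG segment walker that drops every APP1 segment (where EXIF and XMP metadata, including GPS tags, live) before the upload is stored. The sample image bytes are constructed inline and are not a real photograph; strip_jpeg_metadata and has_exif are hypothetical names.

```python
# Added example (not from the checklist): strip EXIF/XMP (APP1) segments from a
# JPEG before storing it, using only the standard library. The sample JPEG is
# constructed here and is not a real photo.
import struct

EOI, SOS, APP0, APP1, DQT = 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1, 0xFFDB


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of a JPEG with every APP1 segment removed.
    Walks the marker segments that precede the scan; everything from SOS
    onward (compressed image data and EOI) is copied unchanged."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        if marker == SOS:
            out += data[pos:]            # scan data carries no metadata
            return bytes(out)
        if marker == EOI:                # degenerate file with no scan at all
            out += b"\xff\xd9"
            return bytes(out)
        segment = data[pos:pos + 2 + length]
        if marker != APP1:               # keep JFIF, quantisation tables, etc.
            out += segment
        pos += 2 + length
    raise ValueError("no SOS segment found")


def has_exif(data: bytes) -> bool:
    """Cheap detector used to verify the upload pipeline actually stripped."""
    return b"Exif\x00\x00" in data


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment; the 2-byte length field counts itself."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: SOI, JFIF APP0, an APP1 with a fake GPS payload, a DQT
# stub, a minimal SOS header, a few bytes of fake scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01")
    + _segment(APP1, b"Exif\x00\x00MM\x00*GPSLatitude=51.5;GPSLongitude=-0.12")
    + _segment(DQT, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", has_exif(SAMPLE_JPEG), "after:", has_exif(cleaned))
```

In a real upload pipeline the simpler and more robust choice is to re-encode every image with an image library, which discards all metadata for every format (PNG and WebP carry EXIF in their own chunks, which this JPEG-only walker does not touch); the walker above is useful for understanding what a "stripped" check should verify.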
Check the account deletion option, if the application provides one, and confirm that the account is really gone via the forgot password feature.
Change the email ID, account ID, and user ID parameters and try to brute force other users' passwords.
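As an added example (not from the checklist), this is the defensive counterpart to the check above: failed-login throttling keyed on the canonical account the request resolves to, so that switching between the email, account ID and user ID forms of the same target does not reset the counter. LoginThrottle, resolve_account, the DIRECTORY rows and the limits are hypothetical.

```python
# Added example (not from the checklist): failed-attempt throttling keyed on the
# canonical account a request resolves to, so alternating identifier parameters
# does not evade the lockout. LoginThrottle, resolve_account, DIRECTORY and the
# limits are hypothetical.
import collections

MAX_FAILURES = 5       # failures allowed per account per window (assumed value)
WINDOW = 15 * 60       # seconds (assumed value)

# Constructed directory: each account is reachable by three identifiers.
DIRECTORY = [
    {"user_id": 42, "account_id": "ACC-0042", "email": "alice@example.com"},
    {"user_id": 43, "account_id": "ACC-0043", "email": "bob@example.com"},
]


def resolve_account(identifier):
    """Map any client-supplied identifier (email, account ID or user ID,
    case-insensitively) to the canonical user_id, or None if unknown."""
    ident = str(identifier).strip().lower()
    for row in DIRECTORY:
        if ident in (str(row["user_id"]), row["account_id"].lower(), row["email"].lower()):
            return row["user_id"]
    return None


class LoginThrottle:
    def __init__(self, clock):
        self.failures = collections.defaultdict(list)  # user_id -> failure timestamps
        self.clock = clock

    def _recent(self, user_id):
        cutoff = self.clock() - WINDOW
        self.failures[user_id] = [t for t in self.failures[user_id] if t > cutoff]
        return self.failures[user_id]

    def check(self, identifier, password_ok):
        """Return 'locked', 'failed' or 'ok'. The password is never consulted
        while the account is locked, and unknown identifiers receive the same
        'failed' result so the endpoint does not enumerate accounts."""
        user_id = resolve_account(identifier)
        if user_id is None:
            return "failed"
        if len(self._recent(user_id)) >= MAX_FAILURES:
            return "locked"
        if not password_ok:
            self.failures[user_id].append(self.clock())
            return "failed"
        self.failures[user_id].clear()
        return "ok"


def run_scenario():
    """Five failures spread across every identifier form for one account, then
    a correct password, another account, and a retry after the window."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    out = []
    for ident in ["alice@example.com", "ACC-0042", 42, "Alice@Example.com", "acc-0042"]:
        out.append(throttle.check(ident, password_ok=False))
    out.append(throttle.check("alice@example.com", password_ok=True))  # correct but locked
    out.append(throttle.check("bob@example.com", password_ok=True))    # other account unaffected
    now[0] += WINDOW + 1
    out.append(throttle.check("alice@example.com", password_ok=True))  # window elapsed
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point to verify when testing is that the counter lives behind the identifier resolution, not in front of it; a throttle keyed on the raw parameter string is what makes swapping email, account ID and user ID worthwhile.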
Check whether the application re-authenticates the user before performing sensitive operations in post-authentication features.
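An added example (not from the checklist) covering this item together with the CSRF point from the feature list above: a guard for sensitive post-login operations that rejects requests lacking the session's CSRF token and requires a password re-authentication no older than a short window. Session, require_fresh_auth, change_password and REAUTH_WINDOW are hypothetical names, not a framework API.

```python
# Added example (not from the checklist): a guard for sensitive post-login
# operations that checks a per-session CSRF token and requires a recent password
# re-authentication. Session, require_fresh_auth, REAUTH_WINDOW and
# change_password are hypothetical names, not a framework API.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

REAUTH_WINDOW = 5 * 60  # seconds a re-authentication stays fresh (assumed value)
PASSWORD_STORE = {}     # user_id -> (salt, pbkdf2 hash); stand-in for the user table


@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_reauth: float = 0.0  # epoch seconds of the last password confirmation; 0 = never


class Denied(Exception):
    pass


def reauthenticate(session, password_ok, now):
    """The 'confirm your password' step: only a successful check refreshes the
    timestamp, so a failed attempt cannot extend the window."""
    if password_ok:
        session.last_reauth = now
    return password_ok


def require_fresh_auth(session, submitted_csrf, now):
    """Raise Denied unless the request carries the session's CSRF token and the
    user re-entered their password within REAUTH_WINDOW."""
    if submitted_csrf is None or not hmac.compare_digest(
        session.csrf_token.encode(), submitted_csrf.encode()
    ):
        raise Denied("csrf")
    if now - session.last_reauth > REAUTH_WINDOW:
        raise Denied("reauth_required")


def change_password(session, submitted_csrf, new_password, now):
    """Return 'ok' after storing the new hash, or the reason the request was refused."""
    try:
        require_fresh_auth(session, submitted_csrf, now)
    except Denied as exc:
        return str(exc)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    PASSWORD_STORE[session.user_id] = (salt, digest)
    return "ok"


def run_scenario():
    """Exercise the guard with an explicit clock so the window is deterministic."""
    s = Session(user_id=7)
    t0 = 1_000.0
    out = []
    out.append(change_password(s, s.csrf_token, "pw1", now=t0))           # never re-authed
    reauthenticate(s, password_ok=False, now=t0)
    out.append(change_password(s, s.csrf_token, "pw1", now=t0 + 1))       # failed re-auth
    reauthenticate(s, password_ok=True, now=t0 + 1)
    out.append(change_password(s, s.csrf_token, "pw1", now=t0 + 2))       # fresh: allowed
    out.append(change_password(s, "forged-token", "pw1", now=t0 + 2))     # wrong CSRF token
    out.append(change_password(s, None, "pw1", now=t0 + 2))               # no CSRF token
    out.append(change_password(s, s.csrf_token, "pw1", now=t0 + 1 + REAUTH_WINDOW + 1))  # stale
    return out


if __name__ == "__main__":
    print(run_scenario())
    print("stored hash for user 7:", 7 in PASSWORD_STORE, "at", time.time())
```

When testing, the interesting negative cases are the ones in the scenario: a failed re-authentication must not refresh the window, and a request with a valid session but a missing or mismatched CSRF token must fail before the password check is even considered.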