Basic Methodology

First, check this video out: How to Shot Web: Pentester Methodology

Now, here's my basic methodology... It's over simplified for hard stuff, but is very useful for someone who is doing basic web things.

Step 1: Open up Chrome Dev Tools

Step 2: Use the site as intended

Step 3: See what happens.

While playing around, check out these basic tips for finding weirdness.

Dummy Stuff

Find all login pages
- Many bugs, however complicated their root cause might be, display themselves as a normal user having powers that were meant only for admin
- Generally, anything that "admin" is the only group allowed to do that "user" has access to is considered bad. Test everything, attack admin functionality as a normally priv'd user.
- If you see the word admin, you're probably on the right track.
- Also, always try admin:admin on everything you touch.
- As a near general rule, you will not bruteforce logins during CTFs, so don't do it without permission from organizers. If you are bruteforcing, you are likely wrong.
Find all upload/content send mechanisms
View source of pages
Check out cookies (base 64/ plaintext)
- The most common way sessions are maintained is with cookies.
- Always check the cookies on a web page, either with a cookie editing tool or using browser DevTools
- Cookies can be (Will be) encoded so don't be discouraged if they are random alphanumerics, always make sure to check Base64 and other common encodings.
Look at URLs
- If the URL looks like it has a number at the end, try incrementing the number.
- If the URL has your username at the end, change the username.
Look for Robots.txt

Nmap -A
- Services on weird ports are common
Dirbust for 2 minutes if nothing against it.
- Admin panels might pop up
Vuln scan with Nikto. If you have a real commercial one, hit it, but you probably won't find anything. CTF challenges aren't supposed to be solved by a scanner.

Fake it from there.