[ Danilo Cvjeticanin @ 16.12.2010. 14:17 ] @
Dear all,

The first 10 clients who sign up by 31.12.2010 get a free Penetration Testing Analysis for their site.

Think your site is secure? Here is a chance to check that, and for free!

You need to write, on your company's letterhead, a permission stating that the MMC agency from Apatin is allowed to perform a Penetration Testing analysis on your site.

Send the permission to [email protected]

MMC Agency wishes you a happy New Year and Christmas holidays

More information on the website.

www.penetration-testing.rs
[ Danilo Cvjeticanin @ 17.12.2010. 16:10 ] @
These are some of the methods we try:

Arbitrary File Deletion
Code Execution
Cookie Manipulation ( meta http-equiv & crlf injection )
CRLF Injection ( HTTP response splitting )
Cross Frame Scripting ( XFS )
Cross-Site Scripting ( XSS )
Directory traversal
Email Injection
File inclusion
Full path disclosure
LDAP Injection
PHP code injection
PHP curl_exec() url is controlled by user
PHP invalid data type error message
PHP preg_replace used on user input
PHP unserialize() used on user input
Remote XSL inclusion
Script source code disclosure
Server-Side Includes (SSI) Injection
SQL injection
URL redirection
XPath Injection vulnerability
EXIF
Blind SQL injection (timing)
Blind SQL/XPath injection (many types)
Cross Site Scripting in path
Cross Site Scripting in Referer
Directory permissions ( mostly for IIS )
HTTP Verb Tampering ( HTTP Verb POST & HTTP Verb WVS )
Possible sensitive files
Session fixation ( jsessionid & PHPSESSID session fixation )
Vulnerabilities ( e.g. Apache Tomcat Directory Traversal, ASP.NET error message etc )
WebDAV ( very vulnerable component of IIS servers )
Microsoft IIS WebDAV Authentication Bypass
SQL injection in the authentication header
Application Error Message ( testing with empty, NULL, negative, big hex etc )
Code Execution
SQL Injection
XPath Injection
Blind SQL/XPath injection ( test for numeric, string, number inputs etc )
Stored Cross-Site Scripting ( XSS )
Cross-Site Request Forgery ( CSRF )