My methodology for testing web application security follows a systematic flow that combines tools and techniques to maximize vulnerability detection. Below, I detail the steps I follow and explain the purpose of each one:

1. Environment preparation

I create a directory named after the target (e.g., the domain of the page). This helps me organize the results and keep proper control over each test.

2. Initial reconnaissance

I use tools such as http://crt.sh, VirusTotal and Chaos (ProjectDiscovery) to gather public information about the domain, including certificates, known subdomains and other details. On Censys, I research the technology used by the target (server, CMS, frameworks, etc.), which can help identify possible attack vectors.

3. Subdomain enumeration

I run Subfinder and Assetfinder to identify subdomains related to the target domain:

    sudo subfinder -d url -all > subdomain.txt
    sudo assetfinder -subs-only url > subdomain1.txt

I combine the results to get a single list of subdomains:

    sort -u subdomain.txt subdomain1.txt > mainsubdomain.txt

4. Filtering of live subdomains

I use httpx to identify which of the subdomains are live:

    cat mainsubdomain.txt | sudo httpx > alive_subdomain.txt

5. HTTP status code analysis

I check the status codes of the live subdomains:

    cat alive_subdomain.txt | sudo httpx -sc > alive_domain_code.txt

I filter responses with code 200 (OK), as they indicate accessible and potentially exploitable subdomains:

    cat alive_domain_code.txt | grep "200"

6. URL extraction and crawling

I use Katana to perform deep crawling of the active subdomains, excluding irrelevant extensions (woff, css, images, etc.) and generating a file with all the URLs found:

    sudo katana -u url -d 5 -ef woff,css,png,svg,jpg,woff2,jpeg,gif -o allurls.txt

7. Directory- and parameter-specific tests

I access specific URLs and test for common vulnerabilities, such as Path Traversal (e.g., trying to access /etc/passwd).

I extract URLs with parameters (=*) from allurls.txt and test for XSS vulnerabilities using Dalfox:

    dalfox file urls_with_params.txt -p xss-payload-list.txt --silence --output results.txt -w 150

8. SQL injection testing

I use SQLmap to check for SQL injection vulnerabilities in URLs with parameters:

    sqlmap -u url --dbs
    sqlmap -u url -D namedb --columns
    sqlmap -u url -D namedb --tables
    sqlmap -u url -D namedb -T account --columns
    sqlmap -u url -D namedb -T account -C email --dump

9. Additional research

I perform manual Google searches to identify potential entry points, using dorks such as:

    inurl:url intext:login
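
Step 7 passes a urls_with_params.txt file to Dalfox but does not show how it is produced from allurls.txt. One way to build it, as an added example that is not part of the original write-up: the function name extract_param_urls, the in-scope host filter and the dedup-by-parameter-names rule are assumptions of this example, and example.com is a placeholder domain.

```shell
# Added example: build urls_with_params.txt from the crawler output.
# Usage: extract_param_urls <scope-domain> <infile> <outfile>
# The scope filter and the dedup key are assumptions of this example.
extract_param_urls() {
    scope=$1 infile=$2 outfile=$3
    awk -v scope="$scope" '
    BEGIN { scope = tolower(scope); sl = length(scope) }
    {
        url = $0
        sub(/#.*/, "", url)                  # fragments never reach the server
        q = index(url, "?")
        if (q == 0) next                     # no query string
        base = substr(url, 1, q - 1)
        query = substr(url, q + 1)
        if (query !~ /=/) next               # no name=value pair

        # Host: strip scheme, path, userinfo and port, then lowercase.
        host = base
        if (!sub(/^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//, "", host)) next
        sub(/\/.*/, "", host); sub(/^.*@/, "", host); sub(/:.*/, "", host)
        host = tolower(host); hl = length(host)
        # In scope only if host is the domain itself or ends in ".domain".
        if (host != scope && (hl <= sl || substr(host, hl - sl) != "." scope)) next

        # Dedup key: path plus the sorted parameter names (values ignored).
        n = split(query, pairs, "&"); k = 0
        for (i = 1; i <= n; i++) {
            if (pairs[i] !~ /=/) continue
            name = pairs[i]; sub(/=.*/, "", name)
            for (j = k; j >= 1 && names[j] > name; j--) names[j + 1] = names[j]
            names[j + 1] = name; k++
        }
        key = base "?"
        for (i = 1; i <= k; i++) key = key names[i] "&"
        if (!(key in seen)) { seen[key] = 1; print url }
    }' "$infile" > "$outfile"
}

# Constructed sample run; example.com is a placeholder scope.
sample=$(mktemp)
printf '%s\n' \
    'https://shop.example.com/item?id=1' \
    'https://shop.example.com/item?ref=x&id=9' \
    'https://evilexample.com/item?id=1' \
    'https://shop.example.com/about' > "$sample"
extract_param_urls example.com "$sample" "$sample.out"
cat "$sample.out"; rm -f "$sample" "$sample.out"
```

Crawlers follow links to third-party hosts, so the host filter keeps requests inside the authorized domain, and collapsing URLs that differ only in parameter values keeps the request volume against the target down.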