Analyze Requests with Burp Suite
reconchecklist
Summary
Test every function: LFI, SQLi, IDOR, mass assignment, business logic.
Walkthrough
Proxy traffic through Burp and test every parameter and workflow for common web flaws. A hit is any anomalous response, access-control bypass, or injection point worth exploiting further.