DevTools and curl are enough for most manual testing. Test staging, not prod.
## Auth testing

- Default creds: try admin/admin and admin/password on login forms and admin panels.
- Username enumeration: different error messages for valid vs invalid users?
- Brute force: 50 failed attempts, then any lockout or rate limit?
- Sessions: HttpOnly? Secure? Does logout invalidate the session server-side?
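Three of the checks above as small functions, added here as an example rather than code from the original page. The login responses, the Set-Cookie header and the `fake_login` stand-in are constructed sample data, not captures from a real application; in practice `lockout_after` would be handed a function that POSTs to the staging login with a wrong password and returns the status code.

```python
"""Added example (not part of the original page): three of the auth checks above
as small functions. The login responses, cookie header and login stand-in below are
constructed sample data, not captured from a real application."""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Optional


@dataclass
class LoginResponse:
    """The parts of a failed-login response that can leak whether a username exists."""
    status: int
    body: str
    elapsed: float  # seconds


def enumeration_signals(known_user: LoginResponse, unknown_user: LoginResponse,
                        timing_threshold: float = 0.25) -> list[str]:
    """Return every way the two failed-login responses differ.
    An empty list means the app answers identically for real and made-up usernames."""
    signals = []
    if known_user.status != unknown_user.status:
        signals.append(f"status {known_user.status} vs {unknown_user.status}")
    if known_user.body.strip() != unknown_user.body.strip():
        signals.append("response body differs")
    if abs(known_user.elapsed - unknown_user.elapsed) > timing_threshold:
        # typical cause: the password hash is only computed for existing users
        signals.append("timing gap above threshold")
    return signals


def lockout_after(attempt_login: Callable[[int], int], max_attempts: int = 50) -> Optional[int]:
    """Call attempt_login(n) with a wrong password up to max_attempts times and return
    the first attempt number that was refused (423 or 429) instead of answered with 401.
    None means no lockout or rate limit kicked in within the budget."""
    for n in range(1, max_attempts + 1):
        if attempt_login(n) in (423, 429):
            return n
    return None


def missing_cookie_flags(set_cookie_header: str, session_name: str = "session") -> list[str]:
    """Parse a Set-Cookie header and list the protective flags the session cookie lacks."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if session_name not in jar:
        return [f"no cookie named {session_name!r}"]
    morsel = jar[session_name]
    missing = []
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing


def fake_login(attempt: int) -> int:
    """Constructed stand-in for a real login call: this imaginary app starts
    answering 429 after ten failures."""
    return 429 if attempt > 10 else 401


if __name__ == "__main__":
    leaky = (LoginResponse(200, '{"error":"wrong password"}', 0.31),
             LoginResponse(200, '{"error":"unknown user"}', 0.02))
    print("enumeration signals:", enumeration_signals(*leaky))
    print("lockout after attempt:", lockout_after(fake_login))
    print("missing cookie flags:", missing_cookie_flags("session=abc123; Path=/; HttpOnly"))
```

The timing threshold is deliberately coarse; for a real measurement take the median of several requests per username rather than a single sample.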
## Authz testing

- IDOR: log in as User A, then request User B's order:

  ```
  GET /api/orders/1002   # with User A's token: should return 403
  ```

- Vertical: regular user tries admin endpoints.
- Mass assignment: is `{"role": "admin"}` in an update request accepted?
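The three checks above run against a tiny in-process API, added here as an example and not code from the original page. The API exists in a vulnerable flavour (no ownership check, no role check, whole request body copied into the profile) and a hardened one with the usual fixes. Tokens, users, order ids and the endpoint paths are constructed sample data; nothing touches the network, which is what makes the same checks cheap to keep as a regression test.

```python
"""Added example, not code from the original page: a tiny in-process API in two
flavours (vulnerable and hardened) and the three authz checks from the list above
run against it as User A. Tokens, users and orders are constructed sample data."""
from __future__ import annotations

import copy

# constructed sample data: bearer token -> account, order id -> order
USERS = {"tok-alice": {"id": 1, "role": "user"},
         "tok-bob": {"id": 2, "role": "user"},
         "tok-root": {"id": 3, "role": "admin"}}
ORDERS = {1001: {"owner": 1, "item": "book"},
          1002: {"owner": 2, "item": "lamp"}}
PROFILE_FIELDS = {"name", "email"}  # the only fields a user may change about themselves


class Api:
    """Minimal request handler. hardened=False reproduces the three bugs; hardened=True
    applies the fixes: ownership check, role check, field allowlist."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.users = copy.deepcopy(USERS)
        self.orders = copy.deepcopy(ORDERS)

    def request(self, method: str, path: str, token: str, body: dict | None = None):
        user = self.users.get(token)
        if user is None:
            return 401, {"error": "unauthenticated"}

        if method == "GET" and path.startswith("/api/orders/"):
            order = self.orders.get(int(path.rsplit("/", 1)[1]))
            if order is None:
                return 404, {"error": "not found"}
            # IDOR fix: the object must belong to the caller (admins may read all)
            if self.hardened and order["owner"] != user["id"] and user["role"] != "admin":
                return 403, {"error": "forbidden"}
            return 200, dict(order)

        if method == "GET" and path == "/api/admin/users":
            # vertical-escalation fix: an admin endpoint checks the role, not just the login
            if self.hardened and user["role"] != "admin":
                return 403, {"error": "forbidden"}
            return 200, {"count": len(self.users)}

        if method == "PATCH" and path == "/api/me":
            fields = body or {}
            if self.hardened:
                # mass-assignment fix: copy an allowlist of fields, never the whole body
                fields = {k: v for k, v in fields.items() if k in PROFILE_FIELDS}
            user.update(fields)
            return 200, dict(user)

        return 404, {"error": "not found"}


def authz_findings(api: Api) -> list[str]:
    """The three checks above, run as User A (alice). Returns the failures."""
    findings = []
    status, _ = api.request("GET", "/api/orders/1002", "tok-alice")  # Bob's order
    if status != 403:
        findings.append(f"IDOR: GET /api/orders/1002 with alice's token returned {status}, expected 403")
    status, _ = api.request("GET", "/api/admin/users", "tok-alice")
    if status != 403:
        findings.append(f"vertical: /api/admin/users as a regular user returned {status}, expected 403")
    _, profile = api.request("PATCH", "/api/me", "tok-alice", {"name": "Alice", "role": "admin"})
    if profile.get("role") == "admin":
        findings.append("mass assignment: role=admin in the profile update was accepted")
    return findings


if __name__ == "__main__":
    for label, api in (("vulnerable", Api(hardened=False)), ("hardened", Api(hardened=True))):
        print(label, authz_findings(api) or ["no findings"])
```

Run the vulnerable flavour to see all three findings, the hardened one to see none; the hardened API still lets alice read her own order 1001 and change her name, so the fixes are not just blanket denials.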
## Injection

- SQLi: `' OR '1'='1` in an input, different response?
- XSS: `<script>alert(1)</script>` reflected unescaped?
- SSRF: `http://169.254.169.254/` in URL fields.
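The three probes above from the defender's side, added as an example and not code from the original page. An in-memory SQLite table with constructed rows shows why the SQLi probe produces "a different response" against string-built SQL and matches nothing against a parameterised query; `html.escape` neutralises the reflected XSS probe; and a URL validator rejects the link-local metadata address used as the SSRF probe. The table, the `allowed_hosts` policy and the sample URLs are assumptions for the example.

```python
"""Added example, not code from the original page: the SQLi, XSS and SSRF probes
above against vulnerable and fixed code. The SQLite table is constructed sample data."""
import html
import ipaddress
import sqlite3
from urllib.parse import urlsplit

SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(1)</script>"
SSRF_PROBE = "http://169.254.169.254/latest/meta-data/"


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # string concatenation: the quote in the probe closes the literal and the rest
    # is parsed as SQL, so the WHERE clause becomes always-true and every row comes back
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # bound parameter: the probe is compared as a literal name and matches nobody
    return conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name: str) -> str:
    """Reflect user input into HTML the safe way: escape on output."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def is_safe_fetch_url(url: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Policy for URL fields the server will fetch on the user's behalf: http(s) only;
    hostnames must be on an explicit allowlist; IP literals must be globally routable,
    which excludes loopback, RFC 1918 ranges and the 169.254.0.0/16 link-local block
    that cloud metadata services live on. A hostname that later resolves to such an
    address needs the same check on the resolved address at connect time."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host in allowed_hosts
    return ip.is_global


if __name__ == "__main__":
    db = make_db()
    print("vulnerable rows:", lookup_vulnerable(db, SQLI_PROBE))
    print("parameterised rows:", lookup_parameterised(db, SQLI_PROBE))
    print("escaped:", render_greeting(XSS_PROBE))
    print("metadata URL allowed:", is_safe_fetch_url(SSRF_PROBE))
```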
## File upload

- Upload `.php` files, double extensions, path-traversal filenames, and oversized files.
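A server-side validator that handles the four upload cases above, added as an example and not code from the original page. The allowed types, the size limit and the magic-byte table are assumptions for the example, and the filenames and byte strings in the test are constructed samples.

```python
"""Added example, not code from the original page: an upload validator covering the
four cases above (executable extension, double extension, traversal in the filename,
oversized body). Limits and allowed types are assumptions for the example."""
from __future__ import annotations

from pathlib import PurePosixPath, PureWindowsPath
from uuid import uuid4

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".pdf"}  # assumed policy for this example
MAX_BYTES = 5 * 1024 * 1024
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every rejection names the check that fired."""
    # 1. path traversal: the client's name must already be a bare filename under
    #    both separator conventions; anything else is rejected rather than "cleaned"
    if "\x00" in filename:
        return False, "path component in filename"
    bare = PureWindowsPath(PurePosixPath(filename).name).name
    if bare in ("", ".", "..") or bare != filename:
        return False, "path component in filename"

    # 2. extension: exactly one suffix, and it must be on the allowlist, so
    #    "shell.php" and "shell.php.jpg" both fail; double extensions are refused
    #    outright instead of trusting whichever one the web server honours
    suffixes = PurePosixPath(bare).suffixes
    if not suffixes:
        return False, "no extension"
    if len(suffixes) > 1:
        return False, "double extension"
    ext = suffixes[0].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"

    # 3. size: count the bytes actually received, not the client's Content-Length
    if len(data) > MAX_BYTES:
        return False, "file too large"

    # 4. content: the leading bytes must match the type the extension claims
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Never reuse the client's filename on disk: random name plus the validated extension."""
    return uuid4().hex + ext


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + bytes(16)  # constructed sample
    for name, blob in (("shell.php", b"<?php"), ("shell.php.jpg", b"\xff\xd8\xff"),
                       ("../../var/www/x.png", png_header), ("logo.png", png_header)):
        print(name, validate_upload(name, blob))
```

The checks run in the order an attacker-controlled name can do damage: first the path, then the type, and only then the content, so the error reported points at the first thing the client would have to change.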
## Automated

```shell
docker run -t zaproxy/zap-stable zap-baseline.py -t https://staging.example.com
nuclei -u https://staging.example.com -severity medium,high,critical
```
## Methodology

Map → Auth → Authz → Injection → Upload → Business logic → Automate → Report
## The takeaway

Test auth (brute force, sessions). Test authz (IDOR, escalation). Test injection on every input. Document each finding with repro steps, impact, and a fix.
