DEV Community

Discussion on: I'm 18 and I do systems security, Ask Me Anything!

Anirudh

First thing I do is enumerate all the API endpoints that are being hit, on all pages of the website. I then take a look at the requests themselves, what headers are being sent, the response from the server, etc. I try messing around with these.

Most websites, from what I've seen, always tend to overlook the possibility of CSRF or Cross-Site Request Forgery. You can read more about it here.
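As an added example (not part of the original comment), here is one way to review requests recorded from your own application for the missing CSRF protection mentioned above. The sample requests, token header and field names, and finding labels are all assumptions made for illustration.

```python
from urllib.parse import parse_qs

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed token names; replace with the ones your framework uses.
TOKEN_HEADERS = {"x-csrf-token", "x-xsrf-token"}
TOKEN_FIELDS = {"csrf_token", "_csrf", "authenticity_token"}
URLENCODED = "application/x-www-form-urlencoded"
# Content types an HTML form can submit cross-site without a CORS preflight.
FORM_TYPES = {URLENCODED, "multipart/form-data", "text/plain"}

# Constructed sample: requests recorded while using your own application.
CAPTURED = [
    {"method": "GET", "path": "/api/profile",
     "headers": {"Cookie": "session=s1"}, "body": ""},
    {"method": "POST", "path": "/api/email",
     "headers": {"Cookie": "session=s1", "Content-Type": URLENCODED},
     "body": "email=a%40example.com"},
    {"method": "POST", "path": "/api/password",
     "headers": {"Cookie": "session=s1", "X-CSRF-Token": "t0k3n",
                 "Content-Type": "application/json"}, "body": "{}"},
    {"method": "DELETE", "path": "/api/keys/7",
     "headers": {"Authorization": "Bearer constructed"}, "body": ""},
    {"method": "PUT", "path": "/api/settings",
     "headers": {"Cookie": "session=s1", "Content-Type": "application/json"},
     "body": "{\"theme\": \"dark\"}"},
]

def csrf_findings(captured):
    """Return (method, path, note) for cookie-authenticated, state-changing
    requests that carry no anti-CSRF token in a header or urlencoded field."""
    findings = []
    for req in captured:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        if req["method"].upper() not in STATE_CHANGING:
            continue
        if "cookie" not in headers:
            continue  # no ambient credential: the browser attaches nothing
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        # Only urlencoded bodies are parsed for token fields in this example.
        fields = parse_qs(req["body"]) if ctype == URLENCODED else {}
        if headers.keys() & TOKEN_HEADERS or fields.keys() & TOKEN_FIELDS:
            continue
        note = "form-sendable" if ctype in FORM_TYPES else "needs-review"
        findings.append((req["method"], req["path"], note))
    return findings

if __name__ == "__main__":
    for finding in csrf_findings(CAPTURED):
        print(finding)
```

A "needs-review" result means the endpoint has no token but its content type is not form-sendable, so whether it is exposed depends on the CORS policy and the session cookie's SameSite attribute.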