We teach the following technical and business logic issues related to web applications, and after covering all topics we push the students to solve our CTFs.

Information Gathering via Whois Query
Try to find out all websites hosted on the same IP address.
Try to find out all websites via reverse DNS queries
Try to find out all subdomains of all target domains
Perform a full TCP/UDP port scan for every website's IP address.
Try to identify new web interfaces on the different TCP ports.
Look at the Google search engine to find out subdomains. Google dorks.
Information gathering (subdomains, leaked credentials) via Pastebin/GitHub
Try to find out new subdomains via DNS Dumpster
Perform a brute force against the DNS server with a good wordlist to identify new subdomains.
Analyse error messages, banner information etc. for information gathering.
Look at the Archive.org records
Try to perform subdirectory tests
Identify Directory Listing Vulnerabilities by visiting subdirectories
Identify Directory Listing via Google Dork
Try to gather information via robots.txt, elmah.axd, trace.axd
Elmah.axd and Trace.axd Session Stealing Tests
Try to identify target operating systems, databases etc.
Try to find out new files under discovered subdirectories with different extensions
Try to identify the CMS application used on the target system
Scan this CMS application with specialised tools.
Try to identify installed plugins of the CMS and known vulnerabilities in these plugins
Search all known vulnerabilities related to the CMS version
Try to identify the admin pages of the target websites.
Try to check if there is any backdoor on the target systems by looking for known web backdoors
Data transmission security checks (HTTP usage, missing HSTS header, insecure SSL/TLS etc.)
Discover dangerous HTTP method usage such as PUT and DELETE
Username enumeration tests via error or warning messages
Username enumeration via development mistakes
Brute force testing for web form fields.
Try to bypass WAF systems
Manual crawling of the target applications
Find out all input fields throughout the target applications
Hidden form fields tests
Source code review of HTML and javascript files
Identifying and abusing unused captcha forms
CSRF vulnerability check on the sensitive functions of the targets
Anti-CSRF token bypass techniques
Session manipulation tests
Cookie attributes tests
Session id weaknesses tests
Vulnerabilities on the login functions
Login function(authentication) bypass techniques
Known and published vulnerabilities on the targets
Two-factor authentication bypass techniques
Session fixation tests
Directory traversal vulnerabilities
Authorization issues
Try to access other users' assets without authorization (files, private assets)
IDOR tests
Try to find out weaknesses on the logout function of targets
Privilege escalation tests with users of different roles
Focus on just business logic issues of the target’s functions
HTTP Header tests
User agent manipulation test
X-Forwarded-For Restriction bypass tests.
XSS Tests(reflected,stored,dom,blind)
Sql Injection Tests
Code injection tests
Command Execution tests
SSRF Tests(local,remote)
LFI/RFI tests
Try to focus on web service tests (ASMX, RESTful, WCF)
Business and technical tests on the web services
Specific tests related to the technologies used (Node.js, AJAX, frameworks etc.)
Try to use the right attack vectors depending on the database/development platforms used
Password reset functionality abuse testing
Account takeover via specific functionality of the targets (password change, reset etc.)
Image Captcha’s size manipulation DoS tests
Application Level DoS tests(abusing functions,BoF etc)
Session timeout tests
Secure,httponly,HSTS header usage tests
Advanced authentication and authorization tests.
Open Redirection Tests
File upload tests(command execution,stored xss,DoS)
LDAP Injection tests
XML injection tests
Xml External Entity(XXE) tests
Buffer overflow tests
Login bypass,DoS via Long payload usage
HTTP Response Splitting tests(XSS PoC)
HTTP Parameter Pollution Tests(Bypass WAF PoC)
Iframe Injection tests
LFI via Iframe injections
XSS tests via drag-drop
XSS tests via file names of uploaded files
Try to discover technical web vulnerabilities via Google dorks
Signup Function Tests(takeover account,XSS,SQL or many business logic bugs)
Code execution via uploadable excel files
Try to discover advanced injection points via fuzzing (wfuzz)
Try to force the targets to disclose sensitive information via error messages
Vulnerabilities on the webserver versions
Try to determine remotely how the passwords in the target database are encrypted.
SWF and JAR file decompiling tests if present on the targets
Code execution via SMTP/IMAP
Specific wordlist creation (crunch, cewl)
Phpmyadmin Vulnerabilities(Directory listing,bruteforce,XSS etc)
Code execution via Phpmyadmin with mysql into outfile function
URL Poisoning Tests
Try to use bypassing methods for all technical vulnerabilities
DoS via Code Injection
Default or predictable password usage tests
Post-exploitation via accessed systems(tomcat,wordpress etc)
Clickjacking Vulnerability Tests on the important function of the targets
Fully automated scan of all websites