Worked on #haTvm this week.
Found stored XSS. This was found by following a multi-step process from start to end, then manually testing each section (something I learnt to do meticulously in Week 12).
Also found reflected XSS, by testing every single form input with injection payloads. It may seem inefficient at first, but I learnt this the hard way when I sample-tested at random in previous weeks. It's weird that developers will sanitize some but not all inputs/outputs.
(Can consider some form of automated input in the future, or tweak Burp to work the way I want.)
Also found unauthorized access to certain admin functions, as well as CSRF. This was a tedious application to test, as there are hundreds of fields and forms everywhere.