Check for exposed admin panels, debug endpoints - Test for misconfigured CORS policies - Check for open redirects - Test for subdomain takeover on abandoned subdomains - Check cloud storage permissions (S3, Azure Blob, GCS) - Test for exposed .git, .svn, .env files