Comments on: Advanced Flash Vulnerabilities in Youtube – Part 1
/2017/08/advanced-flash-vulnerabilities-in-youtube/?utm_source=rss&utm_medium=rss&utm_campaign=advanced-flash-vulnerabilities-in-youtube
Open mind Security and Crypto! Fri, 30 Jul 2021 20:07:09 +0000

By: nick /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-52 Thu, 05 Oct 2017 03:16:44 +0000 /?p=8#comment-52 In reply to Engue Gillier.

Thank you, Enguerran~
It’s very helpful advice. I’m very much a beginner in this area. As you said, I think I’m gonna start with an old website 🙂

Thank you again. Have a nice day~:)

By: Engue Gillier /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-51 Tue, 03 Oct 2017 08:04:06 +0000 /?p=8#comment-51 In reply to nick.

The process is almost always the same:
– First, explore the app from the outside. List the entry points (the URL is not the only way in, think postMessage for iframes for example), read the docs, google it, read any blog or Stack Overflow topic about it, understand the app features and the business purpose it solves.
– Then debug! Browsers make it very easy to debug web apps. Use all the console tabs to see how the app is working. Modify some variables and see how the app reacts, use external tools like Burp Suite or browser extensions to modify and debug the app more in-depth.
– Read the source code. If it’s open source, grab the source. If it’s compiled, decompile the binaries. If it’s minified or obfuscated like JavaScript, modify the code to make it more readable. Try to understand the security features in the code and see how you can bypass them. Think about what the developers could have missed or misunderstood.

If you’re a beginner in this, don’t go after Google or Facebook right away. Start with easier targets. Large, old websites are good targets, like Yahoo and Paypal 😉

By: nick /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-49 Tue, 03 Oct 2017 07:19:06 +0000 /?p=8#comment-49

Thank you for the great article 🙂

I’m wondering … how to find the YouTube Flash API flow?
I think you did reverse engineering. But what do I have to do to know all about the API flow like you? 😛

By: Gopal Singh /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-32 Fri, 15 Sep 2017 13:09:51 +0000 /?p=8#comment-32

I am still waiting for your write-up on the Facebook stored XSS bug. I hope you write it soon.

By: reeseXmoonstar88 /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-28 Wed, 13 Sep 2017 18:24:51 +0000 /?p=8#comment-28

Man!!!! Best write-up so far!!!

By: Engue Gillier /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-18 Tue, 05 Sep 2017 07:05:31 +0000 /?p=8#comment-18 In reply to subramanya sai.

Thank you for your questions. I didn’t publish many write-ups yet. There is a public bug report for Vimeo at https://hackerone.com/reports/136481 and I will disclose some of my findings on Facebook soon.
Regarding Flash pentesting, here are the main resources I use:
– Decompilation tools: Sothink SWF Decompiler, JPEXS Free Flash Decompiler, AS3 Sorcerer
– Flash security docs: Official Doc, Security Domains, OWASP Cross Site Flashing
– Write-ups: Finding XSS vulnerabilities in flash files, XSS and CSRF via SWF, WordPress Flash XSS
Happy hunting!

By: subramanya sai /2017/08/advanced-flash-vulnerabilities-in-youtube/#comment-15 Mon, 04 Sep 2017 18:35:11 +0000 /?p=8#comment-15

Good article with #POC on the Flash vulnerabilities!! Where could the other vulnerability #POCS for Facebook, Stripe, PayPal etc. mentioned in the article be found, and what are the best sources to refer to on the subject of Flash pen-testing??
