Spidering a site manually requires clicking on every link.
The labour-intensive part is that Ajax-enabled sites often issue requests behind the scenes; you will need an interception proxy such as Burp Suite or WebScarab to view and track the requests an Ajax application makes.
Once the automated spider has finished, it is a simple task to filter the results down to every request that resulted in a 300 HTTP response; you then know where to focus your manual testing efforts.
One of the greatest is ensuring the security of the Web application you test. Note that a vulnerability's severity depends on the access permissions applied to the redirect. If a redirect can only be performed when a user is logged in, it is still a security vulnerability. Manually reviewing source code generally requires a working knowledge of the language in which the application has been written. Most development environments include a search function, which reduces the scope of the effort somewhat.
Very often, redirects and forwards are programmatically built based on user input; for instance, a request for the “myapp” portion of a site may be redirected when a mobile browser is detected.
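The triage step described above (pull the redirect responses out of a spider or proxy log, then look for redirects whose target is driven by user input) can be scripted. The following is an added example and not code from the original article; it assumes a simple constructed log format of "METHOD URL STATUS [Location]" per line, since proxy export formats vary, and the host and parameter names are invented for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, one request per line: METHOD URL STATUS [Location header].
# The hostnames, paths and parameter names are illustrative only.
SAMPLE_LOG = """\
GET http://shop.example/ 200
GET http://shop.example/login?next=/account 302 /account
GET http://shop.example/go?url=http://other.example/ 302 http://other.example/
GET http://shop.example/myapp 302 http://m.shop.example/myapp
GET http://shop.example/css/site.css 200
GET http://shop.example/logout 302 /
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})(?:\s+(\S+))?$")


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line)
        if not match:
            continue  # skip blank or malformed lines
        method, url, status, location = match.groups()
        entries.append({"method": method, "url": url,
                        "status": int(status), "location": location})
    return entries


def redirects(entries):
    """Keep only responses in the 3xx (redirection) class."""
    return [e for e in entries if 300 <= e["status"] <= 399]


def is_external(entry):
    """True when the Location header points at a different host than the request."""
    if not entry["location"]:
        return False
    target_host = urlsplit(entry["location"]).netloc
    return bool(target_host) and target_host != urlsplit(entry["url"]).netloc


def param_controls_location(entry):
    """Names of query parameters whose value is echoed into the Location header.

    A hit means the redirect target is (at least partly) built from user input,
    which is exactly the kind of endpoint that deserves manual review.
    """
    if not entry["location"]:
        return []
    params = parse_qs(urlsplit(entry["url"]).query)
    hits = []
    for name, values in params.items():
        if any(v and v in entry["location"] for v in values):
            hits.append(name)
    return hits


def triage(text):
    """Summarise every redirect with the two signals a reviewer wants first."""
    return [{"url": e["url"],
             "status": e["status"],
             "location": e["location"],
             "external": is_external(e),
             "input_params": param_controls_location(e)}
            for e in redirects(parse_log(text))]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = "REVIEW" if row["input_params"] else "      "
        print(flag, row["status"], row["url"], "->", row["location"],
              "(external)" if row["external"] else "")
```

In the sample, the login and go endpoints are flagged because a query parameter value reappears verbatim in the Location header, while the mobile-browser redirect for myapp is external but not driven by any request parameter; that distinction is what separates an expected, fixed redirect from one that warrants code review.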