16. Which vulnerabilities do you typically use for initial compromise (“scoring a hit”)?
Priority
Java deserialisation vulnerabilities such as Shiro, Fastjson, WebLogic, and Yonyou OA, because Java web applications often run with high privileges by default. Afterwards, other fragile, easily exploitable points are sought.