OWASP has a great web app testing methodology guide to walk you through a bunch of checks: owasp.org/index.php/Web_Applicatio...
These are kind of the minimum; a tester would want to expand based on what behavior exists in the application, but that guide is a great baseline.
Also, business logic inconsistencies and access control misconfigurations (or failures) are something I prioritize, as these are the kind of things an automated scanner or tool is not really able to find.