Based On API

For example, if the target program uses SpringMVC, we can use annotation to find the entrace functions. I.E. Globally search “@(.*?)Mapping(” so that it can match @RequestMapping, @GetMapping

Based on Dangerous Functions

According to the dangerous functions, then reverse the process to find source. (Function entrance)

For example, if we want to find deserialization vulnerability in the Java, we can find following functions:

ObjectInputStream.readObject
ObjectInputStream.readUnshared 
XMLDecoder.readObject 
Yaml.load 
XStream.fromXML 
ObjectMapper.readValue 
JSON.parseObject

Based on Functionality

First locate the vulnerable functionality according to the experience, then use blackbox/whitebox to find related issues.

Based on Third Party

Look at pom.xml and configuration files to see if all third party components are up to date.

Based on Tools

Uses both fuzzing and static analysis tool to have an initial scan. Then manually check with each alert.