Methodology

Recon, enumeration, attack surface discovery...whatever you want to call it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. So with that, one could argue that this is the most critical skill to develop.

At the start of our engagement, we need to orient ourselves and so that we understand the target enough to uncover the full attack surface (or as much of it as possible).

Things we want to find out

Part 1: Apex domains, subdomains, applications and technologies

Most modern web applications are a combination of technologies and if you're working on a wide scope BugBounty programme or a pentest for an organisation with many applications then you'll need to start by discovering the apex domains, subdomains as there may by many applications in-scope.

What domains & subdomains are in scope?

• Root / apex domains

• Associated business units/brands

• Development/staging environments

• Legacy systems

• Cloud resources (AWS, Azure, GCP instances)

• Internal systems accessible externally

What technologies exist

• Web servers and versions

• Programming languages/frameworks

• CMS platforms

• Cloud services

• Authentication systems

• Third-party integrations

• APIs and microservices

• Database systems

• Content delivery networks

• Security controls (WAF, rate limiting)

Part 2: Application attack surface

After we've identified targets, we need to understand the attack surface of individual targets. This isn't a single step, it can be iterative and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems).

What endpoints exist

• API endpoints

• Admin interfaces

• Legacy/deprecated endpoints

• Mobile app endpoints

• Authentication endpoints

• File upload/download functionality

• Payment processing endpoints

• User profile/management areas

• Integration endpoints

• Webhook endpoints

What functionality exists

• User roles and permissions

• Authentication mechanisms

• Session management

• Data processing flows

• File handling

• Input/output points

• Business logic flows

• Error handling

• Integration points

• Background processes

Checklist

Part 1: Initial Discovery

Domain Reconnaissance

• Identify root domains

• Subdomain enumeration

• DNS records analysis

• Virtual hosts discovery

• Cloud asset discovery

• Historical DNS data

Technology Stack Identification

• Server fingerprinting

• Framework detection

• Third-party components

• Cloud services

• Security mechanisms

• SSL/TLS configuration

Infrastructure Mapping

• IP ranges

• Network topology

• Load balancers

• CDN usage

• Cloud resources

• Internal systems exposure

Part 2: Application Analysis

Endpoint Discovery

• Directory enumeration

• Parameter discovery

• API endpoint mapping

• Hidden endpoints in JS

• Backup files

• Development endpoints

Functionality Mapping

• User roles identification

• Authentication flows

• Session handling

• Business logic flows

• File operations

• Data processing

Content Analysis

• JavaScript files

• Source code leaks

• API documentation

• Error messages

• Comments

• Hidden parameters

Security Control Analysis

• Authentication methods

• Authorization schemes

• Input validation

• Output encoding

• Security headers

• Rate limiting

Integration Points

• Third-party services

• Payment gateways

• Social media

• External APIs

• SSO providers

• Webhooks

Documentation

• Architecture diagrams

• API documentation

• Error messages

• Security policies

• Known vulnerabilities

• Previous findings

Continuous Discovery

• Monitor for new subdomains

• Track technology changes

• Document new endpoints

• Update attack surface map

• Review scope changes

• Track discovered vulnerabilities

Other things we may consider:

• How are sessions handled?

• Is it worth looking more closely at the data flow?

Content discovery / recon

Content discovery is a significant part of web application penetration testing or bug bounty hunting. This process involves identifying and mapping out components, endpoints, directories, functionality, and subdomains of a target web application.

Things we want to look at are:

• Subdomains

• Technology stack

• Directories and endpoints

• Parameters

• Functionality

• APIs

• JavaScript / fontend analysis

• Other open ports / services

Checklist

Web Server

• What is the server running?

  • Operating system: Linux or Windows?

  • Web server: Apache or Nginx? Etc

• Can we identify the version of the Web Server?

• Are there any subdomains?

Common files

• robots.txt

• sitemap.xml

• .htaccess

• security.txt

• manifest.json

• browserconfig.xml

• etc

Frontend checks

• Inspect the page source for frontend scripts & information

• Is there any sensitive information in the frontend?

• Are there links and other things in the frontend that aren't used?

Entry Points

• What endpoints exist

• What HTTP methods are used

• What parameters are used

• Fuzz for hidden endpoints, files, parameters, methods, etc

Map Application Architecture

• Step through the entire application