# Methodology Recon, enumeration, attack surface discovery...whatever you want to call it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. So with that, one could argue that this is the most critical skill to develop. At the start of our engagement, we need to orient ourselves and so that we understand the target enough to uncover the full attack surface (or as much of it as possible). ### Things we want to find out #### Part 1: Apex domains, subdomains, applications and technologies Most modern web applications are a combination of technologies and if you're working on a wide scope BugBounty programme or a pentest for an organisation with many applications then you'll need to start by discovering the apex domains, subdomains as there may by many applications in-scope. **What domains & subdomains are in scope?** * Root / apex domains * Associated business units/brands * Development/staging environments * Legacy systems * Cloud resources (AWS, Azure, GCP instances) * Internal systems accessible externally **What technologies exist** * Web servers and versions * Programming languages/frameworks * CMS platforms * Cloud services * Authentication systems * Third-party integrations * APIs and microservices * Database systems * Content delivery networks * Security controls (WAF, rate limiting) #### Part 2: Application attack surface After we've identified targets, we need to understand the attack surface of individual targets. This isn't a single step, it can be iterative and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems). **What endpoints exist** * API endpoints * Admin interfaces * Legacy/deprecated endpoints * Mobile app endpoints * Authentication endpoints * File upload/download functionality * Payment processing endpoints * User profile/management areas * Integration endpoints * Webhook endpoints **What functionality exists** * User roles and permissions * Authentication mechanisms * Session management * Data processing flows * File handling * Input/output points * Business logic flows * Error handling * Integration points * Background processes ### Checklist #### Part 1: Initial Discovery **Domain Reconnaissance** * [ ] Identify root domains * [ ] Subdomain enumeration * [ ] DNS records analysis * [ ] Virtual hosts discovery * [ ] Cloud asset discovery * [ ] Historical DNS data **Technology Stack Identification** * [ ] Server fingerprinting * [ ] Framework detection * [ ] Third-party components * [ ] Cloud services * [ ] Security mechanisms * [ ] SSL/TLS configuration **Infrastructure Mapping** * [ ] IP ranges * [ ] Network topology * [ ] Load balancers * [ ] CDN usage * [ ] Cloud resources * [ ] Internal systems exposure #### Part 2: Application Analysis **Endpoint Discovery** * [ ] Directory enumeration * [ ] Parameter discovery * [ ] API endpoint mapping * [ ] Hidden endpoints in JS * [ ] Backup files * [ ] Development endpoints **Functionality Mapping** * [ ] User roles identification * [ ] Authentication flows * [ ] Session handling * [ ] Business logic flows * [ ] File operations * [ ] Data processing **Content Analysis** * [ ] JavaScript files * [ ] Source code leaks * [ ] API documentation * [ ] Error messages * [ ] Comments * [ ] Hidden parameters **Security Control Analysis** * [ ] Authentication methods * [ ] Authorization schemes * [ ] Input validation * [ ] Output encoding * [ ] Security headers * [ ] Rate limiting **Integration Points** * [ ] Third-party services * [ ] Payment gateways * [ ] Social media * [ ] External APIs * [ ] SSO providers * [ ] Webhooks **Documentation** * [ ] Architecture diagrams * [ ] API documentation * [ ] Error messages * [ ] Security policies * [ ] Known vulnerabilities * [ ] Previous findings **Continuous Discovery** * [ ] Monitor for new subdomains * [ ] Track technology changes * [ ] Document new endpoints * [ ] Update attack surface map * [ ] Review scope changes * [ ] Track discovered vulnerabilities Other things we may consider: * [ ] How are sessions handled? * [ ] Is it worth looking more closely at the data flow? ## Content discovery / recon Content discovery is a significant part of web application penetration testing or bug bounty hunting. This process involves identifying and mapping out components, endpoints, directories, functionality, and subdomains of a target web application. Things we want to look at are: * Subdomains * Technology stack * Directories and endpoints * Parameters * Functionality * APIs * JavaScript / fontend analysis * Other open ports / services ### Checklist **Web Server** * [ ] What is the server running? * [ ] Operating system: Linux or Windows? * [ ] Web server: Apache or Nginx? Etc * [ ] Can we identify the version of the Web Server? * [ ] Are there any subdomains? **Common files** * [ ] robots.txt * [ ] sitemap.xml * [ ] .htaccess * [ ] security.txt * [ ] manifest.json * [ ] browserconfig.xml * [ ] etc **Frontend checks** * [ ] Inspect the page source for frontend scripts & information * [ ] Is there any sensitive information in the frontend? * [ ] Are there links and other things in the frontend that aren't used? **Entry Points** * [ ] What endpoints exist * [ ] What HTTP methods are used * [ ] What parameters are used * [ ] Fuzz for hidden endpoints, files, parameters, methods, etc **Map Application Architecture** * [ ] Step through the entire application