# Content discovery / recon

Content discovery is a significant part of web application penetration testing or bug bounty hunting. This process involves identifying and mapping out components, endpoints, directories, functionality, and subdomains of a target web application.

Things we want to look at are:

* Subdomains
* Technology stack
* Directories and endpoints
* Parameters
* Functionality
* APIs
* JavaScript / frontend analysis
* Other open ports / services

## Checklist

**Web Server**

* [ ] What is the server running?
  * [ ] Operating system: Linux or Windows?
  * [ ] Web server: Apache or Nginx? Etc
* [ ] Can we identify the version of the Web Server?
* [ ] Are there any subdomains?

**Common files**

* [ ] robots.txt
* [ ] sitemap.xml
* [ ] .htaccess
* [ ] security.txt
* [ ] manifest.json
* [ ] browserconfig.xml
* [ ] etc

**Frontend checks**

* [ ] Inspect the page source for frontend scripts & information
* [ ] Is there any sensitive information in the frontend?
* [ ] Are there links and other things in the frontend that aren't used?

**Entry Points**

* [ ] What endpoints exist?
* [ ] What HTTP methods are used?
* [ ] What parameters are used?
* [ ] Fuzz for hidden endpoints, files, parameters, methods, etc

**Map Application Architecture**

* [ ] Step through the entire application
