Methodology

Recon, enumeration, attack surface discovery...whatever you want to call it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. So with that, one could argue that this is the most critical skill to develop.

At the start of our engagement, we need to orient ourselves and so that we understand the target enough to uncover the full attack surface (or as much of it as possible).

Things we want to find out

Part 1: Apex domains, subdomains, applications and technologies

Most modern web applications are a combination of technologies and if you're working on a wide scope BugBounty programme or a pentest for an organisation with many applications then you'll need to start by discovering the apex domains, subdomains as there may by many applications in-scope.

What domains & subdomains are in scope?

  • Root / apex domains

  • Associated business units/brands

  • Development/staging environments

  • Legacy systems

  • Cloud resources (AWS, Azure, GCP instances)

  • Internal systems accessible externally

What technologies exist

  • Web servers and versions

  • Programming languages/frameworks

  • CMS platforms

  • Cloud services

  • Authentication systems

  • Third-party integrations

  • APIs and microservices

  • Database systems

  • Content delivery networks

  • Security controls (WAF, rate limiting)

Part 2: Application attack surface

After we've identified targets, we need to understand the attack surface of individual targets. This isn't a single step, it can be iterative and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems).

What endpoints exist

  • API endpoints

  • Admin interfaces

  • Legacy/deprecated endpoints

  • Mobile app endpoints

  • Authentication endpoints

  • File upload/download functionality

  • Payment processing endpoints

  • User profile/management areas

  • Integration endpoints

  • Webhook endpoints

What functionality exists

  • User roles and permissions

  • Authentication mechanisms

  • Session management

  • Data processing flows

  • File handling

  • Input/output points

  • Business logic flows

  • Error handling

  • Integration points

  • Background processes

Checklist

Part 1: Initial Discovery

Domain Reconnaissance

Technology Stack Identification

Infrastructure Mapping

Part 2: Application Analysis

Endpoint Discovery

Functionality Mapping

Content Analysis

Security Control Analysis

Integration Points

Documentation

Continuous Discovery

Other things we may consider:

PreviousResource of the weekNextContent discovery / recon

Last updated