AppSecExplained

Methodology

Recon, enumeration, attack surface discovery... whatever you want to call it, it is not really a single step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate and discover more about our target application. With that in mind, one could argue that this is the most critical skill to develop.

At the start of our engagement, we need to orient ourselves so that we understand the target well enough to uncover the full attack surface (or as much of it as possible).

Things we want to find out

Part 1: Apex domains, subdomains, applications and technologies

Most modern web applications are a combination of technologies, and if you're working on a wide-scope bug bounty programme or a pentest for an organisation with many applications, you'll need to start by discovering the apex domains and subdomains, as there may be many applications in scope.

What domains & subdomains are in scope?

  • Root / apex domains

  • Associated business units/brands

  • Development/staging environments

  • Legacy systems

  • Cloud resources (AWS, Azure, GCP instances)

  • Internal systems accessible externally

What technologies exist

  • Web servers and versions

  • Programming languages/frameworks

  • CMS platforms

  • Cloud services

  • Authentication systems

  • Third-party integrations

  • APIs and microservices

  • Database systems

  • Content delivery networks

  • Security controls (WAF, rate limiting)
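
As an added illustration (not code from the AppSecExplained page), the Python below maps several of the technology categories above (web server, language/framework, CMS, CDN/WAF layer) to the response headers, cookie names and HTML generator tag that usually reveal them, run over a single constructed HTTP response. The header values, product names and signal table are assumptions for the example, not a complete fingerprint database.

```python
import re

# Constructed sample response for illustration; values are not from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; Path=/\r\n"
    "CF-RAY: 0000000000000000-LHR\r\n\r\n"
    '<html><head><meta name="generator" content="WordPress 6.2"></head></html>'
)

# (lower-cased header name, regex on its value, category, label; \1 \2 expand to groups)
HEADER_SIGNALS = [
    ("server", r"(Apache|nginx|Microsoft-IIS|LiteSpeed)/?([\d.]*)", "web server", r"\1 \2"),
    ("x-powered-by", r"(PHP|ASP\.NET|Express|Next\.js)/?([\d.]*)", "language/framework", r"\1 \2"),
    ("cf-ray", r".", "CDN / security control", "Cloudflare edge"),
    ("x-amz-cf-id", r".", "CDN / security control", "Amazon CloudFront"),
    ("set-cookie", r"^PHPSESSID=", "language/framework", "PHP session cookie"),
    ("set-cookie", r"^JSESSIONID=", "language/framework", "Java servlet session cookie"),
    ("set-cookie", r"^ASP\.NET_SessionId=", "language/framework", "ASP.NET session cookie"),
    ("set-cookie", r"^wordpress_", "CMS", "WordPress cookie prefix"),
]

def parse_headers(raw):
    """Return ([(lower_name, value), ...], body); duplicate Set-Cookie lines are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    pairs = [line.partition(":") for line in head.split("\r\n")[1:]]  # skip status line
    return [(n.strip().lower(), v.strip()) for n, _, v in pairs], body

def fingerprint(raw):
    """Map one captured response to {category: sorted list of indicators}."""
    headers, body = parse_headers(raw)
    found = {}
    for name, value in headers:
        for header, pattern, category, label in HEADER_SIGNALS:
            m = re.search(pattern, value) if name == header else None
            if m:
                found.setdefault(category, set()).add(m.expand(label).strip())
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    if m:  # CMS generator tag in the HTML body
        found.setdefault("CMS", set()).add(m.group(1))
    return {cat: sorted(inds) for cat, inds in found.items()}

if __name__ == "__main__":
    for category, indicators in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{category}: {', '.join(indicators)}")
```

The same headers are what a defender reviews when deciding which version-bearing headers and default cookie names the application should stop emitting.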

Part 2: Application attack surface

After we've identified targets, we need to understand the attack surface of each individual target. This isn't a single step; it is iterative, and exploiting a target can lead to the discovery of more endpoints, technologies or applications to attack (e.g. when we discover SSRF and gain access to internal systems).

What endpoints exist

  • API endpoints

  • Admin interfaces

  • Legacy/deprecated endpoints

  • Mobile app endpoints

  • Authentication endpoints

  • File upload/download functionality

  • Payment processing endpoints

  • User profile/management areas

  • Integration endpoints

  • Webhook endpoints

What functionality exists

  • User roles and permissions

  • Authentication mechanisms

  • Session management

  • Data processing flows

  • File handling

  • Input/output points

  • Business logic flows

  • Error handling

  • Integration points

  • Background processes

Checklist

Part 1: Initial Discovery

Domain Reconnaissance

Technology Stack Identification

Infrastructure Mapping

Part 2: Application Analysis

Endpoint Discovery

Functionality Mapping

Content Analysis

Security Control Analysis

Integration Points

Documentation

Continuous Discovery

Other things we may consider:

Last updated 4 months ago