Skip to main content

Web Application Reconnaissance

Web application reconnaissance is one of the most crucial stages of a penetration test or bug bounty engagement. A thorough recon process helps uncover technologies, exposed functionality, and likely attack vectors.

info

Perform these steps only on targets you are authorized to test.

Basic Enumeration

Basic enumeration means collecting as much useful information as possible using passive and low-noise active techniques.

Tools & Techniques

  • DNS Lookup: Use dig or nslookup for records, nameservers, and subdomain clues.
  • WHOIS Lookup: Gather registration/ownership metadata.
  • HTTP Headers: Inspect with curl/httpx for stack and defenses (Server, X-Powered-By, etc.).
  • Google Dorking: Find exposed backups, test files, config files, and indexed secrets.

Identify Stack/Language Used

Knowing the stack helps map framework-specific vulnerabilities.

Techniques

  • HTTP Headers: Look for X-Powered-By.
  • Common Files: e.g. wp-login.php, index.php, framework-specific paths.
  • JavaScript Artifacts: Detect React/Angular/Vue and build tooling.
  • Error Messages: Stack traces often leak frameworks/components.
  • Port Scanning: Backend services can indicate stack choices.
  • 404 Fingerprinting: Use 0xdf 404 Cheatsheet.

Identify Server Running the Application

Server type influences exploit strategy and hardening expectations.

Techniques

  • HTTP Headers: Server often reveals Apache/Nginx/IIS/Caddy.
  • Banner Grabbing: netcat/telnet when applicable.
  • Nmap Service Detection:
nmap -sV <target>
nmap --script=http-server-header <target>

JS Libraries Used? Are Any Vulnerable?

Frontend libraries can introduce known CVEs.

Techniques

  • Inspect loaded JS/CSS files in source + DevTools.
  • Use tools like Retire.js.
  • Correlate versions with CVE sources (CVE Details, Exploit-DB, NVD).

Is the Application Using Any Kind of WAF?

WAF presence affects payload strategy and noise tolerance.

Techniques

  • Look for WAF-specific headers or behavior patterns.
  • Fingerprint with tools like wafw00f.
  • Probe for filtering/rate limiting around common payload families.

Authentication?

Authentication flows often expose weak credential handling or logic flaws.

Techniques

  • Discover login/admin portals (/login, /admin, etc.).
  • Check weak/default credential controls.
  • Evaluate MFA/2FA behavior and bypass edge cases.

Objects? (Real-World Entities)

Identify business objects (users, orders, invoices, tickets, projects).

Techniques

  • Enumerate REST/GraphQL endpoints.
  • Inspect JSON schemas and identifiers.
  • Test IDOR/BOLA with parameter tampering (/user/1, /order/45).

Session Establishment

Session handling flaws can lead to hijacking/fixation/account takeover.

Techniques

  • Review cookie flags: Secure, HttpOnly, SameSite.
  • Check token entropy/predictability.
  • Verify tokens are not exposed in URL/referrers/logs.

Handling Special Characters

Input handling determines exposure to injection classes.

Techniques

  • Test characters like ';, ", &, <, > across inputs.
  • Observe error leakage and sanitizer behavior.
  • Use intercepting proxy workflows for coverage.

CSRF Validation

Assess whether state-changing actions are protected against cross-site request forgery.

Techniques

  • Verify anti-CSRF tokens on sensitive requests.
  • Check token binding/rotation and origin checks.
  • Attempt controlled forged requests.

CRUD Operations

Map create/read/update/delete routes and method restrictions.

Techniques

  • Identify CRUD endpoints and hidden variants.
  • Validate HTTP method enforcement (no unsafe GET state changes).
  • Test authorization per action, not just per page.

Functionalities Identification

Hidden or privileged features are high-value targets.

Techniques

  • Hunt admin/debug/backup paths.
  • Review all navigable states and workflow branches.
  • Diff functionality between authenticated contexts.

Multiple User Roles?

Role models often fail at object-level authorization.

Techniques

  • Compare capabilities across roles/accounts.
  • Attempt privilege escalation via role/user parameter tampering.
  • Validate server-side checks for every action.

Is API Used?

APIs frequently expose additional attack surface not visible in UI.

Techniques

  • Enumerate API routes and versions.
  • Test auth, rate limits, schema validation, and object-level access.
  • Check for sensitive debug fields in responses.

Is CORS Implemented?

Misconfigured CORS can enable cross-origin data theft.

Techniques

  • Inspect Access-Control-Allow-Origin and credential settings.
  • Test wildcard/reflective origin behavior.
  • Validate preflight logic consistency.

Is WebSocket Used?

WebSockets add persistent channels with unique auth/message risks.

Techniques

  • Locate ws:// / wss:// endpoints.
  • Inspect handshake auth and token scope.
  • Test unauthorized subscriptions and message tampering.

Is CAPTCHA Used?

CAPTCHA controls can be bypassed if weakly implemented.

Techniques

  • Identify where CAPTCHA is enforced.
  • Check replay resistance and server-side verification.
  • Test whether alternate endpoints bypass CAPTCHA.

What Other Headers is the Application Accepting?

Request/response headers can reveal controls and hidden logic.

Techniques

  • Review security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP).
  • Probe custom headers consumed by backend logic.
  • Test proxy-related headers for trust boundary issues (X-Forwarded-*).
tip

Keep recon output organized (hosts, endpoints, roles, auth flows, headers, findings) to speed up exploitation and reporting.