Web application discovery is a crucial component of penetration testing that involves finding subdomains, virtual hosts, directories, files, and parameters to expand the attack surface.
## Subdomain and Virtual Host Enumeration

Subdomains and virtual hosts can reveal additional entry points into an application's infrastructure. These might host development environments, admin panels, or legacy applications with vulnerabilities.

### Subdomain Enumeration

Subdomains can be discovered through various techniques:

- DNS brute forcing
- Certificate transparency logs
- Public datasets
- Virtual host brute forcing
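Certificate transparency logs are the passive source in the list above: every publicly trusted certificate issued for a domain is logged, and the crt.sh JSON export lists the names each certificate covers. The following parser is an added example, not code from the original page or from any of the tools it names. It assumes the crt.sh record shape (a `common_name` field and a newline-separated `name_value` field); the JSON sample and every hostname in it are constructed for illustration, and the script reads a saved export from a file path if one is given.

```python
import json
import re
import sys
from typing import Iterator

# Constructed sample in the crt.sh JSON shape (assumption: each record carries
# "common_name" and a newline-separated "name_value"). Hostnames are made up.
SAMPLE_CT_JSON = r"""[
  {"issuer_ca_id": 1, "common_name": "example.com",
   "name_value": "example.com\nwww.example.com"},
  {"issuer_ca_id": 1, "common_name": "*.dev.example.com",
   "name_value": "*.dev.example.com\ndev.example.com"},
  {"issuer_ca_id": 2, "common_name": "API.Example.com",
   "name_value": "API.Example.com"},
  {"issuer_ca_id": 2, "common_name": "legacy-admin.example.com.",
   "name_value": "legacy-admin.example.com\nexample.com"},
  {"issuer_ca_id": 3, "common_name": "notexample.com",
   "name_value": "notexample.com\nexample.com.evil.test"}
]"""

# Plain DNS host names, optionally with a leading wildcard label.
HOSTNAME_RE = re.compile(r"^(\*\.)?(?:[a-z0-9-]+\.)+[a-z0-9-]+$")


def _names(ct_json: str) -> Iterator[str]:
    """Yield every name from common_name and name_value, lower-cased and
    without a trailing dot; anything that is not a host name is skipped."""
    for entry in json.loads(ct_json):
        raw = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in raw:
            name = name.strip().lower().rstrip(".")
            if name and HOSTNAME_RE.match(name):
                yield name


def extract_subdomains(ct_json: str, apex: str) -> list[str]:
    """Unique subdomains of `apex`. A wildcard SAN is reduced to the label it
    covers (*.dev.example.com -> dev.example.com), which is itself a host."""
    suffix = "." + apex.lower().rstrip(".")
    found = set()
    for name in _names(ct_json):
        if name.startswith("*."):
            name = name[2:]
        # endswith() on ".apex" keeps look-alikes such as notexample.com out
        if name.endswith(suffix):
            found.add(name)
    return sorted(found)


def wildcard_names(ct_json: str, apex: str) -> list[str]:
    """Wildcard SANs under apex: a sign that many unlisted hosts share one cert
    and that brute forcing below that label may be worthwhile."""
    suffix = "." + apex.lower().rstrip(".")
    return sorted({n for n in _names(ct_json) if n.startswith("*.") and n.endswith(suffix)})


if __name__ == "__main__":
    # Usage: python ct_parse.py <apex> [saved_crtsh_export.json]
    apex = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    data = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CT_JSON
    for host in extract_subdomains(data, apex):
        print(host)
    for wild in wildcard_names(data, apex):
        print("wildcard:", wild)
```

Case folding and trailing-dot stripping matter more than they look: the same host often appears as `API.Example.com` in one certificate and `api.example.com.` in another, and without normalisation the inventory double-counts it. For a defender the same script is an asset-inventory check: any name it returns that is not in the organisation's own DNS records is a host someone issued a certificate for without the infrastructure team knowing.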
## Directory and File Discovery

Directory enumeration helps identify hidden paths, backup files, configuration files, and other sensitive endpoints in web applications.

### Using Gobuster for Directory Discovery

Gobuster is an effective tool for directory brute forcing.

### Using Gobuster for Virtual Host Discovery

## Advanced Web Fuzzing with FFUF

FFUF (Fuzz Faster U Fool) offers more flexibility for web fuzzing tasks, including parameter fuzzing, value fuzzing, and header fuzzing.
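Directory brute forcing (the Gobuster section above) and parameter fuzzing (this section) leave a distinctive pattern on the server side: a burst of requests from one client that are mostly answered with 404, or many different query-parameter names sent against a single path. The following detector is an added example, not code from the original page or from the FFUF or Gobuster projects. It parses Apache/Nginx combined-format access lines and runs over constructed sample traffic; the client addresses, paths and alert thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format request line up to the response size (referer and
# user-agent, if present, are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    # Query-string parameter names only: ?debug=1&id=2 -> ["debug", "id"]
    params = [kv.split("=", 1)[0] for kv in query.split("&") if kv]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "params": params,
        "status": int(m["status"]),
    }


def detect_discovery(lines, window=timedelta(seconds=60), min_requests=20,
                     not_found_ratio=0.7, min_param_names=10):
    """Return alerts for clients whose traffic looks like directory brute
    forcing or parameter fuzzing. Thresholds are illustrative assumptions."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Directory/file brute forcing: within one window, many requests of
        # which most are 404s. Sliding window over the sorted timestamps.
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < min_requests:
                continue
            not_found = sum(r["status"] == 404 for r in burst)
            if not_found / len(burst) >= not_found_ratio:
                alerts.append({"ip": ip, "kind": "directory_bruteforce",
                               "requests": len(burst), "not_found": not_found,
                               "distinct_paths": len({r["path"] for r in burst})})
                break  # one alert per client is enough
        # Parameter discovery: many distinct parameter names against one path.
        names_by_path = defaultdict(set)
        for r in recs:
            names_by_path[r["path"]].update(r["params"])
        for path, names in names_by_path.items():
            if len(names) >= min_param_names:
                alerts.append({"ip": ip, "kind": "parameter_fuzzing",
                               "path": path, "param_names": len(names)})
    return alerts


def constructed_log_lines():
    """Constructed sample traffic (not real logs): one ordinary visitor, one
    directory scanner and one parameter fuzzer, all on documentation IP ranges."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, target, status, size):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} {size}'

    lines = [line("192.0.2.10", 0, "/", 200, 5120),
             line("192.0.2.10", 5, "/about", 200, 3072),
             line("192.0.2.10", 40, "/contact", 200, 2048)]
    words = ["admin", "backup", "config", "old", "test", "dev", "api", "login", "uploads", "tmp"]
    i = 0
    for w in words:
        for ext in ("", ".php", ".bak"):      # 30 requests in 15 seconds
            status = 200 if w + ext in ("admin", "login.php") else 404
            lines.append(line("203.0.113.7", i * 0.5, f"/{w}{ext}", status, 162 if status == 404 else 2048))
            i += 1
    for n, name in enumerate(["debug", "id", "user", "page", "q", "cb", "callback",
                              "redirect", "next", "url", "file", "path"]):
        lines.append(line("198.51.100.9", 30 + n, f"/search?{name}=1", 200, 4096))
    return lines


if __name__ == "__main__":
    for alert in detect_discovery(constructed_log_lines()):
        print(alert)
```

The 404 ratio is the useful signal for directory discovery, not the raw request count, because a busy legitimate client also makes many requests but almost all succeed. The distinct-parameter-name count catches parameter discovery even when every response is 200, which is exactly the case where a 404-based rule stays silent.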
### Directory and Extension Fuzzing

### Targeted File Discovery

### Recursive Fuzzing

### Subdomain Fuzzing

### Parameter Discovery and Fuzzing

### Host Header Fuzzing

### Content Type and JSON Fuzzing

### Multi-Parameter Fuzzing
## Methodology for Comprehensive Discovery

For a thorough web application discovery process, follow this methodology:

1. Initial Enumeration
   - Identify technologies and frameworks using Wappalyzer or similar tools
   - Capture basic site architecture and features
   - Map visible endpoints and functionality
2. Subdomain Discovery
   - Use tools like Subfinder, Amass, or Sublist3r for passive discovery
   - Use Gobuster or FFUF for active brute forcing
   - Check SSL certificates for additional domain information
3. Directory and File Enumeration
   - Use wordlists specific to the identified technologies
   - Adjust extensions based on detected frameworks (.php, .aspx, .jsp, etc.)
   - Look for common sensitive files (.git, .env, backup files, etc.)
4. Parameter Discovery
   - Monitor requests in a proxy like Burp Suite to identify parameters
   - Use FFUF to discover hidden parameters
   - Test for parameter pollution and manipulation
5. Analyze Results and Refine
   - Prioritize findings based on potential impact
   - Customize wordlists based on discovered patterns
   - Perform focused testing on promising endpoints
## Discovery Wordlist Selection

Choosing the right wordlist for discovery is critical:

- Technology-specific wordlists: match your wordlist to the technology stack
- Size vs. speed: larger wordlists are more thorough but slower
- Custom wordlists: create targeted lists based on the application's context
- Recommended sources: SecLists, jhaddix's all.txt, and custom application-specific lists
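The advice in this section and in the methodology's directory-enumeration step (technology-specific extensions, common sensitive files, lists customised from patterns already observed in the application) can be turned into a small wordlist generator. The following is an added example, not from the original page and not part of SecLists, FFUF or Gobuster. The extension-per-technology map, the backup suffixes and the sensitive-file names are assumptions chosen for illustration, and the sample base words and observed paths are constructed; the output is a plain newline-separated list that any of the tools above can read with their wordlist option.

```python
# Assumption: framework names as a fingerprinting tool (e.g. Wappalyzer) reports
# them, mapped to the file extensions that framework typically serves.
TECH_EXTENSIONS = {
    "php": [".php", ".phtml", ".inc"],
    "asp.net": [".aspx", ".ashx", ".asmx"],
    "java": [".jsp", ".do", ".action"],
    "node.js": [".js", ".json"],
    "python": [".py"],
}
# Assumption: typical editor/backup leftovers and sensitive files worth a check.
BACKUP_SUFFIXES = [".bak", ".old", ".orig", "~"]
SENSITIVE_FILES = [".git/HEAD", ".env", ".htaccess", "web.config", "backup.zip", "database.sql"]


def words_from_observed_paths(paths):
    """Derive candidate words from paths already seen in a proxy: each path
    segment becomes a word, numeric IDs are skipped, order of first sight kept."""
    seen, words = set(), []
    for p in paths:
        for seg in p.split("?", 1)[0].split("/"):
            seg = seg.strip()
            if seg and not seg.isdigit() and seg not in seen:
                seen.add(seg)
                words.append(seg)
    return words


def build_wordlist(base_words, technologies, include_backups=True, include_sensitive=True):
    """Expand base words with the extensions of the detected technologies (the
    same idea as the -e / -x extension options of FFUF and Gobuster), optional
    backup variants and common sensitive files. Comments, blank lines and
    duplicates are dropped; order is preserved so the most likely names go first."""
    seen, out = set(), []

    def add(word):
        if word and word not in seen:
            seen.add(word)
            out.append(word)

    extensions = []
    for tech in technologies:
        for ext in TECH_EXTENSIONS.get(tech.lower(), []):
            if ext not in extensions:
                extensions.append(ext)

    for raw in base_words:
        word = raw.strip().strip("/")
        if not word or word.startswith("#"):
            continue
        add(word)
        if include_backups:
            for suffix in BACKUP_SUFFIXES:
                add(word + suffix)
        for ext in extensions:
            add(word + ext)
            if include_backups:
                for suffix in BACKUP_SUFFIXES:
                    add(word + ext + suffix)

    if include_sensitive:
        for name in SENSITIVE_FILES:
            add(name)
    return out


if __name__ == "__main__":
    # Constructed inputs: a short base list plus paths observed while browsing.
    observed = ["/api/v1/users/42", "/api/v1/orders?page=2", "/static/app.js"]
    base = ["admin", "backup", "# comment line", ""] + words_from_observed_paths(observed)
    print("\n".join(build_wordlist(base, ["PHP", "Node.js"])))
```

Redirecting the output to a file and passing it as the wordlist keeps the size-versus-speed trade-off under control: a few hundred context-specific entries built this way usually find more than a generic list of a hundred thousand, and the same generator can be re-run after each round of discovery as new path segments come in.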
By systematically applying these techniques, you can effectively map a web application's attack surface and identify potential entry points for further testing.