Web Application Reconnaissance Guide, Cybersec | Shubham Dhungana
In this article, I’m going to document about the process to perform web application reconnaissance. Before reading this article, we must keep in mind that this is not the absolute all in one guide for web application reconnaissance. Yet, there are many ways for web application reconnaissance in cyber security. This is just 1 % out of many guide.
Let’s understand this by doing live example
Suppose, we are doing recon on google domain.
Step 1: Subdomain Enumeration
Let’s collect the subdomain of google using open source tools like
i) subfinder (https://github.com/projectdiscovery/subfinder)
cmd: (see the documentation from above subfinder link to download and use it.)
> subfinder -d google.com > subf.txt (It stores result in subf.txt file)
ii) assetfinder (https://github.com/projectdiscovery/subfinder)
cmd: (see the documentation from above assetfinder link to download it.)
> assetfinder -subs-only google.com > ast.txt (It stores result in ast.txt file)
> cat ast.txt subf.txt > subdomains.txt (It stores final total result in subdomains.txt)
Step 2: Filtering Subdomains
We use httpx tool (https://github.com/projectdiscovery/httpx) for filtering live subdomains because the subdomains in the collected result file subdomains.txt may be dead. So we need to check the live subdomains.
> cat subdomains.txt | httpx > liveSubdomains.txt
(It takes the subdomains and filter it via httpx tool and give use live subdomains in liveSubdomains.txt file to do further recon)
Step 3: Gathering Urls
Tools used here:
i) gau (https://github.com/lc/gau)
ii) waybackurls (https://github.com/tomnomnom/waybackurls)
— — — — — — — — — — — — — — — — -
Use this cmd in order:
> cat liveSubdomains.txt | gau | tee gau.txt
> cat liveSubdomains.txt | waybackurls | tee wayback.txt
> cat gau.txt wayback.txt > urls.txt
> cat urls.txt | fff | tee > liveurls.txt
— — — — — — — — — — — — — — — — -
Step 4: Hunting For bugs
gf tool is being used for finding potential vulnerable urls here (https://github.com/tomnomnom/gf)
— — — — — — — — — — — — — -
> cat liveurls.txt | gf ssrf (for testing ssrf)
> cat liveurls.txt | gf rce (for testing ssrf)
> cat liveurls.txt | gf xss (for testing ssrf)
> cat liveurls.txt | gf sqli (for testing ssrf)
Payload link:https://github.com/danielmiessler/SecLists
— — — — — — — — — — — — — — — — —
Yet there are many methods left like manual analysis, performing recon using the main tool i.e. burpsuite, etc.
Summary: All Commands Used
— — — — — — — — — — — — — — — — — — — -
> subfinder -d target.com > subf.txt
> assetfinder -subs-only target.com > ast.txt
> cat subf.txt ast.txt | sort -u | tee subdomains.txt
> cat subdomains.txt | httpx | tee liveSubdomains.txt
> cat liveSubdomains.txt | gau | tee gau.txt
> cat liveSubdomains.txt | waybackurls | tee wayback.txt
> cat gau.txt wayback.txt | sort -u | tee urls.txt
> cat urls.txt | fff | tee liveUrls.txt
> cat liveUrls.txt | gf ssrf | tee ssrf.txt
> cat liveUrls.txt | gf sqli | tee sqli.txt
> cat liveUrls.txt | gf xss | tee xss.txt
> cat liveUrls.txt | gf redirect | tee redirect.txt
— — — — — — — — — — — — — — — — — — —
This is not even 1 percent of recon and analysis of the security of web app system. I may write more in deeper perspective later on.
Thank You,
Shubham Dhungana
Cyber Security Researcher.
