This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com.

Information Gathering & Reconnaissance

Web Apps Fingerprinting

Purpose

Fingerprinting identifies the technologies and configurations a web app uses. This guides further testing and helps focus effort on known weaknesses of those components.


HTTP Response Fingerprinting

Identify servers, frameworks, and technologies via headers.

nmap --script http-headers <target>
whatweb -v <target_url>
echo <domain> | httpx -title -server -tech-detect -status-code
nuclei -u <target_url> -t technologies/

Common headers: Server, X-Powered-By, X-AspNet-Version, X-Generator.
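The same header check in code, as an added example that is not part of this guide: it parses a raw HTTP response and reports which of the four headers listed above are present, so the check can be run against your own site to confirm they have been removed or genericised. The sample response and the header descriptions are constructed for the example.

```python
"""Flag technology-disclosing HTTP response headers.

Added example, not part of the original guide. Parses a raw HTTP response
and reports which headers leak server, framework or runtime details.
"""
from typing import Dict, List

# The four headers named in the guide; the descriptions are this example's own.
DISCLOSURE_HEADERS = {
    "server": "web server product and version",
    "x-powered-by": "application framework or language runtime",
    "x-aspnet-version": "ASP.NET runtime version",
    "x-generator": "CMS or site generator",
}


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response.

    Header names are lower-cased; the status line and body are ignored.
    Both CRLF and bare LF line endings are accepted.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_headers(raw_response: str) -> List[dict]:
    """Return one finding per disclosing header present in the response."""
    headers = parse_headers(raw_response)
    return [
        {"header": name, "value": headers[name], "discloses": meaning}
        for name, meaning in DISCLOSURE_HEADERS.items()
        if name in headers
    ]


# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for finding in fingerprint_headers(SAMPLE_RESPONSE):
        print(f"{finding['header']}: {finding['value']}  ({finding['discloses']})")
```

An empty result for a site you operate means the headers are either absent or not in this list; a non-empty result gives you the exact value an outside observer sees.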


Error-Message & Database Fingerprinting

Detect databases and errors to identify backends and injection points.

sqlmap -u "https://<target>/page.php?id=1" --batch --fingerprint
nuclei -u <target_url> -t vulnerabilities/sql/
nuclei -u <target_url> -t exposures/logs/sql-errors.yaml

Error message patterns:

  • MySQL → You have an error in your SQL syntax

  • PostgreSQL → ERROR: syntax error

  • MSSQL → Microsoft OLE DB Provider

  • Oracle → ORA-00942
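The patterns above turned into a small classifier, as an added example that is not part of this guide: it runs over constructed response bodies the way a detection rule or a self-audit would look for verbose database errors reaching the client. It goes slightly beyond the list by matching any ORA-nnnnn code rather than only ORA-00942; the sample URLs and bodies are made up.

```python
"""Classify leaked database error messages by backend.

Added example, not part of the original guide. The signatures are the
guide's four error-message patterns; the regex wording is this example's.
"""
import re
from typing import List, Optional, Tuple

# The Oracle rule is generalised from the guide's ORA-00942 to any ORA-nnnnn code.
DB_ERROR_SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    ("MySQL", re.compile(r"You have an error in your SQL syntax", re.I)),
    ("PostgreSQL", re.compile(r"\bERROR:\s+syntax error", re.I)),
    ("MSSQL", re.compile(r"Microsoft OLE DB Provider", re.I)),
    ("Oracle", re.compile(r"\bORA-\d{5}\b")),
]


def classify_db_error(text: str) -> Optional[str]:
    """Return the backend whose signature appears in text, or None."""
    for backend, pattern in DB_ERROR_SIGNATURES:
        if pattern.search(text):
            return backend
    return None


def scan_responses(responses: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Map (url, body) pairs to (url, backend) for every body that leaks an error."""
    hits = []
    for url, body in responses:
        backend = classify_db_error(body)
        if backend is not None:
            hits.append((url, backend))
    return hits


# Constructed sample bodies (hostname and text are made up for this example).
SAMPLE_RESPONSES = [
    ("https://example.test/page.php?id=1'",
     "Warning: mysqli_query(): You have an error in your SQL syntax; check the "
     "manual that corresponds to your MySQL server version"),
    ("https://example.test/report?q=x",
     "ERROR:  syntax error at or near \"x\" LINE 1: SELECT * FROM reports"),
    ("https://example.test/search.asp?term=y",
     "Microsoft OLE DB Provider for SQL Server error '80040e14'"),
    ("https://example.test/item?ref=z",
     "java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist"),
    ("https://example.test/healthy",
     "<html><body>No results found.</body></html>"),
]

if __name__ == "__main__":
    for url, backend in scan_responses(SAMPLE_RESPONSES):
        print(f"{backend:<11} {url}")
```

The same signature list can be pointed at application logs or a WAF's response-inspection rule; any hit means raw database errors are being returned to users and should be replaced by a generic error page.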


Technology Stack Identification

Discover all technologies in use: frontend, backend, CMS, and libraries.

# Wappalyzer CLI
wappalyzer <target_url>

# Nuclei for detailed detection
nuclei -u <target_url> -t technologies/ -o tech_results.txt

Directory & File Enumeration

Find hidden paths, admin panels, configs, and backups.

gobuster dir -u https://<target> -w <wordlist> -x php,asp,html
ffuf -w <wordlist> -u https://<target>/FUZZ -e .php,.html
feroxbuster -u https://<target> -w <wordlist> -x php,html -t 200

Targets often include /admin, /backup, .env, or exposed .git.


Backup / Configuration Exposure

Look for misconfigured or exposed sensitive files.

curl -s https://<target>/.env
curl -s https://<target>/config.php
nuclei -u <target_url> -t exposures/configs/

Exposed repos: .git/HEAD, .svn/entries.
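A triage step for the two sections above (directory enumeration and exposed files), as an added example that is not part of this guide. Enumeration tools report a hit on HTTP status alone, which is noisy when a site answers 200 for every path, so this compares each candidate body with a baseline response for a path that cannot exist, then applies a content check for the sensitive files named above (.env, .git/HEAD, .svn/entries). All responses are constructed; only the path names come from the guide.

```python
"""Triage directory-enumeration hits against a soft-404 baseline.

Added example, not part of the original guide. Status codes alone cannot
distinguish a real file from a catch-all page, so each hit is compared
with a baseline body and, for known sensitive paths, checked for the
content shape a real file would have.
"""
import re
from difflib import SequenceMatcher
from typing import List, Tuple

Response = Tuple[str, int, str]  # (path, status, body)

# Content shapes that distinguish a real file from a catch-all page (assumed).
CONTENT_CHECKS = {
    ".env": re.compile(r"^[A-Z_][A-Z0-9_]*=.*$", re.M),      # KEY=value lines
    ".git/HEAD": re.compile(r"^(ref: refs/|[0-9a-f]{40})"),  # ref pointer or commit id
    ".svn/entries": re.compile(r"^\d+\s*$", re.M),           # format version line
}


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical bodies."""
    return SequenceMatcher(None, a, b).ratio()


def classify_hit(resp: Response, baseline_body: str, threshold: float = 0.9) -> str:
    """Return 'not-found', 'soft-404', 'exposed' or 'review' for one hit."""
    path, status, body = resp
    if status in (404, 410):
        return "not-found"
    if status == 200 and similarity(body, baseline_body) >= threshold:
        return "soft-404"  # the page the server returns for anything
    for suffix, pattern in CONTENT_CHECKS.items():
        if path.endswith(suffix):
            return "exposed" if pattern.search(body) else "review"
    return "review"  # e.g. a live /admin page: needs a human look


def triage(hits: List[Response], baseline_body: str) -> List[Tuple[str, str]]:
    """Label every hit; baseline_body is the response for a random non-existent path."""
    return [(hit[0], classify_hit(hit, baseline_body)) for hit in hits]


# Constructed catch-all page and enumeration results (no real host involved).
CATCHALL = ("<html><head><title>Example</title></head><body><h1>Welcome</h1>"
            "<p>Page not found, redirecting home.</p></body></html>")
SAMPLE_HITS: List[Response] = [
    ("/this-path-does-not-exist-7f3a", 200, CATCHALL),          # the baseline probe
    ("/backup", 200, CATCHALL.replace("Welcome", "Welcome ")),  # near-identical copy
    ("/.env", 200, "APP_ENV=production\nDB_PASSWORD=example-only\n"),
    ("/.git/HEAD", 200, "ref: refs/heads/main\n"),
    ("/.svn/entries", 200, CATCHALL),                           # 200 but just the catch-all
    ("/admin", 200, "<html><body><form action='/admin/login'>...</form></body></html>"),
    ("/config.php", 404, "Not Found"),
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_HITS, CATCHALL):
        print(f"{label:<10} {path}")
```

Fetch the baseline by requesting a long random path first; everything that matches it can be dropped before any manual review, and only the "exposed" rows need an immediate fix (remove the file, deny dot-prefixed paths in the web server).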


Source-Code / Client-Side Analysis

Check for secrets, endpoints, and source maps in JS or HTML.

curl -s <url> | grep -oE 'src="[^"]*\.js"' | cut -d'"' -f2
curl -s <url>/app.js | grep -E "(api|key|token|password|secret)"
curl -s <url>/app.js | grep "sourceMappingURL"

Links and API endpoints can also be extracted from HTML.
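The curl/grep one-liners above as a small parser, added here as an example that is not part of this guide: it uses Python's html.parser to collect script tags, then regexes for source-map comments, API-style paths and secret-looking assignments, and masks any secret value it reports. The page, the script contents and the regex syntax around the guide's keywords are all assumptions for the example.

```python
"""Extract script references, source maps, endpoints and secret-looking
assignments from HTML and JavaScript.

Added example, not part of the original guide. Inline scripts and the
contents of referenced script files are both scanned; reported secret
values are masked so the output does not re-leak them.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


# Keywords are the ones the guide greps for; the surrounding syntax is assumed.
SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|token|password|secret)\b\s*[:=]\s*["']([^"']{8,})["']"""
)
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
ENDPOINT_RE = re.compile(r"""["'](/(?:api|v\d+)/[A-Za-z0-9_./-]*)["']""")


def mask(value: str) -> str:
    """Keep only the first four characters so a report does not re-leak the value."""
    return value[:4] + "*" * (len(value) - 4)


def analyse_client_side(html: str, js_files: Dict[str, str]) -> Dict[str, list]:
    """Analyse a page plus the JS files it references.

    js_files maps a script URL to its content (fetched separately in practice,
    constructed here); inline scripts are taken from the HTML itself.
    """
    collector = ScriptCollector()
    collector.feed(html)
    corpus = list(collector.inline) + [js_files.get(src, "") for src in collector.sources]
    text = "\n".join(corpus)
    return {
        "scripts": collector.sources,
        "source_maps": SOURCEMAP_RE.findall(text),
        "endpoints": sorted(set(ENDPOINT_RE.findall(text))),
        "secrets": [(name, mask(value)) for name, value in SECRET_RE.findall(text)],
    }


# Constructed page and script content for the example.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.API_BASE = "/api/v1";</script>
</head><body>Hello</body></html>"""

SAMPLE_JS = {
    "/static/app.js": (
        'const API_KEY = "sk_test_EXAMPLEONLY0123456789";\n'
        'fetch("/api/v1/users").then(r => r.json());\n'
        '//# sourceMappingURL=app.js.map\n'
    ),
}

if __name__ == "__main__":
    for key, items in analyse_client_side(SAMPLE_HTML, SAMPLE_JS).items():
        print(key, items)
```

A source-map hit means the unminified source (and often comments) is downloadable; a secret hit should be treated as compromised and rotated, since anything shipped to the browser is public.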


Subdomain Enumeration

Expand scope by finding related subdomains.

# Passive
subfinder -d <domain> -o subdomains.txt

# Active brute force
gobuster dns -d <domain> -w <subdomains-list> -t 50

Content & API Discovery

Locate hidden content, endpoints, and API docs.

echo <target> | hakrawler
gospider -s <target> -c 10 -d 3

# API endpoints and docs
curl -s https://<target>/swagger-ui/
curl -s https://<target>/openapi.json
nuclei -u <target_url> -t exposures/apis/graphql.yaml
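What to do with an openapi.json once it is found, as an added example that is not part of this guide: the document is a complete inventory of the API, so this lists every operation and flags the ones that require no credential, applying the OpenAPI 3 rule that an operation-level "security": [] cancels the global requirement. The specification below is constructed for the example.

```python
"""List the operations an OpenAPI document exposes and flag the ones
that require no authentication.

Added example, not part of the original guide. Uses only the standard
library; the sample document is constructed.
"""
import json
from typing import List, Tuple

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head", "trace"}


def list_operations(openapi_json: str) -> List[Tuple[str, str, bool]]:
    """Return (METHOD, path, requires_auth) for every operation in the document."""
    spec = json.loads(openapi_json)
    global_secured = bool(spec.get("security"))
    operations = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', x-extensions, ...
            if "security" in op:
                secured = bool(op["security"])  # an explicit [] means "no auth"
            else:
                secured = global_secured
            operations.append((method.upper(), path, secured))
    return operations


def unauthenticated_operations(openapi_json: str) -> List[Tuple[str, str]]:
    """The subset of operations callable without any credential."""
    return [(m, p) for m, p, secured in list_operations(openapi_json) if not secured]


# Constructed specification: one deliberately unauthenticated export endpoint.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0"},
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": [], "summary": "liveness"}},
        "/login": {"post": {"security": [], "summary": "issue token"}},
        "/users": {
            "parameters": [{"name": "page", "in": "query"}],
            "get": {"summary": "list users"},
            "post": {"summary": "create user"},
        },
        "/users/{id}/export": {"get": {"summary": "export", "security": []}},
    },
})

if __name__ == "__main__":
    for method, path, secured in list_operations(SAMPLE_OPENAPI):
        print(f"{method:<6} {path:<22} {'auth' if secured else 'OPEN'}")
```

Health and login endpoints are expected to be open; an export endpoint without a security requirement is the kind of finding this listing surfaces immediately, and the same check belongs in CI so the published document stays in line with what the API actually enforces.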

Third-Party Services (CDN, Auth, Payment)

Check integrations like CDNs, OAuth providers, and payment gateways.

dig <domain>
curl -I <domain> | grep -i "server\|via\|x-cache"
curl -s <target> | grep -i "auth0\|okta\|azure\|oauth"
curl -s <target> | grep -i "stripe\|paypal\|shopify"
