Web Reconnaissance

Web Apps Fingerprinting

Purpose

Fingerprinting finds what technologies and configurations a web app is using. This guides testing and helps focus on known weaknesses.

HTTP Response Fingerprinting

Identify servers, frameworks, and technologies via headers.

nmap --script http-headers <target>
whatweb -v <target_url>
echo <domain> | httpx -title -server -tech-detect -status-code
nuclei -u <target_url> -t technologies/

Common headers: Server, X-Powered-By, X-AspNet-Version, X-Generator.

Error-Message & Database Fingerprinting

Detect databases and errors to identify backends and injection points.

sqlmap -u "https://<target>/page.php?id=1" --batch --fingerprint
nuclei -u <target_url> -t vulnerabilities/sql/
nuclei -u <target_url> -t exposures/logs/sql-errors.yaml

Error message pattern:

MySQL → You have an error in your SQL syntax
PostgreSQL → ERROR: syntax error
MSSQL → Microsoft OLE DB Provider
Oracle → ORA-00942

Technology Stack Identification

Discover all technologies in use: frontend, backend, CMS, and libraries.

# Wappalyzer CLI
wappalyzer <target_url>

# Nuclei for detailed detection
nuclei -u <target_url> -t technologies/ -o tech_results.txt

Directory & File Enumeration

Find hidden paths, admin panels, configs, and backups.

gobuster dir -u https://<target> -w <wordlist> -x php,asp,html
ffuf -w <wordlist>:FUZZ -u https://<target>/FUZZ -e .php,.html
feroxbuster -u https://<target> -w <wordlist> -x php,html -t 200

Source-Code / Client-Side Analysis

Check for secrets, endpoints, and source maps in JS or HTML.

curl -s <url> | grep -oE 'src="[^"]*\.js"' | cut -d'"' -f2
curl -s <url>/app.js | grep -E "(api|key|token|password|secret)"
curl -s <url>/app.js | grep "sourceMappingURL"

Links and API endpoints can also be extracted from HTML.

Subdomain Enumeration

Expand scope by finding related subdomains.

# Passive
subfinder -d <domain> -o subdomains.txt
assetfinder <domain> | sort -u > subdomains.txt
amass enum -d <domain>

# Alive websites
cat subdomains.txt | httprobe > alive-subdomains.txt

# Want screenshots?
gowitness file -f alive-subdomains.txt -P <OutputDir> --no-http # Optional of only HTTPS

# Active brute force
gobuster dns -d <domain> -w <subdomains-list> -t 50

Content & API Discovery

Locate hidden content, endpoints, and API docs.

echo <target> | hakrawler
gospider -s <target> -c 10 -d 3

# API endpoints and docs
curl -s https://<target>/swagger-ui/
curl -s https://<target>/openapi.json
nuclei -u <target_url> -t exposures/apis/graphql.yaml

Third-Party Services (CDN, Auth, Payment)

Check integrations like CDNs, OAuth providers, and payment gateways.

dig <domain>
curl -I <domain> | grep -i "server\|via\|x-cache"
curl -s <target> | grep -i "auth0\|okta\|azure\|oauth"
curl -s <target> | grep -i "stripe\|paypal\|shopify"

PreviousWeb Application Methodology NextGoogle Dorking

Last updated 2 months ago

Was this helpful?

Good afternoon

hashtagWeb Apps Fingerprinting

hashtagPurpose

hashtagHTTP Response Fingerprinting

hashtagError-Message & Database Fingerprinting

hashtagTechnology Stack Identification

hashtagDirectory & File Enumeration

hashtagSource-Code / Client-Side Analysis

hashtagSubdomain Enumeration

hashtagContent & API Discovery

hashtagThird-Party Services (CDN, Auth, Payment)