01. Information Gathering / Footprinting
Methodology
| Layer | Description | Information Categories |
|---|---|---|
| 1. Internet Presence | Identification of internet presence and externally accessible infrastructure. | Domains, Subdomains, vHosts, ASN, Netblocks, IP Addresses, Cloud Instances, Security Measures |
| 2. Gateway | Identify the possible security measures to protect the company's external and internal infrastructure. | Firewalls, DMZ, IPS/IDS, EDR, Proxies, NAC, Network Segmentation, VPN, Cloudflare |
| 3. Accessible Services | Identify accessible interfaces and services that are hosted externally or internally. | Service Type, Functionality, Configuration, Port, Version, Interface |
| 4. Processes | Identify the internal processes, sources, and destinations associated with the services. | PID, Processed Data, Tasks, Source, Destination |
| 5. Privileges | Identification of the internal permissions and privileges to the accessible services. | Groups, Users, Permissions, Restrictions, Environment |
| 6. OS Setup | Identification of the internal components and systems setup. | OS Type, Patch Level, Network config, OS Environment, Configuration files, sensitive private files |
OWASP reference
| ID | WSTG-ID | Test Name | Objectives | Tools |
|---|---|---|---|---|
| 1.1 | WSTG-INFO-01 | Conduct Search Engine Discovery Reconnaissance for Information Leakage | - Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services). | Google Hacking Shodan Recon-ng |
| 1.2 | WSTG-INFO-02 | Fingerprint Web Server | - Determine the version and type of a running web server to enable further discovery of any known vulnerabilities. | Wappalyzer Nikto |
| 1.3 | WSTG-INFO-03 | Review Webserver Metafiles for Information Leakage | - Identify hidden or obfuscated paths and functionality through the analysis of metadata files (robots.txt, tag, sitemap.xml) - Extract and map other information that could lead to a better understanding of the systems at hand. |
Browser Curl Burpsuite/ZAP |
| 1.4 | WSTG-INFO-04 | Enumerate Applications on Webserver | - Enumerate the applications within the scope that exist on a web server. - Find applications hosted in the webserver (Virtual hosts/Subdomain), non-standard ports, DNS zone transfers |
dnsrecon Nmap |
| 1.5 | WSTG-INFO-05 | Review Webpage Content for Information Leakage | - Review webpage comments, metadata, and redirect bodies to find any information leakage. - Gather JavaScript files and review the JS code to better understand the application and to find any information leakage. - Identify if source map files or other front-end debug files exist. |
Browser Curl Burpsuite/ZAP |
| 1.6 | WSTG-INFO-06 | Identify Application Entry Points | - Identify possible entry and injection points through request and response analysis which covers hidden fields, parameters, methods HTTP header analysis | OWASP ASD Burpsuite/ZAP |
| 1.7 | WSTG-INFO-07 | Map Execution Paths Through Application | - Map the target application and understand the principal workflows. - Use HTTP(s) Proxy Spider/Crawler feature aligned with application walkthrough |
Burpsuite/ZAP |
| 1.8 | WSTG-INFO-08 | Fingerprint Web Application Framework | - Fingerprint the components being used by the web applications. - Find the type of web application framework/CMS from HTTP headers, Cookies, Source code, Specific files and folders, Error message. |
Whatweb Wappalyzer CMSMap |
| 1.9 | WSTG-INFO-09 | Fingerprint Web Application | N/A, This content has been merged into: WSTG-INFO-08 | NA |
| 1.10 | WSTG-INFO-10 | Map Application Architecture | - Understand the architecture of the application and the technologies in use. - Identify application architecture whether on Application and Network components: Applicaton: Web server, CMS, PaaS, Serverless, Microservices, Static storage, Third party services/APIs Network and Security: Reverse proxy, IPS, WAF |
WAFW00F Nmap |