🎯 Lab Objectives

  • Extract headers, cookies, and technology clues with curl
  • Fingerprint web frameworks and CMS platforms with WhatWeb
  • Enumerate hidden directories and files with Gobuster
  • Fuzz parameters and paths with ffuf
  • Run automated vulnerability scans with Nikto
  • Discover virtual hosts on a shared IP address

Step 1 - Manual Recon with curl

Before running automated tools, always manually probe the target. Response headers reveal server software, frameworks, and security misconfigurations.

# Fetch just the headers (-I = HEAD request)
curl -I http://target.com

# Follow redirects and show headers
curl -Lv http://target.com 2>&1 | head -50

# Look for interesting headers:
# Server: Apache/2.4.29         ← exact server version, look it up
# X-Powered-By: PHP/7.2         ← language/runtime and version
# Set-Cookie: PHPSESSID=...     ← PHP session; check whether HttpOnly and Secure are set
# X-Frame-Options: missing      ← clickjacking possible unless a CSP frame-ancestors directive is set
# Strict-Transport-Security: missing ← HTTPS site can be downgraded on first visit

# Check which HTTP methods are allowed (read the Allow header in the reply;
# TRACE, PUT or DELETE being enabled deserves a closer look)
curl -X OPTIONS http://target.com -v

# Test for common misconfigurations
curl http://target.com/robots.txt
curl http://target.com/sitemap.xml
curl http://target.com/.git/HEAD
curl http://target.com/phpinfo.php
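The header checks above are easy to do by eye on one host and tedious on twenty. The script below is an added example, not part of the lab, that reads a raw header block and prints the same findings the comments describe: version disclosure, missing defensive headers, cookie flags and risky methods in Allow. The response it runs on is constructed for the demo, not captured from any real host; in practice you would pipe `curl -sI http://target.com` or the OPTIONS reply into `audit_headers`.

```shell
#!/bin/sh
# Added example (not part of the lab): triage a raw HTTP response header block
# for the clues Step 1 describes. Real use:  curl -sI http://target.com | audit_headers
# The response below is constructed for the demo, not captured from any real host.

SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: remember=1; path=/; HttpOnly; Secure; SameSite=Lax
Allow: GET,POST,OPTIONS,TRACE
Content-Type: text/html; charset=UTF-8'

# header_value NAME: print the value of the first header called NAME (case-insensitive) from stdin
header_value() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# audit_headers: read raw response headers on stdin, print one finding per line
audit_headers() {
    hdrs=$(tr -d '\r')                       # curl keeps the CRLF line endings; drop the CRs

    # 1. Technology/version disclosure: each of these names software and usually a version
    for name in Server X-Powered-By X-AspNet-Version X-Generator; do
        val=$(printf '%s\n' "$hdrs" | header_value "$name")
        [ -n "$val" ] && printf 'DISCLOSURE %s: %s\n' "$name" "$val"
    done

    # 2. Defensive headers that should be present on any HTML application
    for name in Strict-Transport-Security X-Content-Type-Options Content-Security-Policy; do
        printf '%s\n' "$hdrs" | grep -qi "^$name:" || printf 'MISSING %s\n' "$name"
    done
    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive is enough
    if ! printf '%s\n' "$hdrs" | grep -qi '^X-Frame-Options:' &&
       ! printf '%s\n' "$hdrs" | grep -i '^Content-Security-Policy:' | grep -qi 'frame-ancestors'; then
        printf 'MISSING X-Frame-Options (no CSP frame-ancestors either)\n'
    fi

    # 3. Cookie attributes: a session cookie without HttpOnly is readable by XSS,
    #    without Secure it is also sent over plain HTTP
    printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' | while IFS= read -r line; do
        cookie=$(printf '%s' "$line" | cut -d: -f2- | sed 's/^[[:space:]]*//' | cut -d= -f1)
        printf '%s' "$line" | grep -qi 'httponly' || printf 'COOKIE %s lacks HttpOnly\n' "$cookie"
        printf '%s' "$line" | grep -qi 'secure'   || printf 'COOKIE %s lacks Secure\n' "$cookie"
    done

    # 4. Risky methods advertised in the Allow header of an OPTIONS reply
    allow=$(printf '%s\n' "$hdrs" | header_value Allow)
    for m in TRACE PUT DELETE; do
        printf '%s' "$allow" | grep -qw "$m" && printf 'METHOD %s allowed\n' "$m"
    done
    return 0
}

# Demo run on the constructed sample
printf '%s\n' "$SAMPLE_HEADERS" | audit_headers
```

The cookie check only looks at the flags, not at the value: a session cookie that lacks HttpOnly is a finding on its own, since it is what stored XSS would steal. Note also that `curl -I` sends HEAD; a few servers answer HEAD differently from GET or refuse it outright, in which case look at the headers of a normal GET instead.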

Step 2 - Technology Detection with WhatWeb

# Basic scan
whatweb http://target.com

# Verbose output showing all plugins
whatweb -v http://target.com

# Aggression level 3 = aggressive (extra requests per target once something is
# detected); 1 is the stealthy default, 4 is heaviest and noisiest
whatweb -a 3 http://target.com

# Scan multiple targets from a file
whatweb -i targets.txt

# Output to file (WhatWeb has no -o flag; it logs through its --log-* options)
whatweb http://target.com --log-verbose=results.txt

💡 WhatWeb identifies over 1800 web technologies including CMS (WordPress, Joomla, Drupal), programming languages, frameworks, analytics tools, and JavaScript libraries. Each detection, especially one that carries a version number, is a lead: look up known vulnerabilities and default paths for that product before moving on.

Step 3 - Directory Busting with Gobuster

# Basic directory scan
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

# Show only interesting status codes (gobuster 3.1+ refuses -s together with the
# default 404 blacklist, so clear the blacklist with -b "")
gobuster dir -u http://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -s 200,301,302,403 -b "" \
  -t 50

# Add file extensions
gobuster dir -u http://target.com \
  -w /usr/share/wordlists/dirb/common.txt \
  -x php,html,txt,bak,old,zip

# Follow redirects
gobuster dir -u http://target.com -w wordlist.txt -r

# With authentication cookie
gobuster dir -u http://target.com -w wordlist.txt \
  -c "session=abc123; auth=xyz"

# HTTPS with self-signed cert (ignore TLS errors)
gobuster dir -u https://target.com -w wordlist.txt -k

Step 4 - File Extension Fuzzing

# Focus on backup and config files specifically
gobuster dir -u http://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -x php,bak,old,orig,backup,conf,config,xml,json,sql,log,txt

# High-value targets to always check (a 200 only counts if the body is not the
# site's catch-all page, so compare the response size with a known-missing path):
# /backup.zip, /db.sql, /.env, /config.php.bak
# /wp-config.php.bak, /.htaccess, /web.config
curl http://target.com/.env
curl http://target.com/config.php.bak
curl http://target.com/backup.sql

Step 5 - Virtual Host Enumeration

One IP can serve many websites via virtual hosts. Subdomains and vhosts can expose internal apps, staging environments, or admin panels.

# Gobuster vhost mode: sends each word as the Host header and reports replies that
# differ in size from the baseline; gobuster 3.2+ needs --append-domain to turn
# "dev" into "dev.target.com"
gobuster vhost -u http://target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain

# DNS subdomain brute force
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# With custom resolver
gobuster dns -d target.com -w subdomains.txt -r 8.8.8.8

Step 6 - Nikto Web Scanner

Nikto performs comprehensive web server scanning, checking for dangerous files, outdated software, misconfigurations, and known vulnerabilities. It is loud: thousands of requests, easily spotted in logs, so run it only where that is acceptable.

# Basic Nikto scan
nikto -h http://target.com

# Scan HTTPS
nikto -h https://target.com -ssl

# Scan specific port
nikto -h target.com -p 8080

# Save output
nikto -h http://target.com -o nikto_results.txt -Format txt

# Tuning options (run only selected check classes; -Tuning takes a string of digits)
# 1 = Interesting files (seen in logs)
# 2 = Misconfiguration / default files
# 4 = Injection (XSS/script/HTML)
# 9 = SQL injection
nikto -h http://target.com -Tuning 124

Step 7 - ffuf (Fast Web Fuzzer)

ffuf places the FUZZ keyword anywhere in the request: URL path, query or POST parameters, headers (the Host header, for vhost discovery), so one tool covers directory, parameter and credential fuzzing. Its filters (-fs size, -fw words, -fl lines, -fc status) are what make the output usable against apps that answer every path with 200.

# Directory fuzzing (FUZZ is the placeholder)
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Filter out a catch-all page: when every unknown path returns 200 with the same
# body, drop that body size (-fs SIZE, measured by requesting a random path first)
# or let ffuf measure it from random requests with -ac
ffuf -u http://target.com/FUZZ -w wordlist.txt -ac

# Match (show) only these status codes
ffuf -u http://target.com/FUZZ -w wordlist.txt -mc 200,301,302

# Fuzz GET parameter values
ffuf -u "http://target.com/page.php?id=FUZZ" -w numbers.txt

# Fuzz POST data (-fs 1234 stands for the body size of a failed login, measured
# beforehand, so only a different reply is shown; watch for lockouts and rate limits)
ffuf -u http://target.com/login \
  -X POST -d "user=admin&pass=FUZZ" \
  -w /usr/share/wordlists/rockyou.txt \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -fs 1234
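The size filter is the part of directory busting that trips people up, in ffuf and in the Gobuster runs of Steps 3 and 4 alike: an app that answers every unknown path with 200 and a friendly "not found" page makes status-code filtering useless, and the giveaway is that all those replies have the same length. The script below is an added example, not part of the lab, that reproduces what ffuf's -ac does offline: it finds the most common body size among 200 responses and drops those rows. It runs on a constructed csv in ffuf's `-of csv` column layout, not the output of a real scan, and the host in it is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the lab): separate real hits from a catch-all page in
# ffuf output. The csv below is constructed in ffuf's -of csv layout (not from a
# real scan); target.com is a placeholder.

SAMPLE_FFUF_CSV='FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://target.com/admin,,1,200,4521,312,88,text/html,51ms,
backup,http://target.com/backup,,2,200,1337,40,12,text/html,49ms,
images,http://target.com/images,http://target.com/images/,3,301,0,1,1,text/html,47ms,
zzz-not-here,http://target.com/zzz-not-here,,4,200,1337,40,12,text/html,50ms,
old,http://target.com/old,,5,200,1337,40,12,text/html,52ms,
.env,http://target.com/.env,,6,403,278,20,10,text/html,48ms,
uploads,http://target.com/uploads,,7,200,1337,40,12,text/html,50ms,'

# baseline_size: the most common content_length among 200 responses on stdin.
# With a catch-all page that is its size; against a server with a real 404 handler
# it is simply the size of whichever page repeats most, so sanity-check the value.
baseline_size() {
    awk -F, 'NR > 1 && $5 == 200 { count[$6]++ }
             END { best = ""; for (s in count) if (best == "" || count[s] > count[best]) best = s; print best }'
}

# filter_soft404 SIZE: drop 200 rows whose length equals SIZE; print "status length url" for the rest
filter_soft404() {
    awk -F, -v base="$1" 'NR > 1 && !($5 == 200 && $6 == base) { print $5, $6, $2 }'
}

# triage: run both steps over the sample and print what is left to look at
triage() {
    base=$(printf '%s\n' "$SAMPLE_FFUF_CSV" | baseline_size)
    printf '%s\n' "$SAMPLE_FFUF_CSV" | filter_soft404 "$base"
}

triage
```

What survives is the real admin page, a redirect to a directory that exists, and a 403 on /.env, which says the file is there even though you cannot read it yet. With live output, write the scan with `ffuf ... -o out.csv -of csv` and feed the file to the two functions; Gobuster offers `--exclude-length` for the same purpose once you know the catch-all size.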

Step 8 - robots.txt & Sitemaps

# Always check these first โ€” devs often hide interesting paths here
curl http://target.com/robots.txt
curl http://target.com/sitemap.xml
curl http://target.com/sitemap_index.xml

# Common disallowed paths in robots.txt:
# /admin, /backend, /private, /backup, /old, /test, /staging

# Old versions of pages: Google's cache: search operator has been retired, so use
# the Wayback Machine (web.archive.org) for archived copies and paths that were later removed

Step 9 - Source Code Review

# View page source in browser: Ctrl+U
# Or with curl (HTML comments start with <!--; also grep for developer leftovers):
curl -s http://target.com | grep -i "<!--\|TODO\|password\|api_key\|secret"

# Extract all links from a page
curl -s http://target.com | grep -oP 'href="[^"]*"'

# Find JavaScript files (often contain API keys, endpoints)
curl -s http://target.com | grep -oP 'src="[^"]*\.js"'

# Download and analyse JS files
curl -s http://target.com/app.js | grep -i "api\|key\|token\|secret\|password"

# Check if the .git directory is exposed (huge find: full source history, often with credentials in it)
curl http://target.com/.git/HEAD
# If you get "ref: refs/heads/main" (or master), use git-dumper to pull the objects and rebuild the tree
pip3 install git-dumper
git-dumper http://target.com/.git ./source
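The greps above miss single-quoted attributes and leave you with relative paths. The script below is an added example, not part of the lab, that does the same job a little more carefully: it pulls every href and src out of a page in either quote style, turns them into absolute URLs you can feed straight back into curl or ffuf, lists HTML comments, and scans a script for credential-looking assignments. The page and script it runs on are constructed for the demo; target.com, cdn.example.net and the keys in them are placeholders, not real sites or secrets.

```shell
#!/bin/sh
# Added example (not part of the lab): extract references, comments and hard-coded
# secrets from a page. The HTML and JS below are constructed for the demo; the
# hostnames and key values are placeholders.

SAMPLE_HTML=$(cat <<'EOF'
<html><head>
<script src="/static/app.js"></script>
<script src='//cdn.example.net/lib/vendor.js'></script>
<!-- TODO: remove /old-admin before launch -->
</head><body>
<a href="/login">Login</a>
<a href='../backup/'>archive</a>
<a href="https://api.target.com/v1/docs">API docs</a>
<a href="mailto:root@target.com">contact</a>
</body></html>
EOF
)

SAMPLE_JS=$(cat <<'EOF'
// app.js (constructed)
const API_BASE = "https://api.target.com/v1";
var apiKey = "sk_live_0123456789abcdef";
function login(u, p) { return fetch(API_BASE + "/auth", { method: "POST" }); }
// legacy: password = 'hunter2-temp'
EOF
)

# extract_refs BASE_URL: print absolute URLs for every href/src in the HTML on stdin
extract_refs() {
    base=$1
    origin=$(printf '%s' "$base" | sed -E 's#^(https?://[^/]+).*#\1#')   # scheme://host
    scheme=${origin%%:*}
    dir=${base%/*}/                                                      # base minus its last segment
    case "$dir" in "$origin"/*) ;; *) dir="$origin/" ;; esac             # base had no path at all
    pat="(href|src)=(\"[^\"]*\"|'[^']*')"
    grep -oE "$pat" \
      | sed -E 's/^(href|src)=.(.*).$/\2/' \
      | grep -vE '^(mailto:|javascript:|#|$)' \
      | while IFS= read -r ref; do
            case "$ref" in
                http://*|https://*) printf '%s\n' "$ref" ;;                # already absolute
                //*)                printf '%s:%s\n' "$scheme" "$ref" ;;   # protocol-relative
                /*)                 printf '%s%s\n' "$origin" "$ref" ;;    # root-relative
                *)                  printf '%s%s\n' "$dir" "$ref" ;;       # relative to base dir
            esac
        done | sort -u
}

# find_comments: print HTML comments (single-line ones; multi-line comments need a real parser)
find_comments() {
    grep -oE '<!--.*-->'
}

# find_secrets: print credential-looking assignments and AWS access key IDs from stdin
find_secrets() {
    grep -oiE "(api[_-]?key|secret|token|passw(or)?d)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{6,}['\"]|AKIA[0-9A-Z]{16}"
}

printf '%s\n' "$SAMPLE_HTML" | extract_refs http://target.com/app/
printf '%s\n' "$SAMPLE_HTML" | find_comments
printf '%s\n' "$SAMPLE_JS"   | find_secrets
```

Against a live page, `curl -s http://target.com/ | extract_refs http://target.com/` gives you a list of in-scope hosts and paths (api.target.com above is exactly the kind of host you would add to the vhost list from Step 5), and `find_secrets` is worth running over every JavaScript file the page references. The relative-path handling deliberately does not normalise `..`, so read the output with that in mind.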

📋 Web Recon Cheat Sheet

Tool            Use case                      Key command
curl            Headers & manual probing      curl -Iv http://target.com
WhatWeb         Tech fingerprinting           whatweb -v http://target.com
Gobuster dir    Directory enumeration         gobuster dir -u URL -w wordlist
Gobuster dns    Subdomain brute force         gobuster dns -d domain -w wordlist
Gobuster vhost  Virtual host enum             gobuster vhost -u URL -w wordlist
Nikto           Vulnerability scanning        nikto -h http://target.com
ffuf            Fast fuzzing (any position)   ffuf -u URL/FUZZ -w wordlist
git-dumper      Extract exposed .git          git-dumper URL/.git ./out
✅ Lab Complete! You've mapped the attack surface of a web application: headers, technologies, directories, files, virtual hosts and exposed source. Now move on to SQL Injection to start exploiting what you've found.