
Web Application Analysis

Table of Contents


Information Gathering

Quick Check (One-liner)

# Quick web recon
# Aggressive (-a 3) whatweb fingerprint first; gobuster's quiet (-q) directory
# scan with the seclists common wordlist only runs if whatweb exits 0 (&&).
# $rhost (and $domain/$ns elsewhere in this sheet) is unquoted — quote it if a
# value could ever contain shell metacharacters.
whatweb -a 3 http://$rhost && gobuster dir -u http://$rhost -w /usr/share/seclists/Discovery/Web-Content/common.txt -q

DNS Enumeration

Basic DNS Queries

# Basic record lookups. $domain is the zone, $ns a nameserver to ask directly:
# dig's "@$ns" bypasses the system resolver, nslookup without a server
# argument uses it. Comparing answers from $ns with a public resolver helps
# spot split-horizon or stale records.
# A record
nslookup $domain
nslookup -query=A $domain
dig $domain @$ns
dig a $domain @$ns

# AAAA record (IPv6)
dig aaaa $domain @$ns

# Any record
# NOTE(review): many servers answer ANY with a minimal response (RFC 8482),
# so a short reply here does not prove the zone holds no other records.
nslookup -query=ANY $domain
dig any $domain @$ns

# MX record (mail)
nslookup -query=MX $domain
dig mx $domain @$ns

# TXT record
nslookup -query=TXT $domain
dig txt $domain @$ns

# NS record (nameserver)
dig ns $domain @$ns

# SOA record
dig soa $domain @$ns

# PTR record (reverse)
# dig -x takes the IP in $rhost and builds the in-addr.arpa / ip6.arpa name.
nslookup -query=PTR $rhost
dig -x $rhost @$ns

Zone Transfer

# Zone transfer (AXFR): each line asks $ns to hand over the whole zone. An
# authoritative server should only accept this from its secondaries, so a
# successful transfer is itself a misconfiguration finding.
dig axfr $domain @$ns
# NOTE(review): -type and -query are the same nslookup option, so the later
# -query=AXFR takes effect and -type=any is redundant.
nslookup -type=any -query=AXFR $domain $ns
host -t axfr $domain $ns

DNSRecon

# dnsrecon: -d target domain, -t scan type (axfr = zone transfer attempt,
# std = standard record enumeration, brt = brute force using the -D wordlist).
# /path/to/wordlist is a placeholder.
dnsrecon -d $domain
dnsrecon -d $domain -t axfr
dnsrecon -d $domain -t std
dnsrecon -d $domain -D /path/to/wordlist -t brt

DNSEnum

# dnsenum: the second form queries $ns directly (--dnsserver) and brute
# forces subdomains from the -f wordlist (placeholder path).
dnsenum $domain
dnsenum --dnsserver $ns -f /path/to/wordlist $domain

Fierce

# fierce: --dns-servers sends lookups to $ns instead of the system resolver.
fierce --domain $domain
fierce --domain $domain --dns-servers $ns

Subdomain Enumeration

Passive Enumeration

# Certificate Transparency
# %25 is a URL-encoded "%", crt.sh's wildcard, so this matches every logged
# certificate for *.$domain; jq pulls the name_value field and sort -u dedups.
# Needs jq; if crt.sh answers with something other than JSON (e.g. when
# rate limiting) jq will fail to parse it.
curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | sort -u

# Subfinder
# -o writes results to a file in addition to stdout.
subfinder -d $domain
subfinder -d $domain -o subdomains.txt

# Amass
# -passive uses third-party data sources only (no direct queries against the
# target); -brute adds wordlist-based resolution from -w.
amass enum -d $domain
amass enum -passive -d $domain
amass enum -brute -d $domain -w /path/to/wordlist

# theHarvester
# -b selects data sources: "all" queries every configured source, the second
# form limits it to google, bing and crtsh.
theHarvester -d $domain -b all
theHarvester -d $domain -b google,bing,crtsh

Active Enumeration

# Gobuster DNS
# Resolves each wordlist entry as <word>.$domain and prints those that answer.
gobuster dns -d $domain -w /path/to/wordlist
gobuster dns -d $domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# FFuF
# FUZZ is replaced by each wordlist entry. -ac auto-calibrates the filters
# from baseline responses; -mc keeps only the listed status codes.
ffuf -w /path/to/wordlist -u http://FUZZ.$domain -ac
ffuf -w /path/to/wordlist -u http://FUZZ.$domain -mc 200,301,302

# Massdns
# Bulk-resolves the names in subdomains.txt (e.g. the subfinder output above)
# through the resolvers in resolvers.txt: -t A record type, -o S simple text
# output, -w results file.
massdns -r resolvers.txt -t A -o S subdomains.txt -w results.txt

Virtual Host Discovery

# FFuF
# Every request goes to the same $rhost; only the Host header changes, so
# responses that differ from the default vhost reveal name-based virtual
# hosts. -ac auto-calibrates; -fs 185 / -fw 10 drop responses of that byte
# size / word count. 185 and 10 are the author's observed default-vhost
# baseline — measure your own (e.g. with the curl line below) before filtering.
ffuf -w /path/to/wordlist -u http://$rhost -H "Host: FUZZ.$domain" -ac
ffuf -w /path/to/wordlist -u http://$rhost -H "Host: FUZZ.$domain" -fs 185
ffuf -w /path/to/wordlist -u http://$rhost -H "Host: FUZZ.$domain" -fw 10

# Gobuster
# --append-domain appends the host part of -u to each wordlist entry, so for
# that form -u should carry the domain name rather than a bare IP.
gobuster vhost -u http://$rhost -w /path/to/wordlist
gobuster vhost -u http://$rhost -w /path/to/wordlist --append-domain

# cURL
# Manual single-vhost check; also a quick way to capture the baseline size
# and word count used by the -fs/-fw filters above.
curl -s http://$rhost -H "Host: dev.$domain"

Directory Enumeration

Gobuster

# gobuster dir: -x appends the listed extensions to every word (no leading
# dot), -t 50 sets the thread count, -e prints full URLs, -k skips TLS
# certificate verification (only relevant for https targets), -b hides
# responses with the listed status codes.
gobuster dir -u http://$rhost -w /path/to/wordlist
gobuster dir -u http://$rhost -w /path/to/wordlist -x php,txt,html
gobuster dir -u http://$rhost -w /path/to/wordlist -t 50 -e -k
gobuster dir -u http://$rhost -w /path/to/wordlist -b 403,404

FFuF

# ffuf dir: FUZZ is the path segment. -ac auto-calibrates filters; -e adds
# extensions (with leading dots, unlike gobuster -x); -mc keeps only the
# listed status codes, -fc hides them; -recursion re-fuzzes discovered
# directories down to -recursion-depth levels.
ffuf -w /path/to/wordlist -u http://$rhost/FUZZ -ac
ffuf -w /path/to/wordlist -u http://$rhost/FUZZ -e .php,.txt,.html
ffuf -w /path/to/wordlist -u http://$rhost/FUZZ -mc 200,301,302,403
ffuf -w /path/to/wordlist -u http://$rhost/FUZZ -fc 404
ffuf -w /path/to/wordlist -u http://$rhost/FUZZ -recursion -recursion-depth 2

Feroxbuster

# feroxbuster recurses into discovered directories on its own; --depth 3 caps
# that recursion, -x adds extensions (no leading dot).
feroxbuster -u http://$rhost -w /path/to/wordlist
feroxbuster -u http://$rhost -w /path/to/wordlist -x php,txt
feroxbuster -u http://$rhost -w /path/to/wordlist --depth 3

Dirsearch

# dirsearch uses its bundled wordlist unless -w is given; -e lists extensions.
dirsearch -u http://$rhost
dirsearch -u http://$rhost -e php,txt,html
dirsearch -u http://$rhost -w /path/to/wordlist

Common Wordlists

/usr/share/wordlists/dirb/common.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

Technology Fingerprinting

WhatWeb

# whatweb: -v prints verbose per-plugin output; -a sets the aggression level
# (1 = stealthy single request, 3 = aggressive, sends extra probe requests).
whatweb http://$rhost
whatweb -v http://$rhost
whatweb -a 3 http://$rhost  # Aggressive mode

HTTP Headers

# -I sends a HEAD request and prints only the response headers.
curl -I http://$rhost
# Keeps the three headers that most often disclose the stack; from the
# defender's side these are the first headers to strip. NOTE(review): "\|"
# alternation in a basic regex is a GNU grep extension — use
# grep -Ei 'server|x-powered-by|x-aspnet' where portability matters.
curl -s -I http://$rhost | grep -i "server\|x-powered-by\|x-aspnet"

WAF Detection

# wafw00f sends probe requests and matches the responses against WAF
# signatures; -a keeps testing after the first match instead of stopping.
wafw00f http://$rhost
wafw00f -a http://$rhost  # Check all WAFs

Nikto

# nikto: -h is the target host/URL. -Tuning x inverts the tuning selection;
# with no other categories listed it presumably runs every check category —
# confirm against `nikto -H` for the installed version.
nikto -h http://$rhost
nikto -h http://$rhost -Tuning x

Crawling & Scraping

# Hakrawler
# Reads start URLs from stdin; -d 2 limits crawl depth.
echo http://$rhost | hakrawler
echo http://$rhost | hakrawler -d 2

# GoSpider
# -s site to crawl, -d depth, -o output directory.
gospider -s http://$rhost
gospider -s http://$rhost -d 2 -o output

# Katana
# -u target, -d depth, -o output file.
katana -u http://$rhost
katana -u http://$rhost -d 3 -o output.txt

# Wayback Machine
# Historical URLs known to archive.org for $domain — passive, no traffic to
# the target.
waybackurls $domain > wayback_urls.txt

# Extract Links
# -oP needs GNU grep built with PCRE; \K drops the href="/src=" prefix from
# the match. Only double-quoted attributes on the root page match —
# single-quoted or unquoted attributes are missed.
curl -s http://$rhost | grep -oP 'href="\K[^"]+' | sort -u
curl -s http://$rhost | grep -oP 'src="\K[^"]+' | sort -u

Web Vulnerabilities

For detailed exploitation techniques, see dedicated cheatsheets:

Vulnerability Cheatsheet
SQL Injection 7.1.SQL-Injection.md
Cross-Site Scripting (XSS) 7.2.Cross-Site-Scripting.md
File Inclusion (LFI/RFI) 7.3.File-Inclusion.md
Command Injection 7.4.Command-Injection.md
SSRF 7.5.SSRF.md
SSTI 7.6.SSTI.md
XXE 7.7.XXE.md
File Upload 7.8.File-Upload.md
HTTP Request Smuggling 7.9.HTTP-Request-Smuggling.md
IDOR & Access Control 7.10.IDOR-Access-Control.md
CSRF 7.11.CSRF.md
Insecure Deserialization 7.12.Insecure-Deserialization.md
Git Hacking 7.13.Git-Hacking.md
NoSQL Injection 7.14.NoSQL-Injection.md
JWT Attacks 7.15.JWT-Attacks.md
Race Condition 7.16.Race-Condition.md
Prototype Pollution 7.17.Prototype-Pollution.md
OAuth Vulnerabilities 7.18.OAuth-Vulnerabilities.md
WebSocket Attacks 7.19.WebSocket-Attacks.md
Mass Assignment 7.20.Mass-Assignment.md

Web Shells

PHP Filter Chain Generator

For LFI to RCE via PHP filter chains, see: File Inclusion - PHP Filter Chain

PHP Upload Filter Bypasses

.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.phar
.php%00.jpeg
<FILE>.php%20
<FILE>.php%0a
<FILE>.php.jpg
<FILE>.php%00.gif

CMS Enumeration

WPScan

# wpscan: --enumerate u,t,p lists users, themes and plugins;
# --plugins-detection aggressive requests each known plugin path directly
# instead of relying on page content; --disable-tls-checks skips certificate
# validation (self-signed lab hosts) and hides real certificate problems.
wpscan --url https://$rhost --enumerate u,t,p
wpscan --url https://$rhost --plugins-detection aggressive
wpscan --url https://$rhost --disable-tls-checks
# Password audit of a single account: <USERNAME> is a placeholder, -t 50 is
# the number of concurrent requests.
wpscan --url http://$rhost -U <USERNAME> -P passwords.txt -t 50

CMS Detection

# Probes CMS-specific paths; the status code and body tell which CMS is
# installed. Hardened installs remove or block the version/readme files, so
# a 404 is not conclusive.
# WordPress
# wp-config.php is executed server-side, so a live install normally returns
# an empty 200 — its presence, not its content, is the indicator.
curl -s http://$rhost/wp-config.php
curl -s http://$rhost/wp-login.php

# Drupal
# CHANGELOG.txt starts with the installed version (under core/ on Drupal 8+);
# a version-disclosure file defenders should delete from production.
curl -s http://$rhost/CHANGELOG.txt
curl -s http://$rhost/core/CHANGELOG.txt

# Joomla
# /administrator/ is the default admin login path; README.txt discloses the
# Joomla version if left in place.
curl -s http://$rhost/administrator/
curl -s http://$rhost/README.txt

OSINT Resources

Category Resource URL
Subdomain crt.sh https://crt.sh
Subdomain Censys https://censys.io
DNS History SecurityTrails https://securitytrails.com
DNS History DNSDumpster https://dnsdumpster.com
Web Archive Wayback Machine https://web.archive.org
IP/Network Shodan https://www.shodan.io
IP/Network ZoomEye https://www.zoomeye.org

Quick Reference

Task Command
DNS Zone Transfer dig axfr $domain @$ns
Subdomain Brute gobuster dns -d $domain -w wordlist
VHost Discovery ffuf -u http://$rhost -H "Host: FUZZ.$domain" -w wordlist
Dir Enumeration ffuf -u http://$rhost/FUZZ -w wordlist
Tech Detection whatweb http://$rhost
Crawling katana -u http://$rhost

See Also

Related Web Vulnerability Guides

Related Resources