- **Explore Visible Content**: This involves manually reviewing the application and using automated tools to discover all the visible resources, such as public-facing URLs, documents, and media files. Tools like web crawlers are often used here to automate the discovery process.
- **Consult Public Resources**: Here, the tester looks at documentation, code repositories, forums, and other publicly available sources to gather additional information about the application's structure and potential vulnerabilities. This might include finding developer comments in public code repositories or configuration snippets in technical forums.
- **Discover Hidden Content**: Tools and techniques are used to uncover hidden or unlinked sections of the application, such as admin interfaces or staging versions. This could involve using tools that perform forced browsing or directory brute-forcing.
- **Discover Default Content**: Identifying default installations and configurations that are often overlooked and not removed by developers. For example, default admin panels or configuration files that come with software packages.
- **Enumerate Identifier-Specified Functions**: Analyzing how the application responds to various manipulations of URL parameters or path names, which might reveal additional functionality or hidden debugging parameters.
- **Test for Debug Parameters**: Searching for parameters that developers might have left in the application which could expose sensitive information if triggered, such as `?debug=true`.
- **Identify Functionality**: Understanding exactly what the application does, its key features, and functionality. This includes cataloging all operations the application can perform, from user data processing to internal API communications.
- **Identify Data Entry Points**: Recognizing all the points where the application receives input from the users, which could be through forms, API endpoints, or even through the URL. Each entry point represents a potential vector for attacks like SQL injection or cross-site scripting.
- **Identify the Technologies Used**: Determining the software stack upon which the application is built, including the web server, frameworks, libraries, and third-party plugins. This information is crucial as it allows testers to focus on known vulnerabilities specific to these technologies.
- **Map the Attack Surface**: Integrating all the gathered information to outline the complete attack surface of the application. This includes all possible points where an attacker could try to exploit vulnerabilities.
