diff --git a/recon/webapp_recon.md b/recon/webapp_recon.md new file mode 100644 index 0000000..e229ae5 --- /dev/null +++ b/recon/webapp_recon.md 
@@ -0,0 +1,49 @@ +# Web Application Security Testing Methodology + +## 1. Mapping the Application + +Mapping the application is a critical initial phase in security testing. It involves understanding the visible and underlying structure of the application to effectively tailor the testing strategy. + +### Explore Visible Content +- **Objective**: Identify all publicly accessible endpoints and files. +- **Methods**: Use tools like web crawlers and directory brute forcing tools. + +### Consult Public Resources +- **Objective**: Gather information from publicly available sources. +- **Methods**: Check documentation, forums, and other related publications. + +### Discover Hidden Content +- **Objective**: Uncover potentially hidden or non-indexed directories and files. +- **Methods**: Employ tools that perform forced browsing and directory listing. + +### Discover Default Content +- **Objective**: Identify common or default files and directories. +- **Methods**: Use lists of known default installation paths and filenames. + +### Enumerate Identifier-Specified Functions +- **Objective**: Determine the functionality exposed through URL parameters or function-specific paths. +- **Methods**: Analyze URL patterns and parameter names for hints of underlying functionality. + +### Test for Debug Parameters +- **Objective**: Discover any leftover or undocumented debug parameters that could expose sensitive information. +- **Methods**: Attempt common debug parameter names and observe responses for changes in behavior or information disclosure. + +## 2. Analyze the Application + +This step involves a deeper analysis of the application's build and behavior to identify potential security vulnerabilities. + +### Identify Functionality +- **Objective**: Catalog all functions the application performs. +- **Methods**: Systematic usage and testing of all features. + +### Identify Data Entry Points +- **Objective**: List all points where user input is accepted. 
+- **Methods**: Review forms, API endpoints, and any other interfaces. + +### Identify the Technologies Used +- **Objective**: Determine all underlying technologies (frameworks, libraries, servers). +- **Methods**: HTTP headers, file extensions, and error messages can reveal software versions and types. + +### Map the Attack Surface +- **Objective**: Understand all areas of the application that can potentially be attacked. +- **Methods**: Combine the information from functionality, data entry points, and technology identification to visualize the complete attack surface.
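Review bot: the two top-level headings use different verb forms ("## 1. Mapping the Application" vs "## 2. Analyze the Application"); pick one, e.g. "## 1. Map the Application", to match the imperative "Identify ..."/"Discover ..." style of the subsections. The three subsections "Explore Visible Content", "Discover Hidden Content" and "Discover Default Content" overlap in their Methods bullets (crawling and directory brute forcing, forced browsing and directory listing, lists of known default paths); a sentence under each stating what distinguishes it, or merging the latter two into one "Discover Hidden and Default Content" step, would make the methodology easier to follow. Under "Identify the Technologies Used", the bullet "- **Methods**: HTTP headers, file extensions, and error messages can reveal software versions and types." lists sources rather than a method, unlike every other Methods bullet; rephrasing it as an action ("Inspect HTTP headers, ...") keeps the template consistent.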