Pentest Recon Attack Surface
Purpose
Perform comprehensive attack surface mapping by correlating three data sources: external network scans, authenticated browser exploration, and source code analysis. Produces a structured endpoint inventory with authorization metadata, role/privilege architecture, and prioritized authorization vulnerability candidates for downstream code review and exploitation.
Prerequisites
Authorization Requirements
- Written authorization with explicit scope for reconnaissance and source code access
- Source code access to the target application (white-box engagement)
- Test accounts at every privilege level (anonymous, user, admin, service)
- Network scan approval — confirm acceptable scan intensity with target owner
Environment Setup
- nmap, subfinder, httpx, whatweb for external reconnaissance
- Playwright with authenticated browser contexts
- katana or gospider for web crawling
- ffuf for content discovery
- semgrep and ripgrep for source code analysis
- Access to deployment configs (Dockerfile, docker-compose, k8s manifests)
Core Workflow
- Technology Fingerprinting: Run whatweb + httpx to identify frameworks, languages, server versions, WAF presence, and response header signatures.
- External Scan Correlation: Execute nmap service scan + subfinder subdomain enumeration. Cross-reference discovered services against deployment configs (docker-compose ports, k8s service definitions) to identify exposed vs internal-only services.
- Interactive Browser Exploration: Authenticated Playwright crawl at each privilege level. Capture all XHR/fetch requests, form submissions, WebSocket connections, and dynamic route transitions. Record request/response pairs with auth context.
- Route Mapper: Parse all backend route definitions from source code with file:line pointers. Extract HTTP method, path pattern, middleware chain, and handler function for every endpoint.
- Authorization Checker: For each route, trace the middleware chain to identify auth/authz enforcement. Flag endpoints missing authentication middleware or with inconsistent authorization patterns.
- Input Validator: Analyze validation logic per parameter — identify parameters with no server-side validation, client-only validation, or incomplete validation (e.g., type check but no range check).
- Session Handler: Trace token lifecycle from issuance through validation to expiry. Map session storage mechanism, token rotation policy, and logout invalidation behavior.
- Authorization Architecture: Synthesize role definitions, permission assignments, and privilege lattice from source code. Identify horizontal/vertical/workflow authorization vulnerability candidates.
Output Deliverables
| Deliverable | Description |
|---|
| API Endpoint Inventory | Table: method, path, auth_required, roles_allowed, validation_summary, file:line |
| Network Interaction Map | External services, internal services, exposed ports, subdomain inventory |
| Role & Privilege Architecture | Role hierarchy, permission matrix, privilege escalation paths |
| Authorization Vulnerability Candidates | Prioritized list of endpoints with suspected authz gaps |
| Session Architecture | Token type, storage, rotation, expiry, invalidation behavior |
Tool Categories
| Category | Tools | Purpose |
|---|
| Fingerprinting | whatweb, httpx, wappalyzer | Technology and framework identification |
| Network Recon | nmap, subfinder, amass | Service discovery and subdomain enumeration |
| Web Crawling | Playwright, katana, gospider | Authenticated crawling and dynamic exploration |
| Content Discovery | ffuf, feroxbuster | Hidden endpoint and directory discovery |
| Code Analysis | semgrep, ripgrep, ast-grep | Route extraction and middleware tracing |
| Config Analysis | manual review | Deployment config correlation |
References
references/tools.md - Tool function signatures and parametersreferences/workflows.md - Reconnaissance workflow definitions and correlation procedures