Before launching any attack against a web application, a skilled penetration tester gathers information. This reconnaissance phase, often called "recon," lays the foundation for everything that follows. The quality of your reconnaissance directly determines the quality of your testing, because you cannot attack what you don't know exists.
Reconnaissance is about building a mental model of your target. You want to understand not just what the application does, but how it does it. What technologies power the backend? Who built it, and when? What third-party services does it integrate with? How has it evolved over time? Each piece of information adds to your understanding and opens new avenues for investigation.
Think of reconnaissance as detective work. Sometimes a single clue leads nowhere, but combined with other findings, it reveals significant vulnerabilities. An old forum post mentioning a specific version of software, combined with knowledge of that version's known vulnerabilities, can lead directly to a successful exploit.
The distinction between passive and active reconnaissance is crucial, especially in professional engagements where scope and authorization matter. Passive reconnaissance involves gathering information without directly touching the target systems: you're reading public information, searching archives, and analyzing data that's already freely available. The target has no way of knowing you're investigating them.
Active reconnaissance, by contrast, directly interacts with target systems. Scanning for open ports, fuzzing directories, or sending test requests to the application all fall into this category. Active techniques gather more detailed information but leave traces in logs and can trigger security alerts.
Professional engagements often restrict active reconnaissance during certain phases, so mastering passive techniques is essential. Moreover, passive reconnaissance sometimes reveals vulnerabilities that active scanning would miss entirely, such as leaked credentials in code repositories or sensitive documents indexed by search engines.
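The difference between passive and active reconnaissance is easiest to see from the defender's side of the log file. The following added example (not part of the original lesson) parses a few constructed Common Log Format lines and flags the signature that directory fuzzing leaves behind: a burst of 404 responses for many distinct paths from one client in a short window. A passive investigator, reading archives and public records, produces none of these lines. The sample log, the `scanner/1.0` user agent, the thresholds and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Common Log Format (fictional IPs from the
# RFC 5737 documentation ranges; no real server produced these).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:15 +0000] "GET /abuot HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:12:01:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:00 +0000] "GET /backup HTTP/1.1" 404 162 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:01 +0000] "GET /config HTTP/1.1" 404 162 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:01 +0000] "GET /old HTTP/1.1" 404 162 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:02 +0000] "GET /test HTTP/1.1" 404 162 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "scanner/1.0"
198.51.100.23 - - [10/Mar/2024:12:01:03 +0000] "GET /dev HTTP/1.1" 404 162 "-" "scanner/1.0"
192.0.2.55 - - [10/Mar/2024:13:10:00 +0000] "GET /login HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:15:30:00 +0000] "GET /signin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:18:45:00 +0000] "GET /account HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_enumeration(log_text, threshold=5, window_seconds=60):
    """Flag client IPs that hit >= threshold distinct missing paths within one window.

    A human mistyping a URL produces an isolated 404; a wordlist-driven directory
    fuzzer produces a dense burst of 404s against paths that never existed.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span is at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            paths = {r["path"] for r in recs[start:end + 1]}
            best_so_far = findings.get(ip, {}).get("distinct_404s", 0)
            if len(paths) >= threshold and len(paths) > best_so_far:
                findings[ip] = {
                    "distinct_404s": len(paths),
                    "window_start": recs[start]["ts"].isoformat(),
                    "paths": sorted(paths),
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_404s']} distinct 404s from {info['window_start']}")
```

Only the scanning client is flagged: the legitimate visitor's single typo and the three 404s spread across an afternoon stay below the threshold. Tuning `threshold` and `window_seconds` to the site's normal 404 rate is what separates a usable alert from noise.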
Effective reconnaissance produces what security professionals call a target profile. This document or mental model includes technical details like IP addresses, domain names, and technology stacks, but also organizational information like employee names, email formats, and business processes.
Start with the obvious: the target's main website. Read through it carefully, noting anything that might be relevant. Job postings reveal what technologies the company uses. Contact pages list employee names and email formats. News and press releases announce partnerships, acquisitions, and new product launches that expand the attack surface.
From there, expand outward. Who owns the domain? What other domains do they own? What subdomains exist? What did the site look like six months ago, before they patched those vulnerabilities? Each question leads to new sources of information and new opportunities for discovery.
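The target profile described above is easier to reason about once it is a concrete structure built from concrete sources. The following added example (not from the original lesson) consolidates three constructed passive inputs into one profile: a WHOIS-style record for ownership and name servers, a contact page for employee names and the organization's email format, and a job posting for the technology stack. The email-format step goes a little beyond the text by scoring candidate patterns against every address seen rather than assuming one. The inputs, the keyword catalogue, the pattern list and all function names are assumptions for the example; `example.com` is a reserved documentation domain, not a real target.

```python
import re
from collections import Counter

# Constructed sample inputs (fictional; example.com is a reserved documentation domain).
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registrant Organization: Example Holdings Ltd
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE-DNS.NET
Creation Date: 2009-04-02T00:00:00Z
"""

CONTACT_PAGE = """\
<p>Jane Doe, Head of Engineering: jane.doe@example.com</p>
<p>Bob Roe, Press Office: bob.roe@example.com</p>
<p>General enquiries: info@example.com</p>
"""

JOB_POSTING = "Senior developer wanted: Django, PostgreSQL and Redis, deployed on AWS behind Nginx."

# Assumed keyword catalogue for the example; real tooling would use a much larger one.
TECH_KEYWORDS = ["Django", "Flask", "Rails", "PostgreSQL", "MySQL", "Redis",
                 "AWS", "Azure", "Nginx", "Apache"]

# Candidate corporate address conventions, scored against observed addresses.
EMAIL_PATTERNS = {
    "{first}.{last}": lambda f, l: f"{f}.{l}",
    "{f}{last}":      lambda f, l: f"{f[0]}{l}",
    "{first}{last}":  lambda f, l: f"{f}{l}",
    "{first}_{last}": lambda f, l: f"{f}_{l}",
    "{first}":        lambda f, l: f,
}


def parse_whois(text):
    """Group 'Key: Value' lines; repeated keys such as Name Server become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def extract_people(html):
    """Return (first, last, email) triples written as 'First Last, role: email'."""
    pattern = re.compile(r"([A-Z][a-z]+) ([A-Z][a-z]+),[^:]*:\s*([\w.+-]+@[\w.-]+)")
    return [(m.group(1), m.group(2), m.group(3).lower()) for m in pattern.finditer(html)]


def infer_email_format(people, domain):
    """Pick the pattern that reproduces the most observed addresses; None if no evidence."""
    scores = Counter()
    for first, last, email in people:
        for name, build in EMAIL_PATTERNS.items():
            if f"{build(first.lower(), last.lower())}@{domain}" == email:
                scores[name] += 1
    if not scores:
        return None
    best, _ = scores.most_common(1)[0]
    return f"{best}@{domain}"


def detect_technologies(text):
    """Whole-word matches against the keyword catalogue, alphabetically sorted."""
    return sorted(k for k in TECH_KEYWORDS if re.search(rf"\b{re.escape(k)}\b", text))


def build_profile(whois_text, contact_html, job_text):
    whois = parse_whois(whois_text)
    domain = whois["domain name"][0].lower()
    people = extract_people(contact_html)
    return {
        "domain": domain,
        "registrant": whois.get("registrant organization", [None])[0],
        "name_servers": sorted(ns.lower() for ns in whois.get("name server", [])),
        "created": whois.get("creation date", [None])[0],
        "people": [(f, l) for f, l, _ in people],
        "email_format": infer_email_format(people, domain),
        "technologies": detect_technologies(job_text),
    }


if __name__ == "__main__":
    for key, value in build_profile(WHOIS_TEXT, CONTACT_PAGE, JOB_POSTING).items():
        print(f"{key:13} {value}")
```

Each field in the profile carries an implicit source, which matters later when a finding has to be justified in a report or when a defender asks which public page gave a detail away. The second name server sitting on a different domain is exactly the kind of clue the lesson describes: a single line that says nothing alone but points at another asset to investigate.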
What is gathering information without touching the target?
What tool queries domain registration?
What acronym describes public data gathering?
What tool finds email addresses?