recon-and-methodology
Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target.
| name | recon-and-methodology |
| description | Reconnaissance and methodology playbook. Use when mapping assets, discovering endpoints, fingerprinting technology, and building a structured testing plan for a new target. |
AI LOAD INSTRUCTION: Systematic recon and bug-finding methodology from top bug hunters. Covers subdomain enumeration, endpoint discovery, tech fingerprinting, and the hunter's mental model for finding bugs that others miss. Key insight: most high-severity bugs are found through systematic coverage, not just clever payloads.
```text
Target Selection
└── Scope Definition (in-scope assets)
    └── Asset Discovery (subdomains, IPs, domains)
        └── Tech Fingerprinting (what's running)
            └── Endpoint Discovery (attack surface)
                └── Vulnerability Testing (per vulnerability type)
```
```bash
# Subfinder (aggregates multiple sources):
subfinder -d target.com -o subdomains.txt
# Amass passive:
amass enum -passive -d target.com
# crt.sh (certificate transparency):
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# SecurityTrails API, Shodan:
# Web: https://securitytrails.com/list/apex_domain/target.com
```
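The `jq | sort -u` one-liner above leaves wildcard SANs, mixed case and out-of-scope names in the list. Added example (not from the original playbook): a parser for the crt.sh JSON shape that normalises names, separates wildcards, keeps only the apex's own zone, and diffs the result against a known asset inventory, which is how a defender uses CT logs to spot hosts nobody has on record. The sample records are constructed, not real log data.

```python
import json

# Constructed sample in the shape crt.sh returns for ?output=json (not real log data).
# One record carries two names in name_value (newline-separated), one is a wildcard,
# one has mixed case, and one is outside the apex and must be dropped.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.target.com", "name_value": "www.target.com\ntarget.com",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2025-01-01T00:00:00"},
    {"common_name": "*.target.com", "name_value": "*.target.com",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "not_after": "2025-06-01T00:00:00"},
    {"common_name": "Staging.Target.com", "name_value": "Staging.Target.com\nstaging-api.target.com",
     "issuer_name": "C=US, O=Example CA", "not_after": "2024-03-01T00:00:00"},
    {"common_name": "target.com.example.org", "name_value": "target.com.example.org",
     "issuer_name": "C=US, O=Example CA", "not_after": "2024-03-01T00:00:00"},
])


def in_scope(name, apex):
    """True for the apex itself or any label under it; rejects look-alikes such as apex.example.org."""
    return name == apex or name.endswith("." + apex)


def extract_hostnames(crtsh_json, apex):
    """Split, normalise and scope-filter crt.sh name_value fields.

    Returns (hostnames, wildcards) as sorted lists. Wildcard SANs are reported
    separately: they are not resolvable names, only evidence that a wildcard
    certificate was issued for the zone.
    """
    hosts, wildcards = set(), set()
    for record in json.loads(crtsh_json):
        for raw in record.get("name_value", "").splitlines():
            name = raw.strip().lower()
            if not name or not in_scope(name, apex):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return sorted(hosts), sorted(wildcards)


def unknown_hosts(hosts, known_inventory):
    """Names the CT logs know about that the asset inventory does not: review these first."""
    return sorted(set(hosts) - {h.lower() for h in known_inventory})


if __name__ == "__main__":
    hosts, wildcards = extract_hostnames(SAMPLE_CRTSH_JSON, "target.com")
    print("hosts:", hosts)
    print("wildcards:", wildcards)
    print("not in inventory:", unknown_hosts(hosts, ["target.com", "www.target.com"]))
```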
```bash
# massdns + wordlist:
massdns -r /path/to/resolvers.txt -t A -o S -w output.txt \
  <(cat wordlist.txt | sed 's/$/.target.com/')
# ffuf for subdomain brute force:
ffuf -w subdomains-wordlist.txt -u https://FUZZ.target.com \
  -mc 200,301,302,403 -H "Host: FUZZ.target.com"
# dnsx for bulk resolution:
cat subdomains.txt | dnsx -a -resp -o resolved.txt
# Recommended wordlist: SecLists/Discovery/DNS/
```
```bash
# ffuf vhost mode:
ffuf -w wordlist.txt -u https://target.com \
  -H "Host: FUZZ.target.com" -mc 200,301,403
# gobuster vhost:
gobuster vhost -u https://target.com -w wordlist.txt
```
```bash
# Fast port scan (common ports):
nmap -T4 -F target.com -oN ports.txt
# Comprehensive scan on resolved subdomains:
cat resolved_ips.txt | nmap -iL - --open -p 80,443,8080,8443,8888,3000,5000 -oG scan.txt
# httpx for HTTP probing:
cat subdomains.txt | httpx -title -tech-detect -status-code -o live_hosts.txt
# masscan for speed on large IP ranges:
masscan -p 80,443,8080,8443 10.0.0.0/8 --rate=1000
```
```bash
# Wappalyzer (browser extension) or:
whatweb https://target.com
# httpx with tech detection:
httpx -u https://target.com -tech-detect
# Check headers manually:
curl -sI https://target.com | grep -i "server\|x-powered-by\|x-generator\|cf-ray"
```
Fingerprint from:
- Server header: `nginx/1.18`, `Apache/2.4`, `IIS/10.0`
- X-Powered-By: `PHP/7.4`, `ASP.NET`
- Cookies: `PHPSESSID` (PHP), `JSESSIONID` (Java), `_rails_session` (Rails)
- HTML comments: `<!-- Drupal 9 -->`
- Meta generator: `<meta name="generator" content="WordPress 6.2">`
- JS framework files: `/static/js/angular.min.js`
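Added example (not from the original playbook): the fingerprint list above turned into a parser that runs over a captured response and reports every disclosure source at once, so an owner can audit what their own servers leak before anyone else does. The cookie-name and framework-file tables are assumptions, and the sample response is constructed.

```python
import re

# Disclosure sources from the page's list; cookie and JS name tables are assumptions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
COOKIE_HINTS = {"phpsessid": "PHP", "jsessionid": "Java", "_rails_session": "Rails"}
FRAMEWORK_JS = ("angular", "react", "vue", "jquery")
META_GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)', re.I)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
VERSION_LIKE = re.compile(r"\d+\.\d+|\b(drupal|wordpress|joomla)\b", re.I)
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)', re.I)


def fingerprint(headers, body):
    """Collect technology disclosures from (name, value) header pairs and an HTML body.
    Headers are a list of pairs so repeated Set-Cookie lines are all seen."""
    found = {}
    for name, value in headers:
        key = name.lower()
        if key in DISCLOSING_HEADERS:          # version strings straight from the server
            found.setdefault("headers", []).append(f"{name}: {value}")
        elif key == "set-cookie":               # session cookie naming betrays the platform
            cookie = value.split("=", 1)[0].strip().lower()
            for hint, tech in COOKIE_HINTS.items():
                if cookie.startswith(hint):
                    found.setdefault("cookies", []).append(f"{cookie} -> {tech}")
    m = META_GENERATOR.search(body)
    if m:
        found["generator"] = m.group(1)
    comments = [c.strip() for c in HTML_COMMENT.findall(body) if VERSION_LIKE.search(c)]
    if comments:                                # only comments that look like product/version notes
        found["comments"] = comments
    scripts = [s for s in SCRIPT_SRC.findall(body) if any(f in s.lower() for f in FRAMEWORK_JS)]
    if scripts:
        found["framework_js"] = scripts
    return found


# Constructed sample response, not captured from any real host.
SAMPLE_HEADERS = [("Server", "nginx/1.18.0"), ("X-Powered-By", "PHP/7.4.3"),
                  ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
                  ("Set-Cookie", "theme=dark; Path=/"), ("Content-Type", "text/html")]
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 6.2">
<!-- cached by plugin v2.1 -->
<script src="/static/js/angular.min.js"></script>
</head><body><!-- nav --></body></html>"""

if __name__ == "__main__":
    for kind, items in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{kind}: {items}")
```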
```bash
# ffuf (fastest):
ffuf -u https://target.com/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt \
  -mc 200,301,302,403 -t 50 -o dirs.txt
# Gobuster:
gobuster dir -u https://target.com -w wordlist.txt -x php,html,js,json
# feroxbuster (recursive):
feroxbuster -u https://target.com -w wordlist.txt -x php,html,txt -r
# Arjun (hidden parameter finder):
arjun -u https://target.com/api/endpoint
# x8:
x8 -u https://target.com/api/endpoint -w params-wordlist.txt
```
```bash
# Extract endpoints from JS files:
gau target.com | grep '\.js$' | httpx -mc 200 | xargs -I{} curl -s {} | \
  grep -oE '"/[a-zA-Z0-9/_-]+"' | sort -u
# LinkFinder:
python3 linkfinder.py -i https://target.com -d -o output.html
# GetAllURLs (gau):
gau target.com | sort -u > all_urls.txt
# Wayback URLs:
waybackurls target.com | sort -u > wayback_urls.txt
```
```bash
# Common API paths:
ffuf -u https://target.com/FUZZ -w /SecLists/Discovery/Web-Content/api/api-endpoints.txt
# Swagger/OpenAPI, test:
#   /swagger.json /api-docs /openapi.json /v2/api-docs /.well-known/ /docs/
# GraphQL, test:
#   /graphql /gql /v1/graphql /api/graphql
```
```bash
# trufflehog (secret scanner in git history):
trufflehog git https://github.com/target-org/target-repo
# gitleaks:
gitleaks detect --source /path/to/cloned/repo
# Manual GitHub search:
#   site:github.com "target.com" "api_key" OR "secret" OR "password"
#   site:github.com "target.com" ".env" OR "config.php" OR "db_password"
# GitHub dorks:
#   "target.com" extension:env
#   "target.com" filename:*.config password
#   org:target-org secret OR password OR apikey
```
Check common paths:
```text
https://target.com/.env
https://target.com/.git/config
https://target.com/config.json
https://target.com/config.yaml
https://target.com/credentials.json
https://target.com/secrets.json
https://target.com/wp-config.php
https://target.com/backup.sql
https://target.com/backup.zip
```
For each input point:
1. Non-malicious HTML tags (`<h2>`, `<img>`) → are they reflected?
2. Incomplete tags → what happens? (`<iframe src=//evil.com `)
3. Encoding tests → `%0d`, `%0a`, `%09`, `<%00`
4. Observe the OUTPUT too (not just the response) → where does your input appear?
5. Test the same input in ALL similarly structured pages (shared code → shared vuln)
6. Check whether the same parameter exists in the mobile/API endpoint (less protected)
- Each parameter tells a story: "what does this do server-side?"
- Filename → OS interaction → Path Traversal / CMDi
- URL/location → HTTP fetch → SSRF
- Template/HTML parameter → render function → SSTI
- XML field → parser → XXE
- SQL filter → query → SQLi
- User-content → storage → Stored XSS
✓ Programs with large scope (*.target.com)
✓ Programs that pay for P2/P3 (not just RCE)
✓ Programs with recent tech changes (migrations = new bugs)
✓ Programs with active development (new features = new attack surface)
× Avoid: frozen/old codebases with well-known CVEs (already claimed)
× Avoid: strict programs with narrow scope (less surface)
Priority 1: Authentication, password reset, 2FA → account takeover
Priority 2: File upload, profile edit, API endpoints → stored XSS, IDOR
Priority 3: Admin panels, user management → BFLA, privilege escalation
Priority 4: Payment flows, subscription → business logic
Priority 5: Import/export, template rendering → XXE, SSTI
```bash
# Run all on target:
nuclei -u https://target.com -t /nuclei-templates/ -o nuclei-results.txt
# Specific categories:
nuclei -u https://target.com -t cves/ -severity critical,high
nuclei -u https://target.com -t exposures/
nuclei -u https://target.com -t misconfiguration/
# On subdomain list:
cat subdomains.txt | nuclei -t exposures/ -t misconfiguration/ -o exposed.txt
```
□ CORS: Access-Control-Allow-Origin: * with credentials → CSRF + data theft
□ S3 bucket public: curl https://target.s3.amazonaws.com/
□ Directory listing: response contains "Index of /"
□ .git exposed: curl https://target.com/.git/config
□ .env exposed: curl https://target.com/.env
□ Debug mode: stack traces in production (source code exposure)
□ Default credentials: admin:admin, admin:password on admin panels
□ phpinfo.php: curl https://target.com/phpinfo.php
□ Backup files: config.bak, database.sql.gz, app.zip
□ GraphQL introspection enabled: POST /graphql {"query":"{__schema{types{name}}}"}
□ Admin panels: /admin /manager /console /phpmyadmin /wp-admin
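Added example (not from the original playbook): a classifier for the CORS item in the checklist plus body signatures for the exposure items, written as checks an owner can run over their own responses. It rates the reflected-origin-with-credentials case highest, since that is the combination that lets any site read authenticated responses; it also records that browsers refuse to pair `*` with credentials, so that variant is a misconfiguration rather than a direct data-theft path. The body markers are assumptions and all responses are constructed.

```python
import re


def classify_cors(probe_origin, headers, trusted_origins=()):
    """Rate the CORS policy a response returned for a request sent with probe_origin.

    headers: dict of response headers (names matched case-insensitively).
    Returns a 'severity: reason' string.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok: no CORS header"
    if acao in trusted_origins:
        return "ok: allow-listed origin"
    if acao == "*":
        # Browsers refuse to pair '*' with credentials, so this cannot be exploited
        # directly, but it signals a policy that was never thought through.
        return "medium: wildcard with credentials" if creds else "info: public wildcard"
    if acao == "null":
        return "high: null origin allowed" + (" with credentials" if creds else "")
    if acao == probe_origin:
        return ("critical: arbitrary origin reflected with credentials" if creds
                else "low: arbitrary origin reflected without credentials")
    return f"info: fixed origin {acao}"


# Body signatures for the exposure items in the checklist above (assumed markers).
EXPOSURE_MARKERS = {
    "directory listing": re.compile(r"<title>Index of /", re.I),
    ".git/config": re.compile(r"^\[core\]", re.M),
    ".env": re.compile(r"^[A-Z][A-Z0-9_]*=", re.M),
    "phpinfo": re.compile(r"<title>PHP \d[^<]*phpinfo\(\)", re.I),
}


def exposure_markers(body):
    """Names of the checklist exposures whose signature appears in a response body."""
    return [name for name, rx in EXPOSURE_MARKERS.items() if rx.search(body)]


if __name__ == "__main__":
    # Constructed responses, not captured from any real host.
    probe = "https://untrusted.example"
    print(classify_cors(probe, {"Access-Control-Allow-Origin": probe,
                                "Access-Control-Allow-Credentials": "true"}))
    print(classify_cors(probe, {"Access-Control-Allow-Origin": "*"}))
    print(classify_cors(probe, {"Access-Control-Allow-Origin": "https://app.target.com"},
                        trusted_origins=("https://app.target.com",)))
    print(exposure_markers("[core]\n\trepositoryformatversion = 0\n"))
    print(exposure_markers("DB_HOST=db\nDB_PASSWORD=placeholder\n"))
```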
| Category | Tool |
|---|---|
| Subdomain enum | subfinder, amass, massdns |
| Port scan | nmap, masscan |
| HTTP probe | httpx |
| Dir brute | ffuf, feroxbuster, gobuster |
| JS mining | LinkFinder, gau, waybackurls |
| Secret scan | trufflehog, gitleaks |
| Parameter fuzz | arjun, x8 |
| Vuln scan | nuclei |
| Proxy/intercept | Burp Suite Pro |
| JWT attacks | jwt_tool |
| SQLi | sqlmap |
| XSS | dalfox, XSStrike |
| SSRF | SSRFmap, Gopherus |
| Middleware | Detection Path | Key Indicators |
|---|---|---|
| Apache Tomcat | /manager/html, /manager/status | Default creds: tomcat:tomcat, admin:admin |
| JBoss / WildFly | /jmx-console/, /web-console/ | JMX MBean access, WAR deployment |
| WebLogic | /console/, /wls-wsat/ | T3 protocol on 7001/7002, IIOP |
| Spring Boot Actuator | /actuator/, /actuator/env, /actuator/heapdump | JSON endpoint listing, heap dump contains secrets |
| Spring Boot (alt paths) | /actuator/jolokia, /actuator/gateway/routes | Jolokia JMX bridge, Gateway route injection |
| Jenkins | /script, /manage | Groovy console, API token in cookie |
| GlassFish | /common/, /theme/ | Admin on 4848, default empty password |
| Jetty | /jolokia/ | JMX access |
| Resin | /resin-admin/ | Admin panel |
```text
/actuator/env            → Leak environment variables (DB creds, API keys)
/actuator/heapdump       → Download JVM heap → search for passwords in memory
/actuator/jolokia        → JMX → possible RCE via MBean manipulation
/actuator/gateway/routes → Spring Cloud Gateway → SpEL injection (CVE-2022-22947)
/actuator/configprops    → All configuration properties
/actuator/mappings       → All URL mappings (hidden endpoints)
/actuator/beans          → All Spring beans
/actuator/threaddump     → Thread dump (may leak session tokens / secrets in stack frames)
```
```text
/.git/HEAD              → Git repository exposed
/.svn/entries           → SVN metadata
/.svn/wc.db             → SVN SQLite database
/.hg/requires           → Mercurial
/.bzr/README            → Bazaar
/.DS_Store              → macOS directory listing
/backup.zip /backup.tar.gz /backup.sql
/wwwroot.rar /www.zip /web.zip
/db.sql /database.sql /dump.sql
/config.php.bak /config.php~ /config.php.swp
/.config.php.swp /wp-config.php.bak
/.env /.env.bak /.env.production
/swagger-ui.html        → Swagger/OpenAPI
/swagger-ui/            → Swagger UI
/api-docs               → API documentation
/graphql                → GraphQL playground
/graphiql               → GraphQL IDE
/debug/                 → Debug endpoints
/phpinfo.php            → PHP configuration
/server-status          → Apache status
/server-info            → Apache info
/nginx_status           → Nginx status
/.aws/credentials       → AWS credentials
/.docker/config.json    → Docker registry auth
/robots.txt             → Disallowed paths (hint list)
/sitemap.xml            → Full URL listing
/crossdomain.xml        → Flash cross-domain policy
/.well-known/           → Various well-known URIs
```