Only specific URLs are in scope. This usually means staging, dev or testing hosts, or individual URLs.

- Directory Enumeration
- Technology Fingerprinting
- Port Scanning
- Parameter Fuzzing
- Wayback History (archived URLs and their parameters)
- Known Vulnerabilities (public CVEs for the fingerprinted stack)
- Hardcoded Information in JavaScript (keys, tokens, internal endpoints)
- Domain-Specific GitHub & Google Dorking
- Broken Link Hijacking
- Data Breach Analysis
- Misconfigured Cloud Storage
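Of the items above, "Hardcoded Information in JavaScript" is the one most people do by eye. The script below is an added example, not code from the original page, showing the regex-based triage that tools such as LinkFinder and SecretFinder automate: pull credentials, tokens, relative API endpoints and cloud resources out of a bundle, then flag hosts whose names hint at the staging/dev/internal systems a small scope tends to include. SAMPLE_JS is a constructed bundle; every host in it is fictitious and the AWS values are Amazon's documented placeholder credentials, not real keys.

```python
"""Triage of hardcoded information in a JavaScript bundle.

Added example, not code from the original page. The regexes are the kind of
patterns tools such as LinkFinder and SecretFinder use. SAMPLE_JS is a
constructed bundle: every host in it is fictitious and the AWS values are
Amazon's documented placeholder credentials, not real keys.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: roughly what a minified front-end bundle can contain.
SAMPLE_JS = r"""
var cfg={apiBase:"https://api.staging.example.com/v2",
 s3:"https://assets-example-staging.s3.amazonaws.com/",
 awsKey:"AKIAIOSFODNN7EXAMPLE",
 awsSecret:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
 token:"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"};
function load(){fetch("/api/internal/admin/users?debug=1");fetch('/api/v2/export?format=csv')}
// TODO remove before prod: internal host http://jenkins.corp.example.com:8080/
"""

# Group 1 of each pattern is the value reported.
PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so this one is low-noise.
    "aws_access_key": re.compile(r"(?<![A-Z0-9])(AKIA[0-9A-Z]{16})(?![A-Z0-9])"),
    # A secret key has no prefix; require a 40-char base64-ish value assigned
    # to something whose name contains "secret" to keep false positives down.
    "aws_secret_key": re.compile(r"(?i)secret\w*[\"']?\s*[:=]\s*[\"']([A-Za-z0-9/+=]{40})[\"']"),
    # JWTs: three base64url segments; header and payload both start with '{"'.
    "jwt": re.compile(r"(eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
    "url": re.compile(r"(https?://[^\s\"'<>()]+)"),
    # Quoted relative paths under /api or /v<N>: candidate endpoints to fuzz.
    "endpoint": re.compile(r"[\"'](/(?:api|v\d)[A-Za-z0-9_./?=&-]*)[\"']"),
    # Virtual-hosted S3 URLs: the bucket name is the label before ".s3".
    "s3_bucket": re.compile(r"([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
}

NON_PROD_HINTS = ("staging", "dev", "test", "internal", "corp", "jenkins", "admin")


def extract(js: str) -> dict:
    """Return {category: sorted unique values} for every pattern that fired."""
    found = defaultdict(set)
    for name, rx in PATTERNS.items():
        for m in rx.finditer(js):
            found[name].add(m.group(1))
    return {name: sorted(values) for name, values in found.items()}


def interesting_hosts(urls) -> list:
    """Hosts whose name hints at non-production or internal systems.

    Heuristic only: "dev" also matches e.g. "devices.", so review the list."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        if any(hint in host for hint in NON_PROD_HINTS):
            hosts.add(host)
    return sorted(hosts)


def redact(value: str) -> str:
    """Show enough of a secret to recognise it in a report without pasting it whole."""
    return value[:4] + "..." + f"({len(value)} chars)"


if __name__ == "__main__":
    results = extract(SAMPLE_JS)
    for category, values in results.items():
        for value in values:
            shown = value if category in ("url", "endpoint", "s3_bucket") else redact(value)
            print(f"{category:15} {shown}")
    print("non-prod/internal hosts:", interesting_hosts(results.get("url", [])))
```

Run it against every script the target serves (including chunks loaded lazily); a hit on a secret pattern is a lead to verify, not a finding by itself, and the redacted form is what belongs in the report.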
Usually a wildcard scope, where every subdomain of the target domain is in scope.

- Subdomain Enumeration
- Subdomain Takeover
- Probing & Technology Fingerprinting
- Template-Based Scanning (Nuclei/Jaeles)
- GitHub Reconnaissance
- Google Dorking
- Internet Search Engine Discovery (Shodan, Censys, Spyse, etc.)
- IP Range Enumeration (if in scope)
- Pattern Extraction with GF (URLs whose parameters look XSS-, SSRF- or similarly prone), followed by automated testing of the matches
- Heartbleed Scanning
- General Security Misconfiguration Scanning
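Subdomain takeover is the item in this list that turns enumeration output directly into a finding, so the triage logic behind it is worth seeing in code. The script below is an added example, not code from the original page. It applies the two checks a takeover scan makes to each enumerated subdomain with a CNAME: does the target belong to a service whose unclaimed names answer with a known body fingerprint, and does the target still resolve at all. The fingerprints are the widely published ones for these services and are assumptions that drift over time; the observations are constructed and every hostname in them is fictitious.

```python
"""Subdomain takeover triage over enumerated subdomains.

Added example, not code from the original page. Fingerprints are the widely
published ones and must be re-verified before use, since providers change
their error pages. All hostnames below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Observation:
    host: str                 # in-scope subdomain
    cname: Optional[str]      # CNAME target, or None for a plain A/AAAA record
    target_resolves: bool     # False when the CNAME target returns NXDOMAIN
    body: str                 # HTTP response body (empty if nothing answered)


# (service suffix, body fingerprint of an unclaimed name, NXDOMAIN target claimable?)
FINGERPRINTS = [
    ("github.io", "There isn't a GitHub Pages site here.", False),
    ("herokuapp.com", "No such app", False),
    ("amazonaws.com", "NoSuchBucket", False),
    ("azurewebsites.net", "", True),   # detected by the target name no longer resolving
]


def _on_service(cname: str, suffix: str) -> bool:
    """Label-aligned suffix match: 'notgithub.io' must not count as github.io."""
    return cname == suffix or cname.endswith("." + suffix)


def triage(obs: Observation) -> tuple:
    """Return (status, reason); status is 'vulnerable', 'check' or 'ok'."""
    if not obs.cname:
        return ("ok", "no CNAME; nothing dangling to claim")
    for suffix, body_fp, nxdomain_claimable in FINGERPRINTS:
        if not _on_service(obs.cname, suffix):
            continue
        if body_fp and body_fp in obs.body:
            return ("vulnerable", f"{suffix}: unclaimed-resource fingerprint in response")
        if nxdomain_claimable and not obs.target_resolves:
            return ("vulnerable", f"{suffix}: CNAME target does not resolve and the name is claimable")
        return ("ok", f"{suffix}: target appears claimed")
    if not obs.target_resolves:
        # Not a known service: the apex of the target may simply be an expired
        # domain, which is a takeover by registration rather than by signup.
        return ("check", "CNAME target NXDOMAIN on an unknown service: see if the domain itself is registrable")
    return ("ok", "CNAME resolves to a service without a known fingerprint")


def triage_all(observations) -> list:
    """Run triage over a batch and return (host, status, reason) rows."""
    return [(o.host, *triage(o)) for o in observations]


# Constructed observations, as a DNS + HTTP probe over enumeration output would produce.
SAMPLE = [
    Observation("blog.example.com", "examplecorp.github.io", True, "There isn't a GitHub Pages site here."),
    Observation("app.example.com", "example-legacy.herokuapp.com", True, "<title>No such app</title>"),
    Observation("static.example.com", "static-example.s3.amazonaws.com", True, "<Code>NoSuchBucket</Code>"),
    Observation("portal.example.com", "example-portal.azurewebsites.net", False, ""),
    Observation("www.example.com", "example-www.herokuapp.com", True, "<html>Welcome</html>"),
    Observation("old.example.com", "old-site.defunct-vendor.example", False, ""),
    Observation("mail.example.com", None, True, ""),
]


if __name__ == "__main__":
    for host, status, reason in triage_all(SAMPLE):
        print(f"{status:10} {host:22} {reason}")
```

A "vulnerable" row is still only a candidate: confirm it by claiming the resource on the provider and serving a harmless proof page on the subdomain, and treat the "check" rows as the dangling delegations behind broken link hijacking.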
Everything related to the organization is in scope: child companies, subdomains and any asset the organization owns.

- Tracking & Tracing every possible signature of the target application (often a scope target has no search-engine history, but it can still be crawled directly)
- Subsidiary & Acquisition Enumeration (maximum depth)
- Reverse Lookup
- ASN & IP Space Enumeration and Service Identification
- Any other recon vector (network or web) can be applied.