# 4.1 Information Gathering

## [Information Gathering](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/README)

## 4.1.1 [Conduct Search Engine Discovery Reconnaissance for Information Leakage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/01-Conduct_Search_Engine_Discovery_Reconnaissance_for_Information_Leakage)

```bash
site:<DOMAIN>
cache:<URL>
site:<DOMAIN> (filetype:pdf OR filetype:doc OR filetype:docx OR filetype:xlsx)
theHarvester -b all -d <DOMAIN>
```

**Evidence**:

```

```

## 4.1.2 [Fingerprint Web Server](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server)

* [ ] Wappalyzer: Server results
* [ ] Look for `Server` headers in the response
* [ ] `sudo nmap -sS -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt`
* [ ] `whatweb <URL>`
* [ ] HTTPX

```bash
httpx -u <URL> -silent -title -follow-redirects -status-code -server -ip -content-length -tech-detect -asn -cdn -threads 100
```

* [ ] Check whether the server runs on Azure, Google or AWS infrastructure: `dig <DOMAIN>`

**Evidence**:

```

```

## 4.1.3 [Review Webserver Metafiles for Information Leakage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/03-Review_Webserver_Metafiles_for_Information_Leakage)

* [ ] **Metadata files** (robots.txt, sitemap.xml, security.txt, humans.txt, .well-known)

```bash
# Print only the status line for each candidate metafile
echo -ne 'robots.txt\nsitemap.xml\nsecurity.txt\n.well-known/security.txt\nhumans.txt\n.well-known\n.git' | xargs -I {} bash -c 'echo -n "{}: "; curl -k -sq -D - -o /dev/null "https://<DOMAIN>/{}" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | head -n 1'
```

* [ ] **WordPress metadata files**

```bash
# Contain information such as the installed WordPress version.
/license.txt
/readme.html

# Used for the e-mail activation step when setting up a new WordPress site.
/wp-activate.php
# Lets a visitor register an account.
/wp-signup.php

/wp-admin/maint/repair.php
/wp-admin/install.php
/wp-admin/upgrade.php
/wp-links-opml.php

# Main directory where plugins and themes are stored.
/wp-content/
# Directory where files uploaded to the platform are stored.
/wp-content/uploads/
# Directory holding the core files: certificates, fonts, JavaScript files and widgets.
/wp-includes/
/wp-includes/wlwmanifest.xml

# Endpoint for the XML-RPC functionality; a common brute-force target.
/xmlrpc.php
# Endpoint that runs scheduled tasks; can be abused for (distributed) denial of service.
/wp-cron.php
```

* [ ] **Meta tags**

```bash
# Search for tags in Burp Suite

# Or use the following command
curl -sq <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i '<meta'
```
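
The following Python script is an added example (not part of the original checklist) showing how to turn the three artefacts collected in this step into reviewable evidence: it parses `robots.txt` directives, the URLs in `sitemap.xml`, and the `<meta>` tags of a saved page, keeping only the tags that tend to leak software versions or people. The three inputs are constructed samples standing in for files saved with `curl`, and the host `example.test` is a placeholder.

```python
"""Parse robots.txt, sitemap.xml and HTML <meta> tags from saved responses.

Added example, not part of the original checklist. The three inputs below are
constructed samples standing in for files saved with curl from the target;
the host example.test is a placeholder.
"""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample robots.txt: Disallow entries reveal paths the owner
# wants hidden from crawlers, which is exactly what reviewers look for.
ROBOTS_TXT = """User-agent: *
Disallow: /wp-admin/
Disallow: /backup/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://example.test/sitemap.xml
"""

# Constructed sample sitemap.xml (standard sitemaps.org namespace).
SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/</loc></url>
  <url><loc>https://example.test/staging/login</loc></url>
</urlset>
"""

# Constructed sample index page with a version-leaking generator tag.
INDEX_HTML = """<html><head>
<meta charset="utf-8">
<meta name="generator" content="WordPress 6.4.2">
<meta name="author" content="webteam">
<meta name="viewport" content="width=device-width">
</head><body></body></html>
"""

# Meta names whose content commonly leaks software, versions or people.
INTERESTING_META = {"generator", "author", "application-name", "copyright"}


def parse_robots(text):
    """Map each directive (lower-cased) to the list of its values, in order."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        directives.setdefault(key.strip().lower(), []).append(value.strip())
    return directives


def parse_sitemap(xml_text):
    """Return every <loc> URL listed in a sitemaps.org urlset."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [loc.text.strip() for loc in root.findall("sm:url/sm:loc", ns)]


class MetaCollector(HTMLParser):
    """Collect (name, content) pairs from <meta> tags using the stdlib parser."""

    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        name = attr.get("name") or attr.get("property") or attr.get("http-equiv")
        if name:
            self.meta.append((name.lower(), attr.get("content", "")))


def leaky_meta(html):
    """Return only the meta tags that disclose something worth recording."""
    collector = MetaCollector()
    collector.feed(html)
    return [(n, c) for n, c in collector.meta if n in INTERESTING_META]


if __name__ == "__main__":
    print("robots.txt disallows:", parse_robots(ROBOTS_TXT).get("disallow", []))
    print("sitemap URLs:", parse_sitemap(SITEMAP_XML))
    print("leaky meta tags:", leaky_meta(INDEX_HTML))
```

Run it against the files you saved with `curl` by replacing the three constants; the `Disallow` paths and any `generator` tag go straight into the evidence block, since both are findings the WSTG step asks you to record.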

**Evidence**:

```

```

## 4.1.4 [Enumerate Applications on Webserver](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver)

* [ ] **Non-Standard Ports**

```bash
sudo nmap -sT -p- -sV -sC -O <DOMAIN> -oN Documents/Audits/nmap.txt
```

* [ ] **Different Base URLs**

```bash
ffuf -ac -w <WORDLIST> -of md -o base_URLs.md -t 60 [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u https://<DOMAIN>/FUZZ
```

* [ ] **Virtual hosts**

```bash
ffuf -ac -w /usr/share/wordlists/TopDomais/subdomains-10000.txt -of md -o virtual_hosts.md [-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36"] -u <URL> -H "Host: FUZZ.<DOMAIN>"
```

**Evidence**:

```

```

## 4.1.5 [Review Webpage Content for Information Leakage](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/05-Review_Webpage_Content_for_Information_Leakage)

* [ ] **metadata files or meta tags** -> Section 4.1.3.
* [ ] **Comments:** In Burp Suite, `Target/Site map/<TARGET>/Engagement tools/Find comments`
* [ ] **JS files:** In Burp Suite, `Target/Site map/<TARGET>/Engagement tools/Find scripts`, or the output of "JS Miner"
* [ ] Mantra

```bash
# Obtain the links from the Burp Suite site map, then de-duplicate and scan them
sort -u /tmp/burplinks.txt | uro | mantra | tee mantra.txt
```

* [ ] Check meta data information in files stored on the web application

```bash
exiftool * | grep -Ei 'Title|Subject|Author|Comments|Software|Company|Manager|Hyperlinks|User|device|creator|Application' | sort -u
```

**Evidence**:

```

```

## 4.1.6 [Identify Application Entry Points](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/06-Identify_Application_Entry_Points)

* [ ] Requests
  * [ ] Identify where GETs are used and where POSTs are used.
  * [ ] Identify all parameters used in a POST request (these are in the body of the request).
  * [ ] Identify all the parameters used in a GET request.
  * [ ] Also pay attention to any additional or custom type headers not typically seen (such as `debug: false`).
* [ ] Responses
  * [ ] Identify where new cookies are set (`Set-Cookie` header), modified, or added to.
  * [ ] Identify where there are any redirects (3xx HTTP status code), 400 status codes, in particular 403 Forbidden, and 500 internal server errors during normal responses (i.e., unmodified requests).
  * [ ] Also note where any interesting headers are used.
* [ ] Show Sitemap links obtained from the previous sections.
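
The checklist above is easiest to fill in from exported proxy traffic. The Python script below is an added example (not the checklist's own tooling) that reads raw request/response pairs and reports, for each exchange, the method, GET and POST parameters, any non-browser request header such as `Debug: false`, `Set-Cookie` values, redirects, 403 and 5xx responses, and the `Server`/`X-Powered-By` headers that also serve the fingerprinting step in 4.1.2. The exchanges are constructed samples and `example.test` is a placeholder host.

```python
"""Summarise application entry points from saved HTTP request/response pairs.

Added example, not the checklist's own tooling. It assumes the pairs were
exported from the proxy as raw text; the exchanges below are constructed and
the host example.test is a placeholder.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample exchanges: (raw request, raw response).
EXCHANGES = [
    (
        "GET /search?q=test&page=2 HTTP/1.1\n"
        "Host: example.test\n"
        "User-Agent: Mozilla/5.0\n"
        "Debug: false\n",
        "HTTP/1.1 200 OK\n"
        "Server: nginx/1.18.0\n"
        "X-Powered-By: PHP/8.1\n"
        "Content-Type: text/html\n",
    ),
    (
        "POST /login HTTP/1.1\n"
        "Host: example.test\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "\n"
        "user=alice&pass=secret&remember=1",
        "HTTP/1.1 302 Found\n"
        "Location: /account\n"
        "Set-Cookie: session=abc123; HttpOnly; Secure\n",
    ),
    (
        "GET /admin HTTP/1.1\nHost: example.test\n",
        "HTTP/1.1 403 Forbidden\nServer: nginx/1.18.0\n",
    ),
]

# Request headers a browser normally sends; anything else is reported as custom.
STANDARD_REQUEST_HEADERS = {
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-type", "content-length", "cookie", "referer",
    "origin", "cache-control", "pragma", "upgrade-insecure-requests",
}
# Response headers that fingerprint the server stack (section 4.1.2).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator", "via"}


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(header, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            headers.append((key.strip().lower(), value.strip()))
    return lines[0], headers, body


def analyse(request_raw, response_raw):
    """Return the entry-point facts the checklist asks for, for one exchange."""
    request_line, req_headers, req_body = parse_message(request_raw)
    status_line, resp_headers, _ = parse_message(response_raw)
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    status = int(status_line.split(" ")[1])
    redirect = next((v for k, v in resp_headers if k == "location"), None)
    return {
        "method": method,
        "path": url.path,
        "query_params": sorted(parse_qs(url.query, keep_blank_values=True)),
        "body_params": sorted(parse_qs(req_body, keep_blank_values=True)),
        "custom_request_headers": [k for k, _ in req_headers if k not in STANDARD_REQUEST_HEADERS],
        "status": status,
        "sets_cookie": [v.split(";")[0] for k, v in resp_headers if k == "set-cookie"],
        "redirect_to": redirect if 300 <= status < 400 else None,
        "fingerprint": {k: v for k, v in resp_headers if k in FINGERPRINT_HEADERS},
        # 3xx, 403 and 5xx on unmodified requests are the cases the checklist flags.
        "noteworthy": 300 <= status < 400 or status == 403 or status >= 500,
    }


def summarise(exchanges):
    """Analyse every pair; the result is the table that goes into the evidence section."""
    return [analyse(req, resp) for req, resp in exchanges]


if __name__ == "__main__":
    for entry in summarise(EXCHANGES):
        print(entry)
```

Only application/x-www-form-urlencoded bodies are parsed; JSON or multipart bodies would need their own branch in `analyse`, which is the usual next refinement once the target's request shapes are known.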

**Evidence**:

```

```

## 4.1.7 [Map Execution Paths Through Application](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/07-Map_Execution_Paths_Through_Application)

Map the target application and understand the principal workflows:

* [ ] **Path** - tests each path through the application, including combinatorial and boundary value analysis for each decision path. This approach is thorough, but the number of testable paths grows exponentially with each decision branch.
* [ ] **Data Flow (or Taint Analysis)** - tests the assignment of variables via external interaction (normally users). Focuses on mapping the flow, transformation and use of data throughout an application.
* [ ] **Race** - tests multiple concurrent instances of the application manipulating the same data.
* [ ] Sitemap and HTTP History screenshots

**Evidence**:

```

```

## 4.1.8 [Fingerprint Web Application Framework](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework)

Fingerprint the components used by the web application, with a focus on the client side.

* [ ] Wappalyzer output

**Evidence**:

```

```

## 4.1.10 [Map Application Architecture](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/10-Map_Application_Architecture)

Discover whether the application uses Nginx, Apache, PHP, Tomcat, MySQL or Oracle. To do so, enumerate and interact with the application.

**Evidence**:

```

```
