eWPTv2
GitHubPortfolioTwitter/XMediumCont@ctHome
  • 📝eWPTv2
    • 1️⃣​1 - Introduction to Web App Security Testing
      • 1.1 Web Application
      • 1.2 Web App Architecture
      • 1.3 HTTP/HTTPS
      • 1.4 Web App Pentesting Methodology
    • 2️⃣2 - Web Fingerprinting and Enumeration
      • 2.1 Information Gathering
        • 2.1.1 DNS Recon
          • 2.1.1.1 DNS Zone Transfer
          • 2.1.1.2 Subdomain Enumeration
        • 2.1.2 WAF Recon
      • 2.2 Passive Crawling & Spidering
      • 2.3 Web Server Fingerprinting
        • 2.3.1 File & Directory Brute-Force
    • 3️⃣3 - Web Proxies
      • 3.1 Burp Suite
      • 3.2 OWASP ZAP
    • 4️⃣4 - Cross-Site Scripting (XSS)
      • 4.1 XSS Anatomy
      • 4.2 Reflected XSS
      • 4.3 Stored XSS
      • 4.4 DOM-Based XSS
      • 4.5 Identifying & Exploiting XSS with XSSer
    • 5️⃣5 - ​SQL Injection (SQLi)
      • 5.1 DB & SQL Introduction
      • 5.2 SQL Injection (SQLi)
      • 5.3 In-Band SQLi
      • 5.4 Blind SQLi
      • 5.5 NoSQL
      • 5.6 SQLMap
      • 5.7 Mitigation Strategies
    • 6️⃣6 - ​Common Attacks
      • 6.1 HTTP Attacks
        • 6.1.1 HTTP Method Tampering
        • 6.1.2 Attacking HTTP Authentication
      • 6.2 Session Attacks
        • 6.2.1 Session Hijacking
        • 6.2.2 Session Fixation
        • 6.2.3 Session Hijacking via Cookie Tampering
      • 6.2 CSRF
      • 6.3 Command Injection
    • 7️⃣7 - ​File & Resource Attacks
      • 7.1 File Upload Vulnerability
      • 7.2 Directory Traversal
      • 7.3 File Inclusion (LFI and RFI)
        • 7.3.1 Local File Inclusion (LFI)
        • 7.3.2 Remote File Inclusion (RFI)
    • 8️⃣8 - CMS Pentesting
      • 8.1 - Wordpress & Drupal
    • 9️⃣9 - Encoding, Filtering & Evasion
      • 9.1 - Obfuscating attacks using encodings
    • 📄Report
      • How to write a PT Report
  • 🛣️RoadMap / Exam Preparation
  • 📔eWPT Cheat Sheet
Powered by GitBook
On this page
  • Crawling
  • Spidering
  • Spidering with OWASP ZAP
  1. eWPTv2
  2. 2 - Web Fingerprinting and Enumeration

2.2 Passive Crawling & Spidering

Previous2.1.2 WAF ReconNext2.3 Web Server Fingerprinting

Last updated 1 year ago

Crawling and Spidering are techniques used to automatically browse and index web content, typically performed by search engines or web crawlers. Here's a breakdown of each:

Crawling

  • Crawling is the process of systematically browsing the web to discover and index web pages.

  • A crawler, also known as a web spider or web robot, starts with a list of seed URLs and then follows hyperlinks from one page to another, recursively.

  • Crawlers retrieve web pages, extract links from them, and add new URLs to their queue for further crawling.

  • They often adhere to a set of rules specified in a file called robots.txt to determine which parts of a website they are allowed to crawl and index.

  • We can utilize 's passive crawler to map out the web app and understand its structure (navigating on website an retrieve the site map).

Spidering

  • Spidering is a term often used interchangeably with crawling, referring to the automated process of fetching web pages and following links.

  • It derives from the analogy of a spider weaving a web by moving from one location to another and creating connections.

  • Spidering involves systematically traversing the web, exploring web pages and their links to index content for search engines or other purposes.

  • Spidering algorithms may vary based on the specific objectives, such as optimizing for depth-first or breadth-first traversal, or prioritizing certain types of content.

  • We can utilize Burp Suite Pro or 's Spider to automate the process of spidering a web application to map out the web app and understand its structure.

Spidering with OWASP ZAP

  • Abilitate Foxy Proxy on browser (Firefox)

  • Refresh webpage to retrieve Sites Link on ZAP

  • Click on Tools -> Spider

  • Select URL and abilitate recurse

  • Start Scan

We obtained more URIs and we can save them into .csv format for a better exportation and manipulation.

📝
2️⃣
Burp Suite
OWASP ZAP