---
name: pentest-recon-attack-surface
description: White-box attack surface mapping — correlate external scans, browser exploration, and source code into structured endpoint inventory, role architecture, and authorization vulnerability candidates.
---

# Pentest Recon Attack Surface

## Purpose
Perform comprehensive attack surface mapping by correlating three data sources: external network scans, authenticated browser exploration, and source code analysis. Produces a structured endpoint inventory with authorization metadata, role/privilege architecture, and prioritized authorization vulnerability candidates for downstream code review and exploitation.

## Prerequisites

### Authorization Requirements
- **Written authorization** with explicit scope for reconnaissance and source code access
- **Source code access** to the target application (white-box engagement)
- **Test accounts** at every privilege level (anonymous, user, admin, service)
- **Network scan approval** — confirm acceptable scan intensity with target owner

### Environment Setup
- nmap, subfinder, httpx, whatweb for external reconnaissance
- Playwright with authenticated browser contexts
- katana or gospider for web crawling
- ffuf for content discovery
- semgrep and ripgrep for source code analysis
- Access to deployment configs (Dockerfile, docker-compose, k8s manifests)

## Core Workflow
1. **Technology Fingerprinting**: Run whatweb + httpx to identify frameworks, languages, server versions, WAF presence, and response header signatures.
2. **External Scan Correlation**: Execute nmap service scan + subfinder subdomain enumeration. Cross-reference discovered services against deployment configs (docker-compose ports, k8s service definitions) to identify exposed vs internal-only services.
3. **Interactive Browser Exploration**: Authenticated Playwright crawl at each privilege level. Capture all XHR/fetch requests, form submissions, WebSocket connections, and dynamic route transitions. Record request/response pairs with auth context.
4. **Route Mapper**: Parse all backend route definitions from source code with file:line pointers. Extract HTTP method, path pattern, middleware chain, and handler function for every endpoint.
5. **Authorization Checker**: For each route, trace the middleware chain to identify auth/authz enforcement. Flag endpoints missing authentication middleware or with inconsistent authorization patterns.
6. **Input Validator**: Analyze validation logic per parameter — identify parameters with no server-side validation, client-only validation, or incomplete validation (e.g., type check but no range check).
7. **Session Handler**: Trace token lifecycle from issuance through validation to expiry. Map session storage mechanism, token rotation policy, and logout invalidation behavior.
8. **Authorization Architecture**: Synthesize role definitions, permission assignments, and privilege lattice from source code. Identify horizontal/vertical/workflow authorization vulnerability candidates.

## Output Deliverables

| Deliverable | Description |
|-------------|-------------|
| API Endpoint Inventory | Table: method, path, auth_required, roles_allowed, validation_summary, file:line |
| Network Interaction Map | External services, internal services, exposed ports, subdomain inventory |
| Role & Privilege Architecture | Role hierarchy, permission matrix, privilege escalation paths |
| Authorization Vulnerability Candidates | Prioritized list of endpoints with suspected authz gaps |
| Session Architecture | Token type, storage, rotation, expiry, invalidation behavior |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Fingerprinting | whatweb, httpx, wappalyzer | Technology and framework identification |
| Network Recon | nmap, subfinder, amass | Service discovery and subdomain enumeration |
| Web Crawling | Playwright, katana, gospider | Authenticated crawling and dynamic exploration |
| Content Discovery | ffuf, feroxbuster | Hidden endpoint and directory discovery |
| Code Analysis | semgrep, ripgrep, ast-grep | Route extraction and middleware tracing |
| Config Analysis | manual review | Deployment config correlation |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Reconnaissance workflow definitions and correlation procedures