Recon

GraphQL wordlists

The team from Escape did great work extracting words from over 60,000 GraphQL schemas and compiled wordlists that we can all reliably use for brute-forcing GraphQL. It’s divided into separate categories for different contexts like queryField or argument....

Nuclei Foundation series

The ProjectDiscovery channel now features a series of videos explaining how to use Nuclei, a tool that needs no introduction. The videos are created by PwnFunction so the quality is absolutely top-notch!...

Recon – tools for wildcard scope vs open scope

In the survey I mentioned in the intro, a lot of you said that you struggle with recon and you’d like more tips about that. Here is a great article by Golden where he wrote down concrete tools that he uses for recon. What I like about it is how he divided which ones...

xnLinkFinder

xnLinkFinder is a great tool that can extract links for a given target. It can consume a URL, local files or Burp/OWASP ZAP project file. Personally, I start with all the links from Burp’s sitemap and wayback machine. I download all these files to then feed them to...

Copyright-based recon

Jason Haddix has been very active on Twitter recently. Usually, I’m far from recommending Twitter to someone as a good learning source. It’s possible, no question about that, but it’s really hard to filter tips from other Tweets (and this includes my profile!). I’m mostly...

Finding companies’ AWS attack surface

Recon.cloud is a website that gathers information about AWS assets of many companies. They advertise having discovered over 330,000 of them. It might be a good way to find hidden subdomains that may be overlooked by other tools.

Creating wordlists

I'm not a recon-heavy type of hacker. To be honest, understanding and deep diving are much more interesting to me. However, I also want to know something about enumeration. So I took a look at "Creating Wordlists for Hacking, Pentesting & Bug Bounty Hunting Using...

Extracting words specific to a target

TomNomNom is an absolute genius when it comes to working with bash. When there's a task that takes too long to complete, he just writes his own script to do the work for him. In the last issue we talked about what wordlists are; today let's talk about actually...