1. Recon and analysis
1.1 Map application content
1.1.1 Find all subdomains
Use recon-ng to find all subdomains.
Use nmap to scan for open ports on every IP address.
1.1.2 Enumerating Content and Functionality
(1). Web Spidering
(2). User-Directed Spidering
(3). Discovering Hidden Content
(4). Application Pages Versus Functional Paths
(5). Discovering Hidden Parameters
1.1.3 Analyzing the application
(1). Identifying Entry Points for User Input
(2). Identifying Server-Side Technologies
(3). Identifying Server-Side Functionality
(4). Mapping the Attack Surface