Enumeration is not really a step or phase. We continue to enumerate throughout every step of testing an application. Even during exploitation, especially when our exploits fail, we continue to enumerate. So with that, one could argue that this is the most critical skill to develop.

At the start of our engagement, we need to orient ourselves and carry out enough enumeration so that we understand the target enough to:

  1. Uncover the full attack surface

  2. Begin our attacks

  3. Overcome weak defenses

  4. Ensure we don’t miss things

The below checklist is a good starting point if you want to carry out thorough enumeration but not entirely sure where to begin. Work through them, take good notes, and you’ll be setting yourself up to work efficiently and for success.


  • What technologies are being used? E.g. server software, web application framework, JavaScript libraries, etc.
  • What functionality exists? Consider its intended use, user roles, access controls, etc.
  • What entry points exist? E.g. URLs, user inputs, etc.
  • Can we map the application? I.e. Understand the directory and file structure.
  • What code is running client-side? E.g. JavaScript, Flash, etc.
  • What is running server-side?

Other things we may consider:

  • How are sessions handled?
  • Is it worth looking more closely at the data flow? This is useful in larger and more complex applications.
This post is licensed under CC BY 4.0 by the author.