Information Gathering is the initial phase of a security assessment, where testers collect as much data as possible about a target application or system.
This step lays the groundwork for identifying potential attack vectors, system architecture, technologies in use, and exposed services.
Effective information gathering allows for a focused, efficient, and deeper security evaluation in later phases of testing.

Tests Performed in the Information Gathering Phase:

Testing for Common Libraries and Fingerprinting
This test identifies the software libraries, frameworks, and underlying technologies used by an application.
By fingerprinting components, we can detect outdated or vulnerable versions and assess potential risks associated with known vulnerabilities in third-party software.

Enumeration of Application Known Controllers
We map out the application’s exposed endpoints and controllers to understand its structure and functionality.
This enumeration helps pinpoint accessible routes, restricted areas, and potential targets for further security analysis and exploitation.

Information Disclosure by Apple System Log (ASL)
This test checks whether macOS or iOS applications inadvertently expose sensitive application data, debugging messages, or system information through the Apple System Log (ASL). Leakage through ASL can provide attackers with valuable internal details about an application’s behavior or environment.
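
One way to run the ASL check against log output captured from your own test device, as an added example that is not part of the original page. The syslog-style line layout, the process name DemoApp, the rule set and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumed layout of captured console output: "Mon D HH:MM:SS host Process[pid] <Level>: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<proc>[^\[\s]+)\[\d+\] <(?P<level>\w+)>: (?P<msg>.*)$"
)
# Illustrative rules only; extend them with the data types your application handles.
RULES = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key)\b\s*[=:]\s*(\S+)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._~+/-]{16,}=*)"),
    "email": re.compile(r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"),
    "card_number": re.compile(r"\b(\d(?:[ -]?\d){12,18})\b"),
}
# Constructed sample log; DemoApp is a hypothetical application under test.
SAMPLE_LOG = """\
Mar  3 10:15:01 iPhone DemoApp[412] <Notice>: view loaded: LoginViewController
Mar  3 10:15:04 iPhone DemoApp[412] <Debug>: POST /login user=alice@example.com password=Winter2024!
Mar  3 10:15:05 iPhone DemoApp[412] <Debug>: Authorization: Bearer abcDEF123456ghiJKL7890.mnop
Mar  3 10:15:06 iPhone backboardd[58] <Warning>: password=not-ours
Mar  3 10:15:09 iPhone DemoApp[412] <Notice>: charged card 4111 1111 1111 1111, order 1234567890123
"""

def luhn_ok(number):
    """Luhn checksum, so that arbitrary long digit runs (order ids) are not reported as cards."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return total % 10 == 0

def redact(value):
    """Keep two characters and the length so the report does not itself leak the value."""
    return value[:2] + "*" * (len(value) - 2)

def scan_log(text, process):
    """Return (line number, log level, rule, redacted value) for each hit in `process`'s messages."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["proc"] != process:
            continue  # unparsable line or another process's output
        for rule, pattern in RULES.items():
            for hit in pattern.finditer(m["msg"]):
                value = hit.group(1)
                if rule == "card_number" and not luhn_ok(value):
                    continue
                findings.append((lineno, m["level"], rule, redact(value)))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "DemoApp"):
        print(finding)
```

Every finding here is a value that should not reach the system log in a release build; the usual remediation is to remove or gate the logging call that produced it.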