Thursday, 29 March 2012

Mapping The Application

The first step in the process of attacking an application is gathering some key information about it, to gain a better understanding of what you are up against. The mapping exercise begins by enumerating the application's content and functionality to understand what the web application does and how it behaves. Much of this functionality is easy to identify, but some of it may be hidden, requiring a degree of guesswork and luck to discover.




  • Enumerating Content and Functionality 
In a typical web application, the majority of content and functionality can be identified via manual browsing, as shown below:



[Image: manual browsing]
  
We can also identify some functionality via manual browsing, as shown below.

However, to perform a rigorous inspection of the enumerated content, and to obtain a comprehensive record of everything identified, you must employ more advanced techniques than simple browsing. You can also identify content of the application via its robots.txt file, as in the picture shown below:


  •  Web Spidering
Various tools can perform automated spidering of a website. These tools work by requesting a web page, parsing it for links to other content, requesting those links, and continuing recursively until no new content is discovered.
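As an added example (not code from the original post, and not Burp's or DirBuster's code), here is the spidering loop just described, with the robots.txt hint from the previous section folded in: it reads the Disallow paths from robots.txt as extra starting points, requests each page, extracts links, and keeps going until nothing new turns up. The "site" is a constructed in-memory dictionary standing in for HTTP responses, and the host name target.example is a placeholder, so it runs offline; the fetch() function is the one piece you would swap for a real HTTP client when inventorying an application you are responsible for.

```python
"""Minimal web spider over a constructed in-memory site (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Constructed sample site (path -> body). Not a real site.
SITE = {
    "/robots.txt": "User-agent: *\nDisallow: /admin/\nDisallow: /old-backup/\n",
    "/": '<a href="/about">About</a> <a href="/products?id=1">P1</a> '
         '<a href="http://other.example/x">external</a>',
    "/about": '<a href="/">Home</a> <a href="/about#team">Team</a> <a href="/contact">Contact</a>',
    "/products?id=1": '<a href="/products?id=2">next</a>',
    "/products?id=2": '<a href="/products?id=1">prev</a>',
    "/contact": '<form action="/contact/send" method="post"></form>',
    "/admin/": '<a href="/admin/users">Users</a>',
    "/old-backup/": "",
}
BASE = "http://target.example"  # placeholder host, not a real target


class LinkExtractor(HTMLParser):
    """Collect href/src/action values: the 'links' a spider follows."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def fetch(path):
    """Stand-in for an HTTP GET against SITE; returns (status, body)."""
    if path in SITE:
        return 200, SITE[path]
    return 404, ""


def robots_paths(body):
    """Paths named in robots.txt Disallow/Allow lines (hints at unlinked content)."""
    paths = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow") and value.strip():
            paths.append(value.strip())
    return paths


def normalise(base_url, link):
    """Resolve a link, drop its fragment, keep only same-host URLs; return path or None."""
    url, _fragment = urldefrag(urljoin(base_url, link))
    parsed = urlparse(url)
    if parsed.netloc != urlparse(BASE).netloc:
        return None  # out of scope: do not follow off-host links
    path = parsed.path or "/"
    if parsed.query:
        path += "?" + parsed.query
    return path


def spider(start="/"):
    """Breadth-first crawl: request, parse links, enqueue unseen ones, stop when queue is empty.
    Returns {path: status} for every path requested."""
    status, body = fetch("/robots.txt")
    queue = [start] + (robots_paths(body) if status == 200 else [])
    seen = set()
    found = {}
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = fetch(path)
        found[path] = status
        if status != 200:
            continue  # record the miss but nothing to parse
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            child = normalise(BASE + path, link)
            if child is not None and child not in seen:
                queue.append(child)
    return found


if __name__ == "__main__":
    for path, status in sorted(spider().items()):
        print(status, path)
```

Two details matter for a useful inventory: fragments (`/about#team`) are stripped so the same page is not fetched twice, and query strings are kept, because `/products?id=1` and `/products?id=2` may well be different functionality. Paths that only robots.txt mentioned (`/old-backup/`) show up in the result even though no page links to them, which is exactly why the previous section suggests reading that file.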

Burp Suite is one of several tools that provide this. Find out how to use Burp Spider yourself from here.

Let's look at the picture shown below as an example of how Burp Spider works:


  •  Brute-Force Techniques
Burp Intruder can be used to perform brute-force techniques to find content and functionality within a website, but I chose DirBuster from the OWASP project for this process. It is simple to use!
Look at the picture below to see how DirBuster works:
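Added example from the other side of the table (not part of the original post, and not DirBuster's or Burp's code): the wordlist-based discovery described above leaves a very recognisable footprint in the web server's access log, namely one client requesting many distinct paths that do not exist, in a short time. The code below parses combined-format log lines and flags any client that produces at least `threshold` distinct 403/404 paths inside a sliding `window`. The log lines are constructed samples (the IPs are documentation ranges, the host target.example is a placeholder), and the threshold and window are assumptions you would tune to your own traffic.

```python
"""Detect wordlist-style content discovery in web access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines, not from a real server: 198.51.100.9 is a normal
# visitor, 203.0.113.7 walks a wordlist against paths that do not exist.
SAMPLE_LOG = """\
198.51.100.9 - - [29/Mar/2012:10:00:00 +0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2012:10:00:01 +0700] "GET /admin HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:01 +0700] "GET /backup HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:02 +0700] "GET /test HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [29/Mar/2012:10:00:02 +0700] "GET /about HTTP/1.1" 200 2210 "http://target.example/" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2012:10:00:02 +0700] "GET /old HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:03 +0700] "GET /config HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:03 +0700] "GET /private HTTP/1.1" 403 199 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:04 +0700] "GET /db HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
198.51.100.9 - - [29/Mar/2012:10:00:05 +0700] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2012:10:00:05 +0700] "GET /logs HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
203.0.113.7 - - [29/Mar/2012:10:00:06 +0700] "GET /upload HTTP/1.1" 404 162 "-" "DirBuster-1.0-RC1"
"""

MISS_STATUSES = {403, 404}  # "not there" or "there but forbidden": both count as a probe miss


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"] or "",
        })
    return records


def detect_content_bruteforce(records, window=timedelta(seconds=60), threshold=8):
    """Return {ip: max_distinct_miss_paths} for clients that requested at least
    `threshold` distinct paths answered 403/404 within any span of `window`.
    Threshold and window are assumed values; tune them to your own baseline."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] in MISS_STATUSES:
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until hits[start:end+1] fits in `window`
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            distinct = {r["path"] for r in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def scanner_user_agents(records):
    """Secondary signal only: a default scanner User-Agent is trivially changed."""
    return sorted({r["ua"] for r in records if "dirbuster" in r["ua"].lower()})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flagged:", detect_content_bruteforce(recs))
    print("scanner UAs seen:", scanner_user_agents(recs))
```

Counting distinct missed paths rather than raw 404s keeps a normal visitor with a missing favicon, or a page that is reloaded many times, from tripping the rule, while a wordlist run cannot avoid producing many different misses. The User-Agent check is shown only as a corroborating signal: the tool's default string is useful when it is present, but the rate-and-diversity pattern is what survives a changed User-Agent.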



 thanks..!!!!
