Web Enumeration Methodology

A beginner-friendly approach for OSCP, CTFs and web app pen-testing.

0xsanz
10 min read · Apr 4, 2021


This article describes the basics of web enumeration and is aimed at beginners. It starts with the basics and then gradually builds up to more advanced techniques.

Table of Contents

- Introduction
- Enumerate and Make Notes
- Find out the Ports
- View Page Source
- Well Known Files
- Virtual Hosts
- Web Directories Busting
- Subdomains
- Web Technologies used
- Usernames
- Brute Force Login Pages
- SQL Injection in Login Pages
- Local File Inclusion (LFI)
- Cookies Manipulation and De-serialization Vulnerabilities

Introduction

Pen testing is all about a structured approach towards a target. You can call it having a methodology; without one it is just a guessing game of trying things randomly. That might give you success initially, but in the long run you must have an approach.

There are many such methodologies and checklists out there for web enumeration. This is my attempt at creating a beginner-friendly one. It is inspired by doing many rooms on the amazing platform TryHackMe and by reading around in general about web enumeration.

My plan is to keep adding the new methods I find to this list and to keep refining the approach to web enumeration. This might also come in handy if you are preparing for OSCP or doing CTFs. So let's start:

Enumerate and Make Notes

Before we dive into the technical stuff, note that this step is very important. To enumerate means to name or list things one by one. Take notes at every step, and if you have found nothing after completing all the steps, go back through the notes to check whether you missed something. If nothing works in the end, get outside help and add the missed step to your methodology. That way you are already improving: this is an iterative process.

0xsanz

Software developer with a keen interest in security, privacy and pen-testing. Certs: Security+, PenTest+, AZ900, AZ204