web_app_recon_ci-cd_public
by onurcangnc
Automated Reconnaissance for Web Applications in CI/CD Pipelines
Pitch

This project provides a Recon-as-Code solution for passive web application reconnaissance. It uses GitHub Actions for CI/CD, runs a set of established recon tools, and presents the findings in a Flask dashboard so that users can review their external attack surface and improve their security posture with minimal manual work.

Description

Recon-as-Code: Passive Web Application Reconnaissance in a CI/CD Pipeline

This project provides a fully automated Recon-as-Code workflow designed for passive reconnaissance of web application environments. It leverages GitHub Actions for CI/CD automation, integrates robust reconnaissance tools, and features a Flask-powered dashboard for visualized and authenticated access to reconnaissance findings.

Key Features

  • Subdomain Enumeration: Utilize subfinder and assetfinder to discover subdomains efficiently.
  • Live Host Probing: Conduct live probing with httpx, focusing on filtered responses (2xx/3xx).
  • Archived URL Extraction: Leverage waybackurls to extract historically cached URLs.
  • Technology Stack Fingerprinting: Identify web technologies in use using whatweb.
  • DNS Record Enumeration: Perform detailed DNS record analysis with dnsx.
  • Subdomain Takeover Detection: Check subdomains for dangling-DNS takeover conditions with subzy.
  • Optional GitHub Leak Detection: Search GitHub for leaked secrets and sensitive files with github-dorks.
  • Dynamic HTML Reports: Generate HTML reports with pagination and dark-mode support.
  • Authenticated Dashboard: Access findings through a secure Flask dashboard with session validation and a user-friendly interface.
  • Matrix-style UI: Enjoy an engaging and visually appealing animated interface in dark mode.

Technologies Used

  • Python (Flask): Serves as the web interface and manages session logic.
  • SQLite: Stores user credentials as bcrypt hashes.
  • JavaScript: Enables pagination, authentication functionalities, and animated graphics.
  • Docker: Provides a reliable runtime environment for the application.
  • GitHub Actions: Automates the CI/CD workflows that run reconnaissance tools.
  • Self-hosted Runner: Supports volume-mounted deployment for added flexibility.

CI/CD Workflow

The CI/CD workflow defined in web_app_recon.yml handles passive reconnaissance by:

  1. Accepting user-provided domain inputs (defaulting to target.com).
  2. Executing passive reconnaissance tools concurrently.
  3. Storing outputs as text files in the findings/ directory.
  4. Copying findings into the /output/data/ directory.
  5. Generating comprehensive HTML reports using generate_report.py.
  6. Making reports accessible via the authenticated Flask frontend.

Authentication & Security

  • Login is validated against bcrypt-hashed credentials stored in SQLite.
  • Session management terminates a session after 10 minutes of inactivity; the check protects the /dashboard page and the report routes.
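The two controls above, as an added example that is not the project's own dashboard code: a credential check against a SQLite user table and an idle-timeout session guard of the kind a Flask `before_request` hook would run. To stay standard-library only it substitutes `hashlib.pbkdf2_hmac` for the bcrypt the project uses and a plain dict for the Flask session object; `SessionGuard`, `verify_login` and the other names are assumptions, not identifiers from the project.

```python
"""Credential verification and idle-timeout session validation.

Added example, not the project's code. pbkdf2_hmac stands in for bcrypt
and a dict stands in for the Flask session; all names are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3
import time
from typing import Optional, Tuple

IDLE_LIMIT_SECONDS = 10 * 60   # the 10-minute inactivity window described above
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def create_user_store() -> sqlite3.Connection:
    """In-memory SQLite user table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Constant-time compare; an unknown user still pays the hash cost so that
    response timing does not reveal which usernames exist."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


class SessionGuard:
    """Tracks last activity per session and rejects sessions idle for longer
    than the limit. `clock` is injectable so the timeout can be tested."""

    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS, clock=time.time):
        self.idle_limit = idle_limit
        self.clock = clock

    def login(self, session: dict, username: str) -> None:
        session.clear()                      # drop any pre-login state
        session["user"] = username
        session["last_seen"] = self.clock()

    def is_valid(self, session: dict) -> bool:
        """True (and last_seen refreshed) if the session is live; otherwise the
        session is cleared and False is returned so the route can redirect."""
        user = session.get("user")
        last = session.get("last_seen")
        now = self.clock()
        if user is None or last is None or now - last > self.idle_limit:
            session.clear()
            return False
        session["last_seen"] = now
        return True
```

Each successful request refreshes `last_seen`, so the 10 minutes count from the last activity rather than from login; a session that is checked and found expired is cleared immediately rather than left in place for a later request.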

Output Files

The following output files are generated and stored within the /output/ directory:

  • live_2xx_3xx_hosts.html: Lists subdomains with active HTTP(S) services.
  • dns_info.html: Presents detailed DNS record analysis.
  • subzy_results.html: Displays results for identified vulnerable subdomains.
  • waybackurls.html: Contains data of archived endpoints.
  • whatweb.html: Provides technology fingerprinting results.
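The report step (item 5 of the workflow) and the live_2xx_3xx_hosts.html output above, as an added example that is not the project's generate_report.py: it keeps only 2xx/3xx lines from httpx-style output, splits them into pages, and HTML-escapes every item before rendering. The escaping matters because recon output is text returned by hosts outside your control, so a banner or URL can carry markup that would otherwise execute in the dashboard. The "URL [status]" line format, the sample lines and the function names are assumptions.

```python
"""Filter httpx-style output and render a paginated, escaped HTML report.

Added example, not the project's generate_report.py. Input format and
sample lines are constructed; function names are assumptions.
"""
import html
import re
from typing import List

# Constructed sample; the last line shows why output must be escaped.
SAMPLE_HTTPX_OUTPUT = """\
https://www.example.com [200]
https://old.example.com [301]
https://dev.example.com [403]
https://api.example.com [500]
https://blog.example.com [302]
https://cdn.example.com [200] Server: <script>x</script>
"""

LINE_RE = re.compile(r"^(\S+)\s+\[(\d{3})\](.*)$")


def filter_live_hosts(raw: str) -> List[str]:
    """Keep only lines whose status code is 2xx or 3xx."""
    kept = []
    for line in raw.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not tool results
        if 200 <= int(m.group(2)) < 400:
            kept.append(line)
    return kept


def paginate(items: List[str], page_size: int) -> List[List[str]]:
    return [items[i:i + page_size] for i in range(0, len(items), page_size)]


def render_report(title: str, items: List[str], page_size: int = 50) -> str:
    """Render each page as a <ul>; only page 1 is visible, the rest are hidden
    for a JavaScript pager to toggle. Every item passes through html.escape."""
    pages = paginate(items, page_size) or [[]]
    parts = [f"<h1>{html.escape(title)}</h1>"]
    for n, page in enumerate(pages, start=1):
        style = "" if n == 1 else ' style="display:none"'
        parts.append(f'<ul class="page" data-page="{n}"{style}>')
        parts.extend(f"<li>{html.escape(item)}</li>" for item in page)
        parts.append("</ul>")
    parts.append(f'<nav data-pages="{len(pages)}"></nav>')
    return "\n".join(parts)


if __name__ == "__main__":
    hosts = filter_live_hosts(SAMPLE_HTTPX_OUTPUT)
    print(render_report("Live hosts (2xx/3xx)", hosts, page_size=2))
```

The same pattern applies to the other output files: parse the tool's text output into items, then escape each item at render time rather than trusting that tool output contains no markup.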

Architecture Overview

This workflow is a DevSecOps-aligned approach to passive reconnaissance: GitHub Actions provides the CI/CD automation, the reconnaissance tools cover DNS analysis, subdomain discovery, technology stack fingerprinting and archived URL extraction, a Python script generates the reports, and a session-controlled Flask dashboard with an animated frontend presents them.

Explore the Dashboard

To better visualize the insights gathered through this pipeline, access the live dashboard here: Live Recon Dashboard.

Contribution

Contributions and suggestions are encouraged to enhance the effectiveness of the passive reconnaissance CI/CD approach tailored for modern DevSecOps pipelines.

⚠️ Note: This project is specifically focused on passive reconnaissance techniques. Active exploitation, brute-forcing, or fuzzing methodologies are deliberately excluded.
