Using Bash to identify web applications
As a consultant pentester who is given a list of IP or network addresses by an external customer, you may fall into the bad habit of testing only those IP or network addresses without performing enough OSINT to discover all the domain names that resolve to them. I did this myself when I was a junior pentester and have also witnessed this from people I have mentored. This is not ideal because of how web servers behave when a site is requested by IP address rather than by domain name.
A web server hosting multiple applications, a load balancer, or a reverse proxy will return the default site when an IP address is used in the URL or in the HTTP Host header. Unbeknownst to you, there may be additional websites hosted on that IP address, and you will miss vulnerable applications if you don't perform DNS enumeration and test the applicable domain names. You can read more about the HTTP Host header at https://portswigger.net/web-security...
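As an added example that is not part of the original post, the following Bash script makes the point concrete: it fetches the default site for a bare IP, then re-requests the same IP with each candidate hostname in the Host header and reports every hostname whose response fingerprint (status, body size, title) differs from the default. The IP 192.0.2.10 and the wordlist name are placeholders; the hostname list comes from your own DNS enumeration.

```shell
#!/usr/bin/env bash
# Added example: detect virtual hosts that a bare-IP request never shows.
# Assumes curl is installed; the IP and wordlist below are placeholders.
set -u

# fingerprint: read a raw HTTP response (headers + body) on stdin and print
# "<status> <body-bytes> <title>" so two responses can be compared cheaply.
# CRs are stripped first so the header/body split works for CRLF responses.
fingerprint() {
  local raw status body title bytes
  raw=$(tr -d '\r')
  status=$(printf '%s\n' "$raw" | head -n1 | awk '{print $2}')
  body=$(printf '%s\n' "$raw" | sed '1,/^$/d')      # drop everything up to the blank line
  bytes=$(printf '%s' "$body" | wc -c | tr -d ' ')
  title=$(printf '%s\n' "$body" | grep -oi '<title>[^<]*' | head -n1 | cut -c8-)
  printf '%s %s %s\n' "${status:-000}" "$bytes" "${title:-<none>}"
}

# probe_host: request http://<ip>/ with an explicit Host header and fingerprint it.
# -s silent, -i include response headers, --max-time so a dead host does not hang.
probe_host() {
  local ip=$1 host=$2
  curl -s -i --max-time 10 -H "Host: $host" "http://$ip/" | fingerprint
}

# vhost_scan: compare each candidate hostname against the default site for the IP.
# A different fingerprint means the server selected a different application.
vhost_scan() {
  local ip=$1 wordlist=$2 base fp host
  base=$(probe_host "$ip" "$ip")
  echo "default site for $ip: $base"
  while read -r host; do
    [ -z "$host" ] && continue
    fp=$(probe_host "$ip" "$host")
    [ "$fp" != "$base" ] && echo "DIFFERENT  $host -> $fp"
  done < "$wordlist"
}

# Usage (placeholder target and wordlist):
# vhost_scan 192.0.2.10 candidate-hostnames.txt
```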