Phase 0: Context Initialization¶

Overview¶

Phase 0 is the foundational phase where the BeDefended platform fingerprints the target application to understand its technology stack, security controls, authentication mechanisms, and attack surface. This phase outputs context.json which informs all subsequent testing phases.

Purpose: Build a comprehensive understanding of the target without triggering alarms or performing any intrusive testing.

What Happens¶

The context initialization process performs intelligent reconnaissance to extract:

• Technology Stack: Web framework (Django, Spring, .NET, Node.js, Rails, etc.), server software, databases, APIs
• Web Application Firewall (WAF): Detection and characterization (ModSecurity, Cloudflare, AWS WAF, Akamai, etc.)
• Authentication Methods: Session-based, JWT, OAuth2, SAML, multi-factor authentication
• Authorization Mechanisms: Role-based access control (RBAC), attribute-based (ABAC), or custom
• API Architecture: REST, GraphQL, SOAP, WebSocket, or gRPC endpoints
• Security Headers: Content-Security-Policy, X-Frame-Options, HSTS, SameSite cookies
• Attack Surface: Entry points, sensitive endpoints, file upload functionality, search parameters
• Infrastructure: Cloud provider (AWS, GCP, Azure), containerization (Docker, Kubernetes)
• Third-party Integrations: Stripe, Okta, Salesforce, Firebase, etc.

Execution Flow¶

graph LR
    A["Start Phase 0<br/>Context Init"] --> B["HTTP HEAD/GET<br/>Root URL"]
    B --> C["Fingerprint Stack<br/>Headers, HTML Meta"]
    C --> D["Identify Auth<br/>Session vs JWT vs OAuth"]
    D --> E["Scan JavaScript<br/>API patterns, tech hints"]
    E --> F["Test Security Headers<br/>CSP, HSTS, SameSite"]
    F --> G["Detect WAF<br/>Error messages, blocking"]
    G --> H["Build context.json<br/>Shared state for all phases"]
    H --> I["Continue to Phase 0.5<br/>Walkthrough"]

    style A fill:#4a148c,color:#fff
    style I fill:#4a148c,color:#fff
    style H fill:#ab47bc,color:#fff

Key Data Extracted¶

The context.json file contains structured information for use by all downstream skills:

{
  "_version": "1.0",
  "target": "https://api.example.com",
  "timestamp": "2026-03-13T10:30:00Z",

  "tech_stack": {
    "web_framework": "Spring Boot 3.0",
    "language": "Java",
    "database": "PostgreSQL",
    "server": "Tomcat 10.1",
    "cdn": "Cloudflare",
    "frontend": "React 18.2"
  },

  "auth": {
    "primary_method": "Bearer JWT",
    "secondary_method": "Session Cookie (JSESSIONID)",
    "mfa_detected": true,
    "mfa_type": "TOTP"
  },

  "waf": {
    "detected": true,
    "type": "ModSecurity",
    "version": "3.0",
    "rules": "OWASP ModSecurity Core Rule Set 3.4"
  },

  "security_headers": {
    "csp_policy": "default-src 'self'; script-src 'self' cdn.example.com",
    "hsts_max_age": 31536000,
    "x_frame_options": "DENY",
    "samesite_cookies": "Strict"
  },

  "api_endpoints_discovered": [
    "/api/v1/auth/login",
    "/api/v1/users/{id}",
    "/api/v1/products",
    "/api/v1/orders"
  ],

  "suspicious_indicators": [
    "debug=1 parameter in source",
    "X-Forwarded-* headers accepted",
    "Error messages leak app version"
  ]
}

Techniques Used¶

1. HTTP Header Analysis¶

• Make HEAD request to capture server information
• Parse Server, X-Powered-By, X-AspNet-Version headers
• Analyze Date, ETag, Via for caching layers
• Check for rate-limit headers: X-RateLimit-*, RateLimit-*

2. HTML & JavaScript Analysis¶

• Extract technology hints from HTML comments, meta tags
• Parse inline JavaScript for API endpoints and configuration
• Download JavaScript bundles and analyze imports
• Search for webpack/vite manifests revealing build system

3. Security Header Evaluation¶

• Test for presence of HSTS, CSP, X-Frame-Options
• Analyze CSP policy strictness (are unsafe-inline/unsafe-eval present?)
• Check SameSite cookie attributes
• Evaluate X-Content-Type-Options and X-XSS-Protection

4. Authentication Probing¶

• Attempt unauthenticated access to /api/v1/auth/me to determine auth requirement
• Test with invalid JWT (alg: none) to detect algorithm confusion vulnerability
• Check for session persistence: access same endpoint with and without cookies
• Probe OAuth endpoints (/.well-known/openid-configuration, /.well-known/oauth-authorization-server)

5. WAF Detection¶

• Test WAF behavior with known WAF signatures in payloads
• Analyze error messages, response times, and blocking status codes
• Attempt bypass techniques (case variation, encoding, null bytes)
• Map WAF rules based on response patterns

6. API Discovery¶

• Scan for common API paths: /api/v1/*, /api/v2/*, /rest/*, /graphql
• Test for OpenAPI/Swagger endpoints: /swagger.json, /api-docs, /openapi.json
• Check for GraphQL introspection queries
• Probe SOAP endpoints: /soap/, /?wsdl

Output Files¶

Non-Intrusive Nature¶

CRITICAL: Phase 0 performs ONLY passive reconnaissance. No exploitation, no authentication bypass attempts, no fuzzing. Every request is: - Made to the root domain only (no enumeration of unrelated subdomains) - Limited to standard HTTP methods (GET, HEAD, OPTIONS) - Using rate limits to appear as normal user traffic - Logged with timestamp in logs/context-init.log

Decision Point: Continue or Abort?¶

After Phase 0 completes, review context.json:

1. Proceed if: Target is accessible, basic tech stack identified, authentication method determined
2. Investigate further if: WAF detected → Phase 3 Scan may need modified payloads
3. Abort if: Target returns 403 for all requests (blocked), or scope cannot be confirmed from the app

Phase 0 is a prerequisite for all downstream testing. Without it, later phases make invalid assumptions about: - Token formats (they might expect JWT when the app uses sessions) - API endpoints (they might test /api/v2/ when the app uses /api/v1/) - Authentication bypass techniques (they might try OAuth when the app uses SAML)

Next Phase¶

After Phase 0 completes successfully, continue to Phase 0.5: Walkthrough to perform authenticated crawling and discover all user-accessible endpoints and functionality.