web-surfacelisted

# Web Surface Enumeration > Sub-skill of `offensive-osint`. Load `osint-methodology` for pipeline and triage context. > Authorized targets only. --- ## BEHAVIORAL CONTRACT **When triggered:** Web surface enumeration, Swagger/OpenAPI/GraphQL discovery, endpoint probing, email security analysis, vendor fingerprinting, documentation leak hunting, or subdomain takeover assessment is needed. **Execute:** 1. For each alive webapp, probe the Swagger/OpenAPI paths (§1) and GraphQL paths (§2). 2. Check high-risk ports (§3) against Shodan/naabu results. 3. Audit security headers (§4) — escalate per sensitive-path rules. 4. Run always-on HTTP checks (§5) with listed match logic. 5. Probe JS guess-paths (§6) and extract endpoints via regex tiers (§7). 6. Check for internal-host leakage (§8) in JS bodies, sourcesContent, APK strings. 7. Audit email security posture (§9): parse SPF/DMARC/DKIM/BIMI/MTA-STS/TLS-RPT/DNSSEC, map severity, infer SaaS tenants from TXT records, extract DMARC vendor and MX-based IdP. 8. Fingerprint vendor products (§10) — cross-reference with CISA KEV for severity escalation. 9. Assess subdomain takeover risk (§11) using provider fingerprints. 10. Enumerate cloud buckets (§12) using permutation arsenal. 11. Check documentation/wiki leak paths (§13). 12. Query API endpoints (§14) for Wayback CDX, Postman workspace search, and Stack Exchange OSINT. 13. For each finding, assign severity per the inline tables and emit per `osint-methodology` §3 schema. **Output: