Our first step in any active recon could very well be to attempt a scan, but before taking on any job or task, it's a good idea to simply browse to the site's main page first. Using browser plugins such as Wappalyzer (https://wappalyzer.com), we can easily see an initial footprint of the website and discover the platform or framework a web application is built on (as discussed in Chapter 1, Common Web Applications and Architectures). We'll start our detailed Arachni best practices using the Damn Vulnerable Web Application (DVWA), so let's see what the browser and Wappalyzer can tell us before we dive into a scan!
As seen in the following screenshot, DVWA is apparently running on a Linux operating system and employs Apache as the web server, MySQL as the database, and a mix of scripting languages (Python, Perl, Ruby...