Of course, any good project starts with enumeration, so you have to make sure you are well equipped for the task at hand. Whether your tool of choice is Burp Suite or OWASP ZAP, you will find you have to set up very similar things to get started. Burp Suite starts with the scope section; ZAP does the same but calls it “contexts”. Make sure you configure this correctly, or you might wander out of scope without intending to, which can have legal repercussions. Sometimes the program defines the scope itself, while other times it is fixed by contract or by law. Whatever the case, in Burp Suite make sure to enable advanced scope control: it lets you match on the individual parts of a URL (protocol, host, port and file, with regular expressions for the host and file parts) instead of always having to match on a URL prefix.
The same scope can be expressed with advanced scope control:
Please note that you can also load a list of URLs into Burp Suite, or a list of regular expressions into a ZAP context, and Burp can paste a list of URLs straight from the clipboard as well. For the sake of clarity, I will be writing a separate ZAP article later on.
Make sure to also fill in the domains you know are out of scope in the exclude section. Exclude rules take precedence over include rules, so a broad include combined with targeted excludes is the safe pattern, and it will save you a lot of headaches later on.
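To see how the advanced rules behave before trusting them, here is a small added example that is not code from the original post or from Burp: a Python script that mirrors Burp's scope model (a URL is in scope when at least one include rule matches and no exclude rule matches, so exclusions always win) and runs a constructed list of candidate URLs through constructed rules. The hostnames, paths and rules are made up, and applying the file pattern to the path plus query string is this script's own assumption, so treat it as a way to sanity-check a scope list before pasting it into Burp rather than as Burp's own matching code.

```python
import re
from urllib.parse import urlsplit

# Constructed scope rules in the shape of Burp's advanced scope control:
# a protocol (http, https or any) plus regular expressions for host, port
# and file. An empty pattern matches anything, as it does in Burp.
# The hostnames and paths below are made up for this example.
INCLUDE = [
    {"protocol": "https", "host": r"^(www|api)\.example\.com$",
     "port": r"^443$", "file": r"^/.*"},
    {"protocol": "any", "host": r"^.*\.staging\.example\.com$",
     "port": "", "file": r"^/api/v[0-9]+/.*"},
]
EXCLUDE = [
    # session-ending or destructive endpoints we never want a spider or scanner to hit
    {"protocol": "any", "host": r"^.*\.example\.com$",
     "port": "", "file": r"^/(logout|account/delete)"},
    # a host the programme explicitly listed as out of scope (constructed)
    {"protocol": "any", "host": r"^legacy\.example\.com$",
     "port": "", "file": ""},
]


def _rule_matches(rule, url):
    """Return True when every part of the rule matches the URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit already lowercases the host
    port = parts.port or (443 if scheme == "https" else 80)
    # Assumption for this example: the "file" pattern is applied to the
    # path plus the query string.
    path_and_query = parts.path or "/"
    if parts.query:
        path_and_query += "?" + parts.query
    if rule["protocol"] != "any" and rule["protocol"] != scheme:
        return False
    for key, value in (("host", host), ("port", str(port)), ("file", path_and_query)):
        pattern = rule.get(key, "")
        if pattern and not re.search(pattern, value):
            return False
    return True


def in_scope(url, include=INCLUDE, exclude=EXCLUDE):
    """Burp semantics: in scope when at least one include rule matches
    and no exclude rule matches; an exclude always wins."""
    if any(_rule_matches(rule, url) for rule in exclude):
        return False
    return any(_rule_matches(rule, url) for rule in include)


def check_sitemap(urls, include=INCLUDE, exclude=EXCLUDE):
    """Split candidate URLs (for example copied out of the site map) into
    in-scope and out-of-scope lists for review before any active testing."""
    result = {"in_scope": [], "out_of_scope": []}
    for url in urls:
        bucket = "in_scope" if in_scope(url, include, exclude) else "out_of_scope"
        result[bucket].append(url)
    return result


if __name__ == "__main__":
    # Constructed sample site map.
    sample = [
        "https://www.example.com/login",
        "https://www.example.com/logout",
        "https://www.example.com/account/delete?confirm=1",
        "http://www.example.com/login",
        "https://api.example.com:8443/v1/users",
        "http://app.staging.example.com/api/v2/users?id=1",
        "https://legacy.example.com/",
    ]
    for bucket, urls in check_sitemap(sample).items():
        print(bucket)
        for url in urls:
            print("  ", url)
```

Two things the output makes obvious that a URL-prefix scope hides: a non-default port or a plain-http scheme on an in-scope host silently falls out of scope, and an exclude for /logout or /account/delete keeps a spider or scanner from ending your own session or deleting test data even though the host is included.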
Now our mission is to fill up the site map and gather as many endpoints as possible. To make the task a bit easier on ourselves, we can enable a few options that make hidden form fields easy to spot and automatically work around client-side restrictions such as disabled fields and input length limits.
Go to Proxy > Options and scroll down to the response modification section, then enable: unhide hidden form fields, prominently highlight unhidden fields, enable disabled form fields, and remove input field length limits.
All of these are client-side controls enforced only by the browser, so anyone editing requests in a proxy ignores them anyway; we will do the same. I don’t like using the other options since they mess too much with the response. For example, removing the secure flag from cookies rewrites an actual server setting, so you would be testing a response the server never sent.
Now you can start filling up that site map by clicking around and making sure you touch every piece of functionality with the basic CRUD actions (Create, Read, Update, Delete), so that the proxy records every endpoint and parameter the application uses.
Of course, the vanilla Burp Suite experience is really nice, but a large part of its beauty comes from its extensibility. We could write our own extension from scratch, but that would usually be counterproductive, since extensions already exist covering pretty much any requirement. I have a few basic ones installed before I dive into hacking the functionality.