Day 0: Recon
Of course, any good project starts with enumeration, so you have to make sure you are well equipped for the task at hand. Whether your tool of choice is Burp Suite or OWASP ZAP, you will find you have to set up very similar things to get started. Burp Suite starts with setting up the scope section; ZAP does the same but calls it "contexts". Make sure you configure this correctly, or you might go out of scope without intending to, which can have legal repercussions. Sometimes the programs determine the scope themselves, while other times it might be governed by law, for example. Whatever it is, in Burp Suite make sure to enable advanced scope control, as this will allow you to match on parts of the URL instead of always having to use the first part of a URL.
The same can be done with advanced scope control:
Please note that you can also load a list of URLs into Burp Suite, or a list of regexes into ZAP. For the sake of clarity, I will write a separate ZAP article later on. You can potentially also paste a list from the clipboard.
Make sure to also fill in the domains you know are out of scope in the appropriate section. It will save you a lot of headaches later on.
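To make the scope mechanics concrete, here is an added example (my own code, not Burp's or ZAP's) of a small scope matcher that mirrors the shape of Burp's advanced scope control: each rule has an optional protocol, a host regex, an optional port regex and an optional path regex, and a URL is in scope only if it matches at least one include rule and no exclude rule, exclusions winning. The `rules_from_list` helper and its `*.host` / `host` / full-URL line format are an assumed convention for turning a pasted program scope into rules; the hostnames in `SCOPE_LIST` are constructed sample values. Note the `fullmatch` on the host, which is what stops `www.example.com` from silently covering `www.example.com.other.test`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScopeRule:
    """One row of a Burp-style advanced scope table (assumed shape: protocol,
    host regex, port regex, path regex). A field left as None matches anything."""
    host: str
    protocol: Optional[str] = None
    port: Optional[str] = None
    path: Optional[str] = None

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        if self.protocol and parts.scheme.lower() != self.protocol:
            return False
        # fullmatch: "example\.com" must never cover "example.com.other.test"
        if not re.fullmatch(self.host, parts.hostname or "", re.IGNORECASE):
            return False
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
        if self.port and not re.fullmatch(self.port, str(port)):
            return False
        # path rules are anchored at the start, so "/v2/" covers "/v2/cart"
        if self.path and not re.match(self.path, parts.path or "/"):
            return False
        return True


def rules_from_list(text: str) -> List[ScopeRule]:
    """Turn a pasted scope list into rules. Assumed line format:
    '*.host' (any subdomain, or the host itself), 'host', or a full URL
    (pins protocol, port and path prefix). '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" in line:
            parts = urlsplit(line)
            rules.append(ScopeRule(
                host=re.escape(parts.hostname or ""),
                protocol=parts.scheme.lower(),
                port=str(parts.port) if parts.port else None,
                path=re.escape(parts.path) if parts.path else None,
            ))
        elif line.startswith("*."):
            rules.append(ScopeRule(host=r"(.*\.)?" + re.escape(line[2:])))
        else:
            rules.append(ScopeRule(host=re.escape(line)))
    return rules


def in_scope(url: str, includes: List[ScopeRule], excludes: List[ScopeRule]) -> bool:
    """Burp semantics: in scope only if some include rule matches and no
    exclude rule does; an exclusion always wins over an inclusion."""
    if any(rule.matches(url) for rule in excludes):
        return False
    return any(rule.matches(url) for rule in includes)


# Constructed sample program scope (not a real target list).
SCOPE_LIST = """
www.example.com
*.api.example.com
https://shop.example.com/v2/   # only the v2 shop API is in scope
"""
INCLUDES = rules_from_list(SCOPE_LIST)
# The out-of-scope section: the internal API host is explicitly excluded.
EXCLUDES = [ScopeRule(host=r"internal\.api\.example\.com")]

if __name__ == "__main__":
    for candidate in [
        "https://www.example.com/login",
        "https://v1.api.example.com/users",
        "https://internal.api.example.com/admin",
        "http://shop.example.com/v2/cart",
        "https://shop.example.com/v1/cart",
        "https://www.example.com.other.test/",
    ]:
        verdict = "IN " if in_scope(candidate, INCLUDES, EXCLUDES) else "OUT"
        print(f"{verdict}  {candidate}")
```

Running it shows the cases that commonly bite people: the plain-HTTP variant of an HTTPS-only entry is out, a sibling path under an in-scope host is out, and an excluded subdomain stays out even though the wildcard include would otherwise cover it.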
Day 1: Clicking through the application
Now it's our mission to fill up the site map and gather as many endpoints as possible. To make the task a bit easier on ourselves, we can enable a few options. These will allow us to recognise hidden fields more easily and automatically work around those pesky JS checks, such as a disabled field.
Go to Proxy > Options and scroll down until you see the options to show hidden form fields, prominently highlight them, enable disabled fields and remove the field length limits.
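To show what those response-modification options actually do to the HTML on its way to the browser, here is an added example (my own code, not Burp's implementation) that performs the same three rewrites on a response body: hidden inputs become visible text inputs with a highlight, `disabled` attributes are dropped and `maxlength` limits are removed. The highlight style and the sample form are constructed for the example.

```python
import re

# Each rewrite is confined to a single <input ...> tag.
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
# type="hidden", type='hidden' or type=hidden; the lookbehind avoids data-type=...
HIDDEN_TYPE = re.compile(r"""(?<=\s)type\s*=\s*(["']?)hidden\1""", re.IGNORECASE)
# bare "disabled" or disabled="..." in any quoting style
DISABLED_ATTR = re.compile(
    r"""\sdisabled(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?(?=[\s/>])""", re.IGNORECASE)
MAXLENGTH_ATTR = re.compile(
    r"""\smaxlength\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
HIGHLIGHT = ' style="outline:2px solid red"'  # assumed highlight, for visibility only


def reveal_form_fields(html: str) -> str:
    """Rewrite a response body so hidden inputs are shown (and highlighted),
    disabled inputs are enabled and maxlength limits are removed."""
    def rewrite(match):
        tag = match.group(0)
        if HIDDEN_TYPE.search(tag):
            tag = HIDDEN_TYPE.sub('type="text"', tag)
            # append the highlight just before the closing ">" (also handles "/>")
            tag = re.sub(r"\s*/?>$", HIGHLIGHT + ">", tag)
        tag = DISABLED_ATTR.sub("", tag)
        tag = MAXLENGTH_ATTR.sub("", tag)
        return tag
    return INPUT_TAG.sub(rewrite, html)


# Constructed sample response body.
SAMPLE_HTML = (
    '<form action="/preferences">'
    '<input type="hidden" name="form_version" value="3">'
    '<input type="text" name="nickname" maxlength="8" disabled>'
    '<input type="submit" value="Save">'
    '</form>'
)

if __name__ == "__main__":
    print(reveal_form_fields(SAMPLE_HTML))
```

The rewritten form is the one the browser renders: every field is editable and unbounded, which is exactly why a server can never treat `hidden`, `disabled` or `maxlength` as an input control and has to re-validate each of those fields on its own side.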