Advice on Burp Proxy Scope When Manually Reviewing a Web App
Posted in BugBounty Discussion by @0xjdow
A little while ago I was assessing a web app, and when it came time for manual enumeration (Burp on one monitor, Firefox on the other, exploring application functionality, etc.), I had limited my proxy history to in-scope items only (*.domain.com), and I wound up missing an obvious S3 bucket.
I've since added Amazon to my scope when testing applications, but I wanted to see what other researchers are doing in terms of setting scope and limiting proxy history, in the hopes of further improving my workflow.
Good topic. Hope to see some replies on this soon :-)
Here is how I do it if the target has a wide scope. Let's assume that the scope is the following: .redacted.com, redacted-s3.amazonaws.com, profile-uploads-redacted.amazonaws.com, .cloud.redacted.net, api.redacted.xyz
- Open Burp (obviously :D)
- Go to the Target - Scope tab
- Click on "Use advanced scope control"
- Click Add in scope
- In the "Host or IP range" field, type only the word redacted
- Click OK
- That's it, you are set
You won't be missing anything now. Happy hunting, everyone!
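
The difference between the two scope styles discussed in this thread, as an added example that is not part of any poster's message. It assumes the advanced-scope host field behaves as an unanchored, case-insensitive regular expression; the host list, the `.example` names and the reading of leading-dot entries as wildcards are constructed for illustration.

```python
import re

# Constructed proxy-history hosts for illustration (not from a real engagement).
HISTORY_HOSTS = [
    "www.redacted.com",
    "redacted-s3.amazonaws.com",
    "profile-uploads-redacted.amazonaws.com",
    "dev.cloud.redacted.net",
    "api.redacted.xyz",
    "fonts.thirdparty.example",
    "redacted-fans.unrelated.example",  # contains the keyword, not a listed asset
]

# The two scope styles from the thread, written as host regexes.
WILDCARD_ONLY = [r"^(.+\.)?redacted\.com$"]  # the "*.domain.com" habit
KEYWORD = [r"redacted"]                      # the reply's single keyword

# The reply's example scope as anchored rules. Assumption: the leading-dot
# entries (.redacted.com, .cloud.redacted.net) are wildcard subdomain entries.
PROGRAM_SCOPE = [
    r"^(.+\.)?redacted\.com$",
    r"^redacted-s3\.amazonaws\.com$",
    r"^profile-uploads-redacted\.amazonaws\.com$",
    r"^(.+\.)?cloud\.redacted\.net$",
    r"^api\.redacted\.xyz$",
]

def in_scope(host, rules):
    """True if any rule matches; re.search is unanchored (assumed behaviour)."""
    return any(re.search(rule, host, re.IGNORECASE) for rule in rules)

def shown(hosts, rules):
    """Hosts that would remain visible under the given scope rules."""
    return [h for h in hosts if in_scope(h, rules)]

def compare(hosts, narrow, broad, authorised):
    """Report what the narrow scope hides and what the broad scope over-includes."""
    narrow_set = set(shown(hosts, narrow))
    broad_list = shown(hosts, broad)
    return {
        "hidden_by_narrow": [h for h in broad_list
                             if h not in narrow_set and in_scope(h, authorised)],
        "needs_review": [h for h in broad_list if not in_scope(h, authorised)],
    }

if __name__ == "__main__":
    for label, hosts in compare(HISTORY_HOSTS, WILDCARD_ONLY, KEYWORD, PROGRAM_SCOPE).items():
        print(label, hosts)
```

Hosts listed under `needs_review` contain the keyword but are not on the program's list, so confirm they belong to the target before treating them as in scope.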