Introducing rescope - A Scope Parser for Burp Suite & OWASP ZAP

rescope is a tool I wrote that lets you quickly define scopes in Burp/ZAP - intended for bug bounty hunters and pentesters alike who deal with large, complicated scopes.

Update: See blog post

Rather than repeating what is already detailed in the README, I’ll instead focus this post on why I felt the need to write this tool to begin with. Keep in mind that these are just my personal views based on experience working with both programs.

Adding scopes is mainly done in two ways:

  1. With regular expressions. With Burp you also have the option to add them directly as is, which is great when you just want to add something simple.

  2. From the sitemap / proxy history, provided that traffic towards the target has passed through the proxy. Otherwise there is no way to select anything, as nothing has been indexed. This is by and large the most effective and thus preferred approach.

For the most part, either way will do just fine. That is, when you have a scope that is simple and small-ish in size. On the contrary, however, when the scope has intricacies and is larger in size, that is when you start to question the effectiveness of either approach. Not that adding them is very difficult, but depending on the scope this process can feel repetitive and frustrating to do, which usually ends up taking more time than most like to admit. Besides, there’s always a risk of messing things up, leaving you with an incorrectly defined scope which may snowball into this huge time waster in the future chasing boogie monsters. Add some bad luck to that and the boogie man may even come knocking on your door.

If you’ve never had to deal with scopes then take a look at some of the bigger bug bounty programs over at Bugcrowd and HackerOne. Take Spotify for instance, which has explicitly listed 150 domains aside from those in the main scope. But how? It’s not like you can import a list of domains to either program. So what about those CIDR notations? Nope, it’s not possible to add CIDR in either Burp or ZAP. For that you must first convert the notations to IP ranges, which can be added without any fuss. Though, this is not something you’ll encounter very often so it’s not a big deal. What you will encounter often, however, are wildcards and other notations that target a specific range or certain components of a URI. For those we are left with option 1, as pre-indexing is not an option, meaning that regex is the only viable option left. This step must be repeated for every item in the list, which is just annoying when you have a large scope.
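
What that manual conversion involves, as an added example in Go (this is not rescope's own code). The function names, the sample inputs and the choice that `*` stands for one or more host characters (so the bare apex domain is not matched) are assumptions made for illustration:

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// cidrToRange returns the first and last IPv4 address covered by a CIDR
// block, the form that can be entered as an IP range.
func cidrToRange(cidr string) (string, string, error) {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", "", err
	}
	ip4 := n.IP.To4()
	if ip4 == nil || len(n.Mask) != net.IPv4len {
		return "", "", fmt.Errorf("not an IPv4 CIDR: %s", cidr)
	}
	start := binary.BigEndian.Uint32(ip4) // network address
	mask := binary.BigEndian.Uint32(n.Mask)
	end := make(net.IP, net.IPv4len)
	binary.BigEndian.PutUint32(end, start|^mask) // set every host bit
	return ip4.String(), end.String(), nil
}

// wildcardToRegex turns a scope host such as *.example.com into an anchored
// host regex. Literal parts are escaped so "." only matches a dot, and the
// anchors stop look-alike hosts from slipping into scope.
func wildcardToRegex(host string) string {
	parts := strings.Split(host, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return "^" + strings.Join(parts, "[A-Za-z0-9.-]+") + "$"
}

func main() {
	// Constructed sample scope items (documentation address space and domain).
	first, last, _ := cidrToRange("192.0.2.64/26")
	fmt.Println(first, "-", last)
	re := regexp.MustCompile(wildcardToRegex("*.example.com"))
	for _, h := range []string{"api.example.com", "example.com.other.test"} {
		fmt.Println(h, re.MatchString(h))
	}
}
```

Forgetting the escaping or the anchors is the typical way a hand-written scope regex ends up matching hosts that were never in the program's scope.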

There’s more to be said here, like the impossibility of adding targets directly from the sitemap/history to the “out-of-scope” list so that they get excluded. For some reason I cannot explain, those targets must first be added to the scope, then removed from the scope in order for them to end up in the “Exclude from scope” list, which is the case for both programs.

With this in mind and some interest to learn a new language, I came up with rescope (written in Go), which aims to tackle all of these problems.

I hope you found this tool useful, and if you did then feel free to drop a like or follow me on Twitter for more stuff like this.