rescope v2.2 releases: scope-generator-tool for Burp Suite and ZAP
Rescope is a CLI tool (written in Go) that aims to make life easier when defining scopes in Burp Suite and OWASP ZAP.
How it works
- Provide any public or private scope.
- rescope takes care of the rest and spits out a Burp/ZAP-compatible JSON/XML file.
- Import the result into Burp/ZAP.
Features
- Define public scope(s) directly from any supported BBaaS (Bug-Bounty-as-a-Service) platform
- Define private scopes by copy/pasting target definitions from pretty much anywhere
- Outputs results that are compatible with Burp Suite and OWASP ZAP for direct import
- Combine private and public scopes
- Scope include/exclude separation
- Parse multiple scopes into the same result
- Supports IP ranges & CIDR
- Resolves conflicting includes/excludes
- Avoids resources from third-party services such as github.com, gitlab.com, itunes.apple.com, etc.
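The pipeline the list above describes (pasted target definitions in, a Burp-compatible scope file out, with include/exclude separation, CIDR expansion and conflict resolution) as a small Go example. This is added here for illustration and is not rescope's own code. It assumes the target.scope layout of a Burp project-options export (advanced_mode plus include/exclude rows whose enabled/protocol/host/port/file fields hold regexes); that assumption should be checked against a fresh export before relying on it. The example scopes at host level only (ports and paths of URL targets are ignored), caps CIDR expansion at a /16, and resolves a target that appears in both lists by keeping the exclude. Third-party filtering and ZAP XML output are left out, and the sample targets in the usage below are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// BurpRule is one row of Burp's advanced scope control: non-empty fields are regexes,
// Protocol "any" and empty Port/File mean unrestricted (field names assumed from a
// Burp project-options export; compare with your own before relying on them).
type BurpRule struct {
	Enabled  bool   `json:"enabled"`
	Protocol string `json:"protocol"`
	Host     string `json:"host"`
	Port     string `json:"port"`
	File     string `json:"file"`
}

// BurpScope is the target.scope object that Burp's "Load options" reads.
type BurpScope struct {
	AdvancedMode bool       `json:"advanced_mode"`
	Include      []BurpRule `json:"include"`
	Exclude      []BurpRule `json:"exclude"`
}

// hostRegex anchors a hostname; "*.example.com" covers the apex and every subdomain.
func hostRegex(host string) string {
	if strings.HasPrefix(host, "*.") {
		return `^(.*\.)?` + regexp.QuoteMeta(host[2:]) + `$`
	}
	return "^" + regexp.QuoteMeta(host) + "$"
}

// ExpandTarget turns one pasted line (URL, bare or wildcard host, or IPv4 CIDR block)
// into Burp rules. A block becomes one rule per address; anything larger than a /16
// is refused so that a stray /8 cannot turn into millions of rules.
func ExpandTarget(raw string) ([]BurpRule, error) {
	raw = strings.TrimSpace(raw)
	if _, ipnet, err := net.ParseCIDR(raw); err == nil {
		ones, bits := ipnet.Mask.Size()
		if bits != 32 || ones < 16 {
			return nil, fmt.Errorf("refusing %s: only IPv4 blocks up to /16 are expanded", raw)
		}
		ip, rules := ipnet.IP.To4(), []BurpRule{}
		base := uint32(ip[0])<<24 | uint32(ip[1])<<16 | uint32(ip[2])<<8 | uint32(ip[3])
		for i := uint32(0); i < uint32(1)<<uint(32-ones); i++ {
			n := base + i
			addr := net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)).String()
			rules = append(rules, BurpRule{Enabled: true, Protocol: "any", Host: hostRegex(addr)})
		}
		return rules, nil
	}
	if !strings.Contains(raw, "://") {
		raw = "any://" + raw // a bare host parses like a URL whose protocol is "any"
	}
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("no host in %q", raw)
	}
	// Host-level scope only: the port and path of a URL target are deliberately ignored.
	return []BurpRule{{Enabled: true, Protocol: u.Scheme, Host: hostRegex(u.Hostname())}}, nil
}

// BuildScope expands the exclude lines first, then the include lines; an include that
// lands on an already excluded rule is a conflict, resolved by keeping the exclude
// (the narrower scope is the safe default). Every dropped include is reported in notes.
func BuildScope(includes, excludes []string) (BurpScope, []string, error) {
	scope, notes, excluded := BurpScope{AdvancedMode: true}, []string{}, map[BurpRule]bool{}
	for _, line := range excludes {
		rules, err := ExpandTarget(line)
		if err != nil {
			return scope, nil, err
		}
		for _, r := range rules {
			excluded[r] = true
		}
		scope.Exclude = append(scope.Exclude, rules...)
	}
	for _, line := range includes {
		rules, err := ExpandTarget(line)
		if err != nil {
			return scope, nil, err
		}
		for _, r := range rules {
			if excluded[r] {
				notes = append(notes, "conflict on "+line+": exclude wins, include dropped")
				continue
			}
			scope.Include = append(scope.Include, r)
		}
	}
	return scope, notes, nil
}

// BurpJSON nests the scope under target.scope, the layout Burp's "Load options" expects.
func BurpJSON(s BurpScope) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{"target": map[string]interface{}{"scope": s}}, "", "  ")
}
```

Usage: call BuildScope with the include lines and exclude lines pasted from a program page (for instance includes `*.example.com`, `https://api.example.com/v1/`, `10.0.0.0/30` and excludes `staging.example.com`, `https://api.example.com/v1/`), write the bytes from BurpJSON to a file and load it via Target -> Scope -> Load options. Note that a wildcard line stays one regex rule (Burp matches it at request time), while a CIDR block is expanded to one rule per address, which is why the /16 cap exists; and that a target which is both included and excluded is dropped from the include list rather than silently kept, so the notes deserve a look before the file is imported.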
Supported Bug-Bounty Services (BBaaS)
Import into Burp Suite:
- Head to Target
- Head to Scope
- Tick the "Use advanced scope control" checkbox
- Click the ⚙︎ icon
- Select "Load options"
- Choose the JSON file
Import into OWASP ZAP: choose File -> Import Context and select the XML file.
Note for OWASP ZAP:
- If you set the -o filename extension to anything other than .context, you will have to choose "All Format" in the file selector.
- For the ZAP HUD, set the context name to "HUD Context" (--name "HUD Context").
- New flag --resolveConflicts: resolve all exclude conflicts (say 'Y' to all)
- New flag --avoid3P: avoid all third-party resources (say 'Y' to all)
- Parse private HackerOne scopes by setting
- Fixed a package that conflicted with the errors interface introduced in Go 1.13. This led to unexpected panics when using the -u|--url flags to obtain scopes from bug bounty programs.
- Parsing from Bugcrowd should now work with the new site layout
- Fixed out of bounds error when removing third party resources from scope
- #8 Fixed segfault when parsing scopes from intigriti due to layout change. Ref a26631c
- Fixed bug that caused misaligned lists when HackerOne was included in multi-scopes.
- rescope will no longer throw exceptions when program names are upper-cased.
- Fixed segfault when parsing scopes from openbugbounty.org caused by changes to program URL structure.
- Fixed multi-scope conflict entanglement.
- #9 Fixed bug that caused a segfault when the infile contained single IPs (3423ba0).
- #10 Fixed issue that led rescope to crash when https:// was missing in -u|--url for HackerOne programs.
- Migrated vendoring to Go Modules
- HackerOne scopes will now include IP/CIDR in addition to URLs.
- The -b|--burp flag is no longer needed, as results are output as Burp-compatible JSON by default.
- -o|--outfile is no longer required, as results are saved to a default filename in the working directory.
Install & Use
Copyright (c) 2021 root4loot