Identifying supported HTTP methods with Burp Suite

Step 1: Identify a relevant request
– Find a relevant request on the target website
– Highlight the request method
– Right-click and select ‘Send to Intruder’

Step 2: Configure Burp Intruder
– In Burp Intruder, go to the Positions tab
– Check whether the request method has been automatically marked as a payload position
– Set the attack type to ‘Sniper’

Step 3: Configure Payloads
– Go to the Payloads tab
– Under ‘Payload Sets’, select ‘Simple List’
– Add a list of HTTP methods to test
– Include an arbitrary non-existent method so that its response serves as a baseline for how the server handles unsupported methods

Step 4: Start the attack
– Click ‘Start attack’
– Wait for the attack to finish
– Review the responses for any interesting behavior
– Do not rely solely on the HTTP status code when analysing the responses

Step 5: Enumerate methods for multiple endpoints
– Go to Target Sitemap
– Right-click on a host and select ‘Copy URLs in this host’
– Send a GET request for the target host to Burp Intruder
– In Burp Intruder, go to the Positions tab and choose ‘Cluster bomb’ as the attack type
– Select the request method and request path to create payload positions
– Configure payload settings for each position
– Review the responses for any interesting behavior
– Do not rely solely on the HTTP status code when analysing the responses
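The response analysis behind Steps 3 to 5, as an added example that is not part of the original guide: each real method's response is compared against the response to the arbitrary non-existent method (here called BOGUSMETHOD), on status code, body fingerprint and the Allow header rather than status alone. The fetch helper, the method list and the sample responses are constructed for illustration and do not come from any real host.

```python
import hashlib
import http.client
from dataclasses import dataclass

# Methods to probe; BOGUSMETHOD is the arbitrary non-existent one that yields the baseline.
METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "TRACE", "BOGUSMETHOD"]

@dataclass
class Response:
    status: int
    headers: dict   # header names lower-cased
    body: bytes

def fetch(host: str, path: str, method: str, port: int = 443, tls: bool = True) -> Response:
    """Send one request with the given method (live network; the offline sample below does not use it)."""
    conn_cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=10)
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return Response(resp.status, {k.lower(): v for k, v in resp.getheaders()}, body)

def body_fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()[:16]

def classify(method: str, resp: Response, baseline: Response):
    """Compare one response to the bogus-method baseline on more than the status code."""
    reasons = []
    if resp.status != baseline.status:
        reasons.append(f"status {resp.status} differs from baseline {baseline.status}")
    if body_fingerprint(resp.body) != body_fingerprint(baseline.body):
        reasons.append(f"body differs from baseline ({len(resp.body)} vs {len(baseline.body)} bytes)")
    allow = resp.headers.get("allow")
    if allow is not None:
        reasons.append(f"Allow header advertises: {allow}")
    return ("interesting" if reasons else "same-as-baseline", reasons)

def analyse(results: dict, baseline_method: str = "BOGUSMETHOD") -> dict:
    """results maps method -> Response; returns a verdict and reasons for every real method."""
    baseline = results[baseline_method]
    return {m: classify(m, r, baseline) for m, r in results.items() if m != baseline_method}

# Constructed sample responses standing in for Intruder results (not captured from a real host).
SAMPLE = {
    "BOGUSMETHOD": Response(405, {"content-type": "text/html"}, b"<h1>405 Method Not Allowed</h1>"),
    "TRACE": Response(405, {"content-type": "text/html"}, b"<h1>405 Method Not Allowed</h1>"),
    "PUT": Response(405, {"content-type": "text/html"}, b"<h1>405 Method Not Allowed</h1><p>PUT is disabled</p>"),
    "DELETE": Response(403, {"content-type": "text/html"}, b"<h1>403 Forbidden</h1>"),
    "OPTIONS": Response(204, {"allow": "GET, POST, OPTIONS"}, b""),
    "GET": Response(200, {"content-type": "application/json"}, b'{"items": []}'),
}

if __name__ == "__main__":
    for method, (verdict, reasons) in analyse(SAMPLE).items():
        print(f"{method:8} {verdict:17} {'; '.join(reasons)}")
```

A HEAD response carries no body by definition, so a body difference for HEAD is expected rather than a finding; the PUT sample shows the opposite case, where an identical status hides a different body.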

SOPWriter.ai | 2024