Say you need to do a manual pentest on a web application with a lot of client-side code, like a single page application of the AngularJS sort. It would be very helpful to understand how the app transitions through different states based on DOM events. For example, which flows lead to which results, and also the steps for those flows. What we're talking about here is basically a client-side crawl. With a simple script, you can print-out the client-side crawl that SCNR does and keep those result at hand to help you with your manual audit.
So, suppose we're preparing a manual penetration test of a web application; wouldn't it be nice to be able to know beforehand the behavior of each individual input? For example, changing an input's value may change the response we get in a certain way, or even not, which is equally valuable information. Let's say that inputs that change the behavior of the web page are called active and those that don't are called blind. Furthermore, it would be of even more interest if the value we input gets included in the HTTP response (or even written on the DOM client-side)...