Arjun v2.2.2 releases: finding hidden GET & POST parameters
Arjun is a python script for finding hidden GET & POST parameters using regex and bruteforce.
Web applications use parameters (or queries) to accept user input, take the following example into consideration
This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.
The best part? It takes less than 30 seconds to go through this huge list while making just 50-60 requests to the target.
How Arjun works?
A request to the URL is made and the response length, plain-text length and response code are stored for comparison in later steps.
If any HTML form is found in the response, Arjun extracts field names from it and adds it to parameter name list for further checking.
A second request to the URL is made but this time, a randomly generated parameter (expected to be non-existent) is added to the request to determine the behavior of the web application towards a non-existent parameter.
A number of reflections, response length, plain-text length and response code are stored for comparison in later steps.
These characteristics are also compared against the first request characteristics to determine what changes should be ignored to keep off false positives.
A huge list of 25,980 parameters name list is loaded and divided into 25 different parts. All the parameter names of a part are sent in a single request with randomly generated values and hence a total of 25 requests are made.
Responses of these requests are compared with the previous data and the parts which didn’t cause any change in response are rejected.
Every part which caused deviation in response is divided into two parts, and requests are made with each of them.
The part which doesn’t cause any change is again rejected and the part which caused change is further divided into two parts. This process is continued until there’s just one or no parameters are left in each part. Empty parts are obviously rejected and the single parameter names are marked as valid.
Note: Reflections are tracked separately which means if the value of a parameter is found to be reflected, Arjun picks it up and flags it as potentially valid right away.
- 3 modes of detection
- Regex-powered heuristic scanning
- Huge list of 3370 parameter names
- Probing improvements
- Fix “target is misbehaving” errors
- Variable chunk size depending on HTTP method
- Improved heuristics
- Allow up to 20 “server fault” errors
git clone https://github.com/UltimateHackers/Arjun.git
To find GET parameters, you can simply do:
python3 arjun.py -u https://api.example.com/endpoint --get
Similarly, use –post to find POST parameters.
It uses 2 threads by default but you can tune its performance according to your network connection.
python3 arjun.py -u https://api.example.com/endpoint --get -t 22
Delay between requests
You can delay the request by using the -d option as follows:
python3 arjun.py -u https://api.example.com/endpoint --get -d 2
Adding HTTP Headers
Using the –headers switch will open an interactive prompt where you can paste your headers. Press Ctrl + S to save and Ctrl + X to proceed.
Copyright (C) 2018 s0md3v