Arjun: HTTP parameter discovery suite

Arjun can find query parameters for URL endpoints. If you don't know what that means, that's okay; read along.

Web applications use parameters (or queries) to accept user input. Consider the following example:

http://api.example.com/v1/userinfo?id=751634589

This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which, when set to True, makes the endpoint provide more information about the user? This is what Arjun does: it finds valid HTTP parameters using a huge default dictionary of 25,890 parameter names.

It takes less than 10 seconds to go through this huge list while making just 50-60 requests to the target.

Why Arjun?

  • Supports GET/POST/POST-JSON/POST-XML requests
  • Automatically handles rate limits and timeouts
  • Export results to BurpSuite, text, or JSON file
  • Import targets from BurpSuite, a text file, or a raw request file
  • Can passively extract parameters from JS or 3 external sources

How does Arjun work?

Step #1

Two HTTP requests with different query parameters are made to the URL and the response length, number of reflections, response code, and other such factors are stored for comparison in later steps.
If any HTML form is found in the response, Arjun extracts field names from it and adds them to the parameter name list for further checking.

Step #2

A huge list of 25,980 parameter names is loaded and divided into 25 parts. All the parameter names of a part are sent in a single request with randomly generated values, so a total of 25 requests are made.
Responses of these requests are compared with the previous data and the parts which didn’t cause any change in response are rejected.

Step #3

Every part that caused a deviation in response is divided into two parts, and requests are made with each of them.
The half which doesn't cause any change is again rejected, and the half which caused the change is further divided into two parts. This process continues until each part contains just one parameter or none. Empty parts are rejected and the single remaining parameter names are marked as valid.

Note: Reflections are tracked separately which means if the value of a parameter is found to be reflected, Arjun picks it up and flags it as potentially valid right away.
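The three steps above, as an added simulation written for this page (it is not Arjun's own code): a constructed stand-in endpoint plays the target, a small constructed wordlist hides two real parameter names, and the group test rejects unchanged parts, halves the changed ones, and flags reflected values immediately, as the note describes. The names fake_endpoint, probe, bisect and discover are assumptions of this example.

```python
import random
import string
from math import ceil

# Constructed stand-in for the target: maps the parameters sent in one request to
# a response body. Only "admin" and "debug" matter; "debug" reflects its value.
def fake_endpoint(params):
    body = "<html><body>user 751634589</body></html>"
    if "admin" in params:
        body += "<p>role=admin</p>"
    if "debug" in params:
        body += "<pre>" + params["debug"] + "</pre>"
    return body

def random_value(length=8):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def probe(endpoint, names, counter):
    """One request carrying every name with a distinct random value; returns
    the response length and the names whose value was reflected."""
    counter["requests"] += 1
    sent = {n: random_value() for n in names}
    body = endpoint(sent)
    return len(body), [n for n, v in sent.items() if v in body]

def bisect(endpoint, names, baseline_len, counter):
    """Step 3: keep halving a part while it still deviates from the baseline."""
    if not names:
        return []
    length, reflected = probe(endpoint, names, counter)
    if reflected:  # a reflected value is conclusive on its own (see the note above)
        rest = [n for n in names if n not in reflected]
        return reflected + bisect(endpoint, rest, baseline_len, counter)
    if length == baseline_len:
        return []  # no deviation: reject the whole part
    if len(names) == 1:
        return list(names)
    mid = len(names) // 2
    return (bisect(endpoint, names[:mid], baseline_len, counter)
            + bisect(endpoint, names[mid:], baseline_len, counter))

def discover(endpoint, wordlist, parts=25):
    counter = {"requests": 0}
    # Step 1: baseline from a throwaway name (Arjun makes two such requests)
    baseline_len, _ = probe(endpoint, [random_value()], counter)
    chunk = ceil(len(wordlist) / parts)
    found = []
    for i in range(0, len(wordlist), chunk):  # Step 2: one request per part
        found += bisect(endpoint, wordlist[i:i + chunk], baseline_len, counter)
    return sorted(found), counter["requests"]

# Constructed wordlist: 200 decoy names with the two real ones buried inside.
WORDLIST = [f"param{i}" for i in range(200)]
WORDLIST[50], WORDLIST[150] = "admin", "debug"
```

Running discover(fake_endpoint, WORDLIST) returns both real names after a few dozen requests rather than one per wordlist entry, which is the request-count saving the page describes.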

Install & Use

Copyright (C) 2024 s0md3v