x8: Hidden parameters discovery suite written in Rust
The tool helps find hidden parameters that may be vulnerable or may reveal interesting functionality that other hunters miss. Greater accuracy is achieved through line-by-line comparison of pages, comparison of response codes, and reflections.
Features
- Fast.
- Has flexible request configuration thanks to the concept of templates and injection points.
- Scalability. The tool can check up to thousands of URLs per run.
- More accurate than similar tools, especially in difficult cases.
- Can discover parameters with non-random values, like admin=true.
- Highly configurable.
- Sends almost raw requests, thanks to a modified external library.
Changelog v4.3
- Improved template guessing;
- Fixed file saving;
- Default behavior for PATCH and DELETE methods changed. By default, parameters are now sent via the body;
- Replaced “not reflected one” with “changes reflections” text message;
- Other small fixes;
Use
Example
Send parameters via query
x8 -u "https://example.com/" -w <wordlist>
With some default parameters:
x8 -u "https://example.com/?something=1" -w <wordlist>
/?something=1 is equivalent to /?something=1&%s
Send parameters via body
x8 -u "https://example.com/" -X POST --as-body -w <wordlist>
Or with a custom body:
x8 -u "https://example.com/" -X POST --as-body -b '{"x":{%s}}' -w <wordlist>
%s will be replaced with different parameters like {"x":{"a":"b3a1a", "b":"ce03a", …}}
Custom template
x8 -u "https://example.com/" --param-template "user[%k]=%v&" -w <wordlist>
Now every request would look like /?user[a]=hg2s4&user[b]=a34fa&…
It is even possible to imitate body types that are not built in, for example, application/xml:
x8 -u "https://example.com/" --as-body --param-template "<%k>%v</%k>" -H "Content-Type: application/xml" -b '<?xml version="1.0" ?>%s' -w <wordlist>
Variables
In the next example, something will take on new values for every request:
x8 -u "https://example.com/?something={{random}}&%s" -w <wordlist>
Percent encoding
Sometimes parameters must be percent-encoded. This is also possible:
x8 -u "https://example.com/?path=..%2faction.php%3f%s%23" --encode -w <wordlist>
GET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp…%23 HTTP/1.1
Host: example.com
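The sketch below models how the injection point (%s), the parameter template (%k, %v) and percent encoding combine into the request shapes shown above, which helps when recognising them in access logs. It is an added example, not x8's own code; the function names, the default template "%k=%v&" and the dropping of a trailing "&" are assumptions.

```rust
// Added illustration of x8-style template expansion; not x8's own source.
// Function names and the trailing-'&' handling are assumptions.

/// Percent-encode every byte outside the RFC 3986 unreserved set.
fn percent_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Implicit injection point: "/?something=1" is treated as "/?something=1&%s".
fn with_injection_point(url: &str) -> String {
    if url.contains("%s") {
        url.to_string()
    } else {
        format!("{}{}%s", url, if url.contains('?') { '&' } else { '?' })
    }
}

/// Render each pair through the parameter template (%k, %v), optionally
/// percent-encode the result, and substitute it for the first %s.
fn expand(target: &str, param_template: &str, pairs: &[(&str, &str)], encode: bool) -> String {
    let mut rendered: String = pairs
        .iter()
        .map(|(k, v)| param_template.replace("%k", k).replace("%v", v))
        .collect();
    if rendered.ends_with('&') {
        rendered.pop(); // assumption: the template's trailing separator is dropped
    }
    if encode {
        rendered = percent_encode(&rendered);
    }
    target.replacen("%s", &rendered, 1)
}

fn main() {
    // Constructed pairs reusing the sample values printed on this page.
    let pairs = [("a", "hg2s4"), ("b", "a34fa")];
    let url = with_injection_point("https://example.com/?something=1");
    println!("{}", expand(&url, "%k=%v&", &pairs, false));
    println!("{}", expand("https://example.com/?%s", "user[%k]=%v&", &pairs, false));
    let enc = [("WTDa8", "a7UOS"), ("rTIDA", "exMFp")];
    println!("{}", expand("https://example.com/?path=..%2faction.php%3f%s%23", "%k=%v&", &enc, true));
}
```

With --encode modelled this way, only the generated parameters are encoded; the escapes already present in the URL (%2f, %3f, %23) pass through unchanged, matching the request shown above.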
Download
Copyright (C) 2021 Sh1Yo