Arjun Tool to Identifies hidden GET and POST Parameters

Image

Web applications use parameters (or queries) to accept user input, take the following example into consideration

http://api.example.com/v1/userinfo?id=751634589

  • This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?

  • This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.

  • The best part? It takes less than 30 seconds to go through this huge list while making just 50-60 requests to the target.

Demo

Lock image

 

Scanning a single URL

To find GET parameters, you can simply do:

python3 arjun.py -u https://api.example.com/endpoint --get

Similarly, use --post for POST and --json to look for JSON parameters.

Scanning multiple URLs

A list of URLs stored in a file can be test by using the --urls option as follows

python3 arjun.py --urls targets.txt --get

Multi-threading

Arjun uses 2 threads by default but you can tune its performance according to your network connection and target allowance.

python3 arjun.py -u https://api.example.com/endpoint --get -t 22

Delay between requests

You can delay the request by using the -d option as follows:

python3 arjun.py -u https://api.example.com/endpoint --get -d 2

Handling rate limits

--stable switch sets the number of threads to 1 and introduces a random delay of 6 to 12 seconds between requests.

python3 arjun.py -u https://api.example.com/endpoint --get --stable

Including persistent data

Let's say you have an API key that you need to send with every request, to tell Arjun to do that you can use the --include option as follows:

python3 arjun.py -u https://api.example.com/endpoint --get --include 'api_key=xxxxx'

OR

python3 arjun.py -u https://api.example.com/endpoint --get --include '{"api_key":"xxxxx"}'

To include multiple parameters, use & to seperate them or pass them as a valid json object.

Saving output to a file

You can save the result in a JSON format by using the -o as follows:

python3 arjun.py -u https://api.example.com/endpoint --get -o result.json