dEEpEst

What's Arjun?
Arjun can find query parameters for URL endpoints. If you don't get what that means, it's okay, read along. Web applications use parameters (or queries) to accept user input. Take the following example into consideration:
httpx://api.example.com/v1/userinfo?id=751634589
This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,890 parameter names.
The best part? It takes less than 10 seconds to go through this huge list while making just 50-60 requests to the target.
How does Arjun work?
Step #1
Two HTTP requests with different query parameters are made to the URL, and the response length, number of reflections, response code and other such factors are stored for comparison in later steps. If any HTML form is found in the response, Arjun extracts field names from it and adds them to the parameter name list for further checking.
Step #2
A huge list of 25,980 parameter names is loaded and divided into 25 different parts. All the parameter names of a part are sent in a single request with randomly generated values, and hence a total of 25 requests are made. Responses of these requests are compared with the previous data, and the parts which didn't cause any change in response are rejected.
Step #3
Every part which caused deviation in response is divided in two parts, and requests are made with each of them. The part which doesn't cause any change is again rejected, and the part which caused change is further divided into two parts. This process is continued until just one or no parameter is left in each part. Empty parts are obviously rejected and the single parameter names are marked as valid.
Note: Reflections are tracked separately, which means if the value of a parameter is found to be reflected, Arjun picks it up and flags it as potentially valid right away.
Why Arjun?
- Supports GET/POST/POST-JSON/POST-XML requests
- Automatically handles rate limits and timeouts
- Export results to: BurpSuite, text or JSON file
- Import targets from: BurpSuite, text file or a raw request file
- Can passively extract parameters from JS or 3 external sources
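
Seen from the server side, Steps #2 and #3 above leave a recognisable trace in access logs: one client sends a series of requests to one path, each carrying hundreds of parameters, with the parameter count halving as parts are split. The following detection sketch is an added example, not part of the original post or of Arjun; the log format, thresholds, function names and sample traffic are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

BULK_PARAMS = 100   # assumed threshold: far above what a normal request carries
MIN_REQUESTS = 3    # assumed: one oversized request alone is not flagged


def param_count(target):
    """Number of query parameters in a request target."""
    return len(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def find_bulk_probing(lines, threshold=BULK_PARAMS, min_requests=MIN_REQUESTS):
    """Map (client, path) -> summary for repeated oversized-parameter requests."""
    sizes = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:          # skip lines not in the constructed format
            continue
        client, _method, target, _status = fields
        n = param_count(target)
        if n >= threshold:
            sizes[(client, urlsplit(target).path)].append(n)
    report = {}
    for key, counts in sizes.items():
        if len(counts) < min_requests:
            continue
        distinct = set(counts)
        # Step #3 splits a part in two, so a size and its half both appear.
        halving = any(h in distinct for s in distinct
                      for h in (s // 2, (s + 1) // 2) if h != s)
        report[key] = {"requests": len(counts), "max_params": max(counts),
                       "halving": halving}
    return report


def _line(client, path, n):
    """Build one constructed log line: 'client method target status'."""
    query = "&".join(f"p{i}=v{i}" for i in range(n))
    return f"{client} GET {path}?{query} 200"


# Constructed sample log (documentation IP ranges, invented traffic).
SAMPLE_LOG = (
    [_line("198.51.100.7", "/v1/userinfo", 1036)] * 25
    + [_line("198.51.100.7", "/v1/userinfo", n) for n in (518, 518, 259, 259)]
    + ["203.0.113.20 GET /v1/userinfo?id=751634589 200",
       _line("203.0.113.20", "/search", 6)]
)

if __name__ == "__main__":
    for key, summary in find_bulk_probing(SAMPLE_LOG).items():
        print(key, summary)
```

This covers only query-string traffic. The POST, POST-JSON and POST-XML modes listed above put the parameters in the request body, which a typical access log does not record.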