Param Discovery

Discover hidden GET/POST parameters using Arjun, ParamSpider, ffuf, and gf for comprehensive recon.

6 Categories30+ CommandsCopy Ready

Phase 1

Arjun - Best Tool for Discovering Hidden Parameters

1#1 Install Arjun via pip

pip install arjun

2#2 Basic scan for GET parameters

arjun -u "https://site.com/endpoint.php"

3#3 With custom thread count and output file

arjun -u "https://site.com/api/user" -t 100 -o output.txt

4#4 POST method parameter discovery

arjun -u "https://site.com/login" -m POST

5#5 JSON endpoint parameter discovery

arjun -u "https://site.com/api" --include '{"test":"value"}' -m JSON

Phase 2

ParamSpider - Passive Parameter Extraction from Archives

1#1 Clone ParamSpider repository

git clone https://github.com/devanshbatham/ParamSpider.git

2#2 Install dependencies

cd ParamSpider && pip install -r requirements.txt

3#3 Basic crawl for URLs with parameters

paramspider -d site.com

4#4 Save output with FUZZ placeholder

paramspider -d site.com -p "FUZZ=value"

5#5 Filter results by vulnerability type

paramspider -d site.com | grep xss > xss.txt

Phase 3

ffuf - Parameter Fuzzing

1#1 Fuzz GET parameter names

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "https://site.com/endpoint?FUZZ=test"

2#2 Fuzz with colored output, filter 200

ffuf -w paramnames.txt -u "https://site.com/api?FUZZ=value" -mc 200 -c

3#3 Fuzz POST parameter values

ffuf -w values.txt -u "https://site.com/endpoint?param=FUZZ" -X POST -d "param=FUZZ"

4#4 POST with custom header and body parameter

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "https://site.com/endpoint" -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "FUZZ=value"

Phase 4

x8 - Very Fast Alternative to ffuf

1#1 Install x8 via Cargo (Rust)

cargo install x8

2#2 Basic parameter fuzzing with x8

x8 -u "https://site.com/endpoint?FUZZ=test" -w paramnames.txt

3#3 Filter specific status codes

x8 -u "https://site.com/api?param=FUZZ" -w values.txt --filter-status 200,403

4#4 High-speed fuzzing with 50 threads

x8 -u "https://site.com/endpoint" -w params.txt -t 200 --threads 50

Phase 5

gf - Filter URLs by Vulnerability Type

1#1 Install gf via Go

go install github.com/tomnomnom/gf@latest

2#2 Filter URLs that may be vulnerable to XSS

cat all_urls.txt | gf xss > xss.txt

3#3 Filter SSRF-vulnerable URLs

cat all_urls.txt | gf ssrf > ssrf.txt

4#4 Filter Open Redirect candidates

cat all_urls.txt | gf redirect > redirect.txt

5#5 Filter SQL injection candidates

cat all_urls.txt | gf sql > sql.txt

Phase 6

Recommended Full Workflow

1paramspider -d target.com -o all_params.txt

# Step 1: Run ParamSpider to collect URLs with parameters

2cat all_params.txt | grep -oE '[?&][^=]+=' | sort -u > param_names.txt

# Step 2: Extract parameter names and values

3arjun -u "https://target.com/endpoint" -t 100

# Step 3: Run Arjun for hidden parameters

4ffuf -w param_names.txt -u "https://target.com/endpoint?FUZZ=test"

# Step 4: Fuzz with ffuf for more parameters

5cat results.txt | gf xss,ssrf,redirect,sql

# Step 5: Filter results with gf by vulnerability

Phase 7

Tools & References

1Official Arjun repository - Best parameter discovery tool

https://github.com/s0md3v/Arjun

2ParamSpider - Passive parameter extraction from Wayback Machine

https://github.com/devanshbatham/ParamSpider

3x8 - Extremely fast parameter fuzzer (Rust)

https://github.com/Sh1Yo/x8

4gf - Filter URLs by vulnerability type (XSS, SSRF, etc.)

https://github.com/tomnomnom/gf

5CoffinXP Payloads - Collection of ready-to-use payloads

https://github.com/coffinxp/payloads

Tools

Tools & Resources

Arjun - Parameter Discovery

Best tool for discovering hidden parameters with brute-force

ParamSpider

Passive parameter extraction from Wayback Machine and Common Crawl

x8 - Fast Fuzzer

Very fast alternative to ffuf for parameter fuzzing

gf - URL Filter

Filter URLs by vulnerability type (XSS, SSRF, Redirect, SQL)

Seclists - Parameter Names

Wordlists for parameter name discovery