Param Discovery
Discover hidden GET/POST parameters using Arjun, ParamSpider, ffuf, and gf for comprehensive recon.
Phase 2
ParamSpider - Passive Parameter Extraction from Archives
#1 Clone ParamSpider repository
git clone https://github.com/devanshbatham/ParamSpider.git
#2 Install dependencies
cd ParamSpider && pip install -r requirements.txt
#3 Basic crawl for URLs with parameters
paramspider -d site.com
#4 Save output with FUZZ placeholder
paramspider -d site.com -p "FUZZ=value"
#5 Filter results by vulnerability type
paramspider -d site.com | grep xss > xss.txt
Phase 3
ffuf - Parameter Fuzzing
#1 Fuzz GET parameter names
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "https://site.com/endpoint?FUZZ=test"
#2 Fuzz with colored output, match only status 200
ffuf -w paramnames.txt -u "https://site.com/api?FUZZ=value" -mc 200 -c
#3 Fuzz POST parameter values
ffuf -w values.txt -u "https://site.com/endpoint?param=FUZZ" -X POST -d "param=FUZZ"
#4 POST with custom header and body parameter
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "https://site.com/endpoint" -H "Content-Type: application/x-www-form-urlencoded" -X POST -d "FUZZ=value"
Phase 4
x8 - Very Fast Alternative to ffuf
#1 Install x8 via Go
go install github.com/tomnomnom/x8@latest
#2 Basic parameter fuzzing with x8
x8 -u "https://site.com/endpoint?FUZZ=test" -w paramnames.txt
#3 Filter specific status codes
x8 -u "https://site.com/api?param=FUZZ" -w values.txt --filter-status 200,403
#4 High-speed fuzzing with 50 threads
x8 -u "https://site.com/endpoint" -w params.txt -t 200 --threads 50
Phase 5
gf - Filter URLs by Vulnerability Type
#1 Install gf via Go
go install github.com/tomnomnom/gf@latest
#2 Filter URLs that may be vulnerable to XSS
cat all_urls.txt | gf xss > xss.txt
#3 Filter SSRF candidates
cat all_urls.txt | gf ssrf > ssrf.txt
#4 Filter Open Redirect candidates
cat all_urls.txt | gf redirect > redirect.txt
#5 Filter SQL injection candidates
cat all_urls.txt | gf sql > sql.txt
Phase 6
Recommended Full Workflow
# Step 1: Run ParamSpider to collect URLs with parameters
paramspider -d target.com -o all_params.txt
# Step 2: Extract unique parameter names (strip the leading ?/& and the trailing =)
grep -oE '[?&][^=&]+=' all_params.txt | sed -E 's/^[?&]//; s/=$//' | sort -u > param_names.txt
# Step 3: Run Arjun for hidden parameters
arjun -u "https://target.com/endpoint" -t 100
# Step 4: Fuzz with ffuf for more parameters
ffuf -w param_names.txt -u "https://target.com/endpoint?FUZZ=test"
# Step 5: Filter results with gf by vulnerability type (gf takes one pattern per run)
for p in xss ssrf redirect sql; do gf "$p" < results.txt > "$p.txt"; done
Phase 7
Tools & References
Official Arjun repository - Best parameter discovery tool
https://github.com/s0md3v/Arjun
ParamSpider - Passive parameter extraction from Wayback Machine
https://github.com/devanshbatham/ParamSpider
x8 - Extremely fast parameter fuzzer (Go)
https://github.com/tomnomnom/x8
gf - Filter URLs by vulnerability type (XSS, SSRF, etc.)
https://github.com/tomnomnom/gf
CoffinXP Payloads - Collection of ready-to-use payloads
https://github.com/coffinxp/payloads
Tools
Tools & Resources
Arjun - Parameter Discovery
Best tool for discovering hidden parameters with brute-force
ParamSpider
Passive parameter extraction from Wayback Machine and Common Crawl
x8 - Fast Fuzzer
Very fast alternative to ffuf for parameter fuzzing
gf - URL Filter
Filter URLs by vulnerability type (XSS, SSRF, Redirect, SQL)
Seclists - Parameter Names
Wordlists for parameter name discovery
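
Detecting parameter-name fuzzing in access logs
The "?FUZZ=test" name-fuzzing commands above leave a recognizable trace on the server: one client sending many distinct parameter names to a single path in a short time. The following is an added example, not part of the original page or of any tool listed here; the log lines, threshold and function name are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: one client cycling parameter names against a single
# path (the shape "?FUZZ=test" produces), plus ordinary traffic from another client.
FUZZ_NAMES = ["id", "debug", "admin", "redirect", "url", "file", "callback", "token"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2025:12:00:{i:02d} +0000] "GET /endpoint?{n}=test HTTP/1.1" 200 512'
    for i, n in enumerate(FUZZ_NAMES)
] + [
    '198.51.100.4 - - [10/Mar/2025:12:00:03 +0000] "GET /endpoint?id=17 HTTP/1.1" 200 840',
    '198.51.100.4 - - [10/Mar/2025:12:00:09 +0000] "GET /endpoint?id=18&page=2 HTTP/1.1" 200 901',
    '198.51.100.4 - - [10/Mar/2025:12:01:30 +0000] "GET /search?q=shoes HTTP/1.1" 200 1201',
]

# client, timestamp, request target of a common/combined log format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} ')


def find_param_fuzzing(lines, min_names=6, window=timedelta(seconds=60)):
    """Map (client, path) -> sorted parameter names for every client that sent
    at least `min_names` distinct query parameter names to one path in `window`."""
    events = defaultdict(list)  # (client, path) -> [(time, parameter name)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        client, ts, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        for name, _value in parse_qsl(url.query, keep_blank_values=True):
            events[(client, url.path)].append((when, name))

    findings = {}
    for key, seen in events.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward in time
            if len({n for _, n in seen[start:end + 1]}) >= min_names:
                findings[key] = sorted({n for _, n in seen})
                break
    return findings


if __name__ == "__main__":
    for (client, path), names in find_param_fuzzing(SAMPLE_LOG).items():
        print(f"{client} probed {path} with {len(names)} parameter names: {names}")
```

Access logs record only the query string, so fuzzing of POST body parameters (-d "FUZZ=value") is not visible to this check unless request bodies are logged elsewhere.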