Arjun
API parameter discovery tool with smart brute-forcing
Recon & OSINT10 commands
#api#parameter#discovery#brute-force#recon
Installation
1Install via pip
2Or clone from GitHub
3Verify installation
# Using pip
pip install arjun
# Or from GitHub
git clone https://github.com/s0md3v/Arjun
cd Arjun
pip install -r requirements.txt
# Verify
python arjun.py -hBasic Usage
Discover hidden API parameters using intelligent brute-forcing
# Basic GET parameter discovery
python arjun.py -u https://site.com/endpoint.php
# POST parameter discovery with JSON
python arjun.py -u https://site.com/api -m POST -T "application/json"
# Save results to JSON
python arjun.py -u https://site.com/api -o results.json
# With custom threads
python arjun.py -u https://site.com/api -t 120Command Reference
10 commands
1Target URL
-u2Output file path
-o3HTTP method (GET/POST)
-m4Content-Type header
-T5Number of threads
-t6Raw POST data
-d7Input from file
-i8Add persistent parameters
-p9Quiet mode
-q10Save in all formats
-oAWhen to Use
1
API parameter discovery2
Pre-exploitation reconnaissance3
Finding hidden or undocumented parameters4
REST API security testing5
Bug bounty hunting on APIsNotes & Tips
1
Does not need parameter wordlists — discovers params automatically2
Uses API-specific payloads, not generic brute-force3
Supports JSON, form-data, and urlencoded content types4
Best for REST APIs rather than HTML forms5
Can be combined with ffuf for better coverage6
Requires Python 3.6+Common Errors & Solutions
ConnectionError / Connection Refused
Ensure the server is running and URL is correct
403 Forbidden
Add custom headers or use cookies for authentication
ModuleNotFoundError
Install dependencies: pip install -r requirements.txt