PayloadsAllTheThings/Hidden Parameters

HTTP Hidden Parameters

Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.

Summary

• Tools
• Methodology
  • Bruteforce Parameters
  • Old Parameters
• References

Tools

• PortSwigger/param-miner - Burp extension to identify hidden, unlinked parameters.
• s0md3v/Arjun - HTTP parameter discovery suite
• Sh1Yo/x8 - Hidden parameters discovery suite
• tomnomnom/waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain
• devanshbatham/ParamSpider - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing

Methodology

Bruteforce Parameters

• Use wordlists of common parameters and send them, look for unexpected behavior from the backend.

  x8 -u "https://example.com/" -w <wordlist>
  x8 -u "https://example.com/" -X POST -w <wordlist>
  

Wordlist examples:

• Arjun/large.txt
• Arjun/medium.txt
• Arjun/small.txt
• samlists/sam-cc-parameters-lowercase-all.txt
• samlists/sam-cc-parameters-mixedcase-all.txt

Old Parameters

Explore all the URL from your targets to find old parameters.

• Browse the Wayback Machine
• Look through the JS files to discover unused parameters

References

• Hacker tools: Arjun – The parameter discovery tool - Intigriti - May 17, 2021
• Parameter Discovery: A quick guide to start - YesWeHack - April 20, 2022