mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings
synced 2024-06-30 19:02:55 +00:00
52 lines
2.3 KiB
Markdown
52 lines
2.3 KiB
Markdown
|
# HTTP Hidden Parameters
|
|||
|
|
|
|||
|
|
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
|
|||
|
|
|
|||
|
|
## Summary
|
|||
|
|
|
|||
|
|
* [Tools](#tools)
|
|||
|
|
* [Exploit](#exploit)
|
|||
|
|
* [Bruteforce parameters](#bruteforce-parameters)
|
|||
|
|
* [Old parameters](#old-parameters)
|
|||
|
|
* [References](#references)
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Tools
|
|||
|
|
|
|||
|
|
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Burp extension to identify hidden, unlinked parameters.
|
|||
|
|
* [s0md3v/Arjun](https://github.com/s0md3v/Arjun) - HTTP parameter discovery suite
|
|||
|
|
* [Sh1Yo/x8](https://github.com/Sh1Yo/x8) - Hidden parameters discovery suite
|
|||
|
|
* [tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls) - Fetch all the URLs that the Wayback Machine knows about for a domain
|
|||
|
|
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Exploit
|
|||
|
|
|
|||
|
|
### Bruteforce parameters
|
|||
|
|
|
|||
|
|
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
|
|||
|
|
```ps1
|
|||
|
|
x8 -u "https://example.com/" -w <wordlist>
|
|||
|
|
x8 -u "https://example.com/" -X POST -w <wordlist>
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
Wordlist examples:
|
|||
|
|
- [Arjun/large.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/large.txt)
|
|||
|
|
- [Arjun/medium.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/medium.txt)
|
|||
|
|
- [Arjun/small.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/small.txt)
|
|||
|
|
- [samlists/sam-cc-parameters-lowercase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-lowercase-all.txt)
|
|||
|
|
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
|
|||
|
|
|
|||
|
|
### Old parameters
|
|||
|
|
|
|||
|
|
Explore all the URL from your targets to find old parameters.
|
|||
|
|
* Browse the [Wayback Machine](http://web.archive.org/)
|
|||
|
|
* Look through the JS files to discover unused parameters
|
|||
|
|
|
|||
|
|
|
|||
|
|
## References
|
|||
|
|
|
|||
|
|
* [Hacker tools: Arjun – The parameter discovery tool - 17TH MAY 2021 - Intigriti](https://blog.intigriti.com/2021/05/17/hacker-tools-arjun-the-parameter-discovery-tool/)
|
|||
|
|
* [Parameter Discovery: A quick guide to start - 20/04/2022 - YesWeHack](https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/)
|
|||
|
|
|