GitHub - s0md3v/Arjun: HTTP parameter discovery suite.
source link: https://github.com/s0md3v/Arjun
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
Arjun
HTTP Parameter Discovery Suite
Introduction
Web applications use parameters (or queries) to accept user input, take the following example into consideration
http://api.example.com/v1/userinfo?id=751634589
This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.
The best part? It takes less than 30 seconds to go through this huge list while making just 30-35 requests to the target.
Want to know how Arjun does that? Here's how.
Features
- Multi-threading
- Thorough detection
GET/POST/JSONmethods supported- A typical scan takes 30 seconds
- Regex powered heuristic scanning
- Huge list of 25,980 parameter names
- Makes just 30-35 requests to the target
Note: Arjun doesn't work with python < 3.4
How to use Arjun?
A detailed usage guide is available on Usage section of the Wiki.
An index of options is given below:
- Scanning a single URL
- Scanning multiple URLs
- Choosing number of threads
- Delay between requests
- Including presistent data
- Saving output to a file
- Adding custom HTTP headers
Credits
The parameter names are taken from @SecLists.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK