Hey guys!! What's going on? 👋 I was thinking of tweeting about parameter discovery in web apps lately; however, while I was composing the tweet, the thread grew to five tweets as I included everything: wordlists, tools, and approach. Then I thought, why not just publish on Medium without worrying about tweet limits? So there you have it, enjoy!! 😉
The first thing that may spring to mind is: why is parameter discovery essential?
Well, whether you're new to web app pentesting or have been doing it for a while, identifying unlinked, unknown, or hidden parameters in the target application can lead to juicy information or vulnerabilities, because such parameters get little attention from developers and are often not properly validated or access-controlled.
When people see a parameter in a bug bounty, everyone starts spamming their payload lists. Don't worry if you are doing that, I did the same in the beginning; it is not a wrong method, but it should be done last, after you have tried everything else. And most of the time, when you report it, it ends up as a duplicate, right? Because someone else is doing the same thing with the same technique.
Now I hope you understand why it is crucial to detect hidden parameters: they can lead to vulnerabilities such as XSS, IDOR, SSRF, privilege escalation, LFI, open redirects, and so on, and in some cases even PII leaks 😎, which many people miss.
Let's get started with the methodology! It's pretty simple: "Guess everywhere!!" Just kidding, "don't kill the server": keep your request rate and thread count low.
When and where to do fuzzing:
- Whenever you see an empty page that still returns 200 OK.
- On commonly seen endpoints, for example: login.php?FUZZ_HERE or /login?FUZZ_HERE
- On uncommon endpoints, which is a must, for example: /Thisendpointmakesnosense.php?FUZZ or /something?FUZZ
- In the POST body as well; not many of you do this, or do you?
- In addition, on functionality whose requests already carry many parameters.
I generally hand the endpoint to Param Miner in Burp for guessing while I test it in Repeater, and if Param Miner doesn't discover anything, I use a wordlist in Intruder or another tool like x8 or Arjun. While fuzzing, keep in mind to restrict the number of parameters per request and the number of threads in whatever tool you use, and make sure the program's policy allows fuzzing.
Overall What to Do:
1. Choose the most appealing target endpoint.
2. With a wordlist, send it to a tool for fuzzing params.
3. If there is anything in the output, manually test it for XSS, SSRF, privilege escalation, and so on!
Quite simple, isn't it? 😜 Why don't you give it a shot on your next pentest?
I follow the order listed below, but it may vary depending on the target. I usually find something using Param Miner and the Arjun default wordlist, but you may need to use others as well if you have the feeling "I am sure I am going to find something here, this seems interesting." That feeling comes when you look at an endpoint, but only if you have extensive familiarity with the web application.
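The procedure above, as an added example that is not code from the original post or from any of the tools it mentions: a small Python reimplementation of the batch-and-bisect approach that tools like Arjun and x8 use to keep request counts low. The target application, the wordlist and the hidden parameter names (debug, redirect) are constructed for the demo; against a real endpoint you would replace demo_app with an HTTP client call and keep chunk small enough to stay under the server's parameter-count and URL-length limits.

```python
"""Batch-and-bisect hidden parameter discovery.

Added example (not code from the original post or from Arjun/x8/Param
Miner): several candidate names are sent in one request; if the response
signature matches the baseline the whole batch is dropped, otherwise it is
split in half and re-tested until single names remain. The target is a
constructed in-process stand-in, so the script runs offline.
"""
import random
import string
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, str]                 # (HTTP status, body)
Target = Callable[[Dict[str, str]], Response]


def demo_app(params: Dict[str, str]) -> Response:
    """Constructed stand-in for a search endpoint (not a real application).
    'q' is the documented parameter; 'debug' and 'redirect' are hidden."""
    if "redirect" in params:
        return 302, ""                      # undocumented redirect parameter
    body = "<h1>Search</h1>"
    if "q" in params:
        body += "<p>Results for %s</p>" % params["q"]
    if "debug" in params:
        body += "<pre>DEBUG: config dump</pre>"   # undocumented debug output
    return 200, body


class CountingTarget:
    """Wraps a target and counts requests, so the cost of a run is visible."""

    def __init__(self, target: Target) -> None:
        self.target = target
        self.requests = 0

    def __call__(self, params: Dict[str, str]) -> Response:
        self.requests += 1
        return self.target(params)


def random_token(rng: random.Random, length: int = 8) -> str:
    return "".join(rng.choices(string.ascii_lowercase, k=length))


def signature(resp: Response) -> Tuple[int, int]:
    """What we compare: status and body length. Real tools also diff
    reflected values, headers and a normalised body."""
    status, body = resp
    return status, len(body)


def discover(target: Target, wordlist: Iterable[str], known: Iterable[str] = (),
             chunk: int = 50, seed: int = 1) -> List[str]:
    """Return candidate names whose presence changes the response.

    chunk caps how many names go into one request; keep it well below any
    server-side limit on parameter count or URL length."""
    rng = random.Random(seed)
    skip = set(known)
    candidates = [w for w in dict.fromkeys(wordlist) if w not in skip]
    # Baseline: one request with a name nobody should recognise. Comparing
    # against this (rather than the bare URL) absorbs applications that
    # react to *any* extra parameter.
    base = signature(target({random_token(rng): random_token(rng)}))
    found: List[str] = []
    for start in range(0, len(candidates), chunk):
        stack = [candidates[start:start + chunk]]
        while stack:
            group = stack.pop()
            probe = {name: random_token(rng) for name in group}
            if signature(target(probe)) == base:
                continue                    # nothing in this group matters
            if len(group) == 1:
                found.append(group[0])
                continue
            mid = len(group) // 2
            stack.extend([group[:mid], group[mid:]])
    return sorted(found)


def build_wordlist() -> List[str]:
    """Constructed wordlist: a few realistic names plus filler."""
    common = ["id", "page", "user", "callback", "debug", "next",
              "redirect", "lang", "sort", "q", "admin"]
    return common + ["p%03d" % i for i in range(100)]


def run_demo() -> Tuple[List[str], int]:
    """Discover hidden params on the demo target; 'q' is already known."""
    target = CountingTarget(demo_app)
    found = discover(target, build_wordlist(), known={"q"}, chunk=25)
    return found, target.requests


if __name__ == "__main__":
    names, n = run_demo()
    print("hidden parameters:", names, "requests:", n)
```

Two details matter in practice. The baseline is taken with a random, unknown parameter name rather than with the bare URL, so an application that reacts to any extra parameter does not light up every batch. And the signature is deliberately coarse (status plus body length): dynamic content such as timestamps or CSRF tokens would otherwise make every response look different, which is why the real tools normalise the body before comparing. The same loop covers the POST-body case by sending the probe dictionary as form or JSON data instead of a query string.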
Public:
- Arjun, all default wordlists: https://github.com/s0md3v/Arjun/tree/master/arjun/db
- Param Miner "params": https://github.com/PortSwigger/param-miner/blob/master/resources/params
- Assetnote "parameters_top_1m": https://wordlists.assetnote.io/
- nullenc0de "params.txt": https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773
You can combine all of these into one ultimate wordlist (deduplicate it with sort -u), but I'll leave that up to you. 👍 Also, this is not an exhaustive list; there are many more on the internet; these are just a handful that I frequently use!
Custom wordlist:
A public wordlist works most of the time, but occasionally a custom, target-specific wordlist is required. I generally use this when I'm working on a large scope or have a lot of targets in scope, because a parameter that is used on one sub-domain may also work on another target: developers love to copy-paste code. 😆
Here is the one-liner I use to generate the wordlist:
cat urls | unfurl keys | sort -u > params.txt
Before you run this, make sure you have collected the URLs of all subdomains using gau or waybackurls and have installed unfurl. unfurl's keys mode prints every query-string key on its own line; piping format %q (the whole a=1&b=2 query string) through cut -d "=" -f1 would keep only the first key of each URL.
cat subdomains.txt | gau > urls
These are the tools that work for me; if you have any others, you can use them as well. 👍
- x8: https://github.com/Sh1Yo/x8
- Arjun: https://github.com/s0md3v/Arjun
- Param Miner: https://github.com/PortSwigger/param-miner
- Parameth: https://github.com/maK-/parameth
Here's an excellent blog that compares the first three: https://4rt.one/blog/1.html
You may also use generic tools such as ffuf or even Burp Intruder itself, but I like to use tools that are specifically designed for the job. 😬
Parameter discovery can be highly useful, but many people neglect it, are unaware of it, or forget when to perform it. If you want to find those hidden bugs, this is a great step to begin with. With that, I'd like to finish, and I hope you succeed on your next hunt. 😄👍
Also, don't forget to share your ideas and criticism with me.
You may find me on the following platforms:
Twitter — https://twitter.com/KathanP19
LinkedIn — https://www.linkedin.com/in/kathan-patel-01b80516a/
YouTube — youtube.com/c/KathanPatel
Until the next time, have a great day!! 😄