HTTP Hidden Parameters
Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
Summary
Tools
- PortSwigger/param-miner - Burp extension to identify hidden, unlinked parameters.
- s0md3v/Arjun - HTTP parameter discovery suite
- Sh1Yo/x8 - Hidden parameters discovery suite
- tomnomnom/waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain
- devanshbatham/ParamSpider - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
Exploit
Bruteforce parameters
- Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
Wordlist examples: - Arjun/large.txt - Arjun/medium.txt - Arjun/small.txt - samlists/sam-cc-parameters-lowercase-all.txt - samlists/sam-cc-parameters-mixedcase-all.txt
Old parameters
Explore all the URL from your targets to find old parameters. * Browse the Wayback Machine * Look through the JS files to discover unused parameters