Parameters

Hidden parameters

Comparison

https://4rt.one/blog/1.html

x8

https://github.com/sh1yo/x8

# Send parameters via query
x8 -u "https://example.com/" -w <wordlist>

# With some default parameters:
x8 -u "https://example.com/?something=1" -w <wordlist>

# Send parameters via body
x8 -u "https://example.com/" -X POST --as-body -w <wordlist>

Arjun

# Sometimes hidden parameters are set on pages
# You can use tools like Arjun to find them (https://github.com/s0md3v/Arjun)
python3 arjun.py -u https://api.example.com/endpoint --get

# Multithreading
python3 arjun.py -u https://api.example.com/endpoint --get -t 22

# Delay between requests
python3 arjun.py -u https://api.example.com/endpoint --get -d 
# You can also use patator
# GET
patator http_fuzz url='url/?FILE0=1' 0=parameters.txt -x ignore:fgrep='error reflected content'

# POST
patator http_fuzz url='url/' method=POST body='FILE0=1' 0=wordlist.txt -x ignore:fgrep='error reflected content'

Open Redirect

# Some examples
verification-success?redirectTo=https%3a%2f%2fgoogle%2ecom%5c%2ewww%2eupwork%2ecom%2f&flowName=client_high_potential
redirect_after_login=https%3a%2f%2f%63%61%72%64s%2etwitter%2ecom%2fcards%2f18ce54su0k1%2f6tc5h
launchauth/?webbasedpurchasing=1&transid=2614806773554997295&authurl=https%3A%2F%2Fduckduckgo.com%2Forb%2Forb%3FACTION%3DDO_START%26REF%3D000000003700003159190000100001%26MAC%3D7UYgidiXPXlSwepsEkIkt2cjtzUjBN4cskq05erf%252Bhk%253D&s=5b57c3c66fea1edb71950f1b
login?u=2&to=YXdheS5waHA/dG89aHR0cDovL2FtcC5ncy9Wb3VxJnBvc3Q9LTIwNjI5NzI0XzExNjAyMDImY2Nfa2V5P
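
Defender-side check for the first two redirect values above, as an added example that is not part of the original notes: it shows why a suffix test on the parsed host accepts the backslash sample, and a stricter validator that rejects both. The allow-list (www.upwork.com only) and the function names are assumptions made for this illustration.

```python
from urllib.parse import unquote, urlsplit

# Assumption for this example: the app only redirects to these exact hosts.
ALLOWED_HOSTS = {"www.upwork.com"}

# Raw redirect values copied from the first two examples above.
BACKSLASH_SAMPLE = "https%3a%2f%2fgoogle%2ecom%5c%2ewww%2eupwork%2ecom%2f"
ENCODED_HOST_SAMPLE = ("https%3a%2f%2f%63%61%72%64s%2etwitter%2ecom"
                       "%2fcards%2f18ce54su0k1%2f6tc5h")


def decoded_host(raw_value):
    """Host that urlsplit() reports after one round of percent-decoding."""
    return urlsplit(unquote(raw_value)).hostname


def naive_is_allowed(raw_value, suffix=".upwork.com"):
    """Weak check: trusts the suffix of whatever urlsplit() calls the host."""
    return (decoded_host(raw_value) or "").endswith(suffix)


def is_safe_redirect(raw_value, allowed_hosts=ALLOWED_HOSTS):
    """Strict check: decode once, reject ambiguous input, match host exactly."""
    target = unquote(raw_value)
    # Browsers treat "\" like "/" in http(s) URLs, so the host urlsplit()
    # returns can differ from the host the browser actually visits.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading "/" stays on the same origin.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc:  # userinfo can disguise the real host
        return False
    return (parts.hostname or "") in allowed_hosts


if __name__ == "__main__":
    for sample in (BACKSLASH_SAMPLE, ENCODED_HOST_SAMPLE):
        print(unquote(sample), naive_is_allowed(sample), is_safe_redirect(sample))
```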

Parameter pollution

# Unicode characters can break some applications
# Example with the pile of poo
https://emojipedia.org/pile-of-poo/
💩