• We just launched and are currently in beta. Join us as we build and grow the community.

Arjun – Hidden HTTP Parameter Discovery Suite

damieral019

Cybersecurity Architect
D
D Rep
0
0
0
Rep
0
D Vouches
0
0
0
Vouches
0
Posts
171
Likes
176
Bits
0
2 MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1 400 XP
Red-Computer-Photo-Technology-YouTube-Thumbnail.png


Hey Folks, in this tutorial we are going to talk about another bug bounty tool called “Arjun“. The Arjun tool is specifically designed to find query parameters for URL endpoints. It finds valid HTTP parameters with a huge default dictionary of 10,985 parameter names. The best part of this tool is that it takes less than 10 seconds to go through this huge list while making just 20-30 requests to the target.

Let’s take a look 😛 !!

Configure Dependencies

Now this tool comes pre-installed but only in the latest release of kali linux, so we will try to install it by ourselves. The tool is coded in python language which is why we need to install python compiler to operate this tool.

apt install python python31apt install python python3

1.png


Move 😛 !! Once the necessary dependencies are established we proceed to the installation of this tool. We first need to download the entire github project using the git command. After that we go to the directory and execute the python command to configure this tool.

git clone https://github.com/s0md3v/Arjun.git
cd Arjun
ls -l
python3 setup.py install1234git clone
https://github.com/s0md3v/Arjun.gitcd Arjunls-lpython3 setup.py install

2.png


COOL 😛 !! This tool has been installed in the main library of kali linux and now we can access it from anywhere.

arjun -h1arjun-h

3.png


Let us show a demo of this tool. As you can see in the image below, there is no parameter available to give input in URL. Let’s try to explore valid parameter.

Loading…

testphp.vulnweb.com

Loading…

testphp.vulnweb.com

4.png


All you have to do is name the target URL and wait until the scan is complete. After the scan is complete it will show all valid parameters. Let’s take it one of those valid parameters.

arjun -u http://testphp.vulnweb.com/listproducts.php1arjun-u

Loading…

testphp.vulnweb.com

5.png


Valid 😛 !! The parameter we found is valid. As you can see when we enter a number along with adding parameters then get the results on the web application.

6.png


Good 😛 !! As a proof you can see that when we test other parameters they also work fine.

7.png

Save (JSON)

We can present the entire result in JSON file format using the following command.

arjun -u http://testphp.vulnweb.com/listproducts.php -o new.json1arjun-u
http://testphp.vulnweb.com/listproducts.php -o new.json

8.png


Done 😛 !! It looks good 🙂 !!

9.png


The main features have been presented to you and you can try the rest one by one yourself.

10.png
About the AuthorShubham Goyal Certified Ethical Hacker, information security analyst, penetration tester and researcher. Can be Contact on Linkedin.
 
You must log in or register to reply here.

440,010

316,559

316,568

S sanlaxi
Top