How to discover hidden HTTP parameters to find weaknesses in web apps «Null Byte :: WonderHowTo



Hacking web applications can sometimes be challenging due to the sheer number of moving parts they possess. At the core of these apps are HTTP requests and parameters, but these things are often hidden from the user for security reasons, convenience, or both. However, a tool called Arjun can be used to discover hidden HTTP parameters in web apps.

HTTP parameters, also known as query strings, are the part of a URL that takes user input and forwards it to the web app. A typical example would look something like this:

  http://example.com/name?id=1 

When the server receives the request, it processes the query and returns a name with the ID of 1. Sometimes, as in web forms, multiple fields are passed in the query string. It usually looks something like this:

  http://example.com/form?field1=v1&field2=v2 

In some cases, some of these parameters may not be visible. For example, if a hidden parameter named admin is set to True, the app may expose different functionality than a regular user would see.

Arjun is a command-line tool that finds hidden HTTP parameters using a wordlist of parameter names. It features multi-threading and rate limit handling, and allows custom headers to be added to requests. It also supports GET, POST and JSON methods, making it a valuable resource for probing web applications.
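Wordlist-driven parameter discovery leaves a recognizable trace on the server side: one client sending many parameter names that the endpoint does not document. The following is an added example, not part of the original article or of Arjun, that flags that pattern in access logs; the log lines, the `DOCUMENTED` allowlist, the threshold and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /form?field1=v1&field2=v2 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /name?id=1&debug=x1&test=x2&admin=x3 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /name?id=1&role=x4&user=x5&token=x6 HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /name?id=1 HTTP/1.1" 200 298
"""

# Assumption: the parameters each endpoint officially accepts (hypothetical allowlist).
DOCUMENTED = {"/name": {"id"}, "/form": {"field1", "field2"}}

# Only the query string is visible here; POST/JSON body parameters need app-level logging.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def unknown_params_by_client(log_text):
    """Map (client, path) -> set of undocumented parameter names that client sent."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        url = urlsplit(target)
        names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        extra = names - DOCUMENTED.get(url.path, set())
        if extra:
            seen[(client, url.path)] |= extra
    return seen

def flag_parameter_guessing(log_text, threshold=5):
    """Return (client, path, names) for clients that tried >= threshold unknown names."""
    return sorted(
        (client, path, sorted(names))
        for (client, path), names in unknown_params_by_client(log_text).items()
        if len(names) >= threshold
    )

if __name__ == "__main__":
    for client, path, names in flag_parameter_guessing(SAMPLE_LOG):
        print(f"{client} probed {path} with {len(names)} undocumented parameters: {names}")
```

The same allowlist can be enforced in the application itself, so that undocumented parameters are rejected rather than silently processed.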

Download and Setup

We will use Metasploitable 2 as the target and Kali Linux as our local machine, but you can use whatever you like if you are following along.

The first thing we need to do is download Arjun from GitHub. We can easily clone a copy of the repository with the git clone command:

  ~# git clone https://github.com/s0md3v/Arjun

Cloning into 'Arjun'...
remote: Enumerating objects: 226, done.
remote: Total 226 (delta 0), reused 0 (delta 0), pack-reused 226
Receiving objects: 100% (226/226), 159.03 KiB | 1024.00 KiB/s, done.
Resolving deltas: 100% (104/104), done.

Now just change into the new directory with cd:

  ~# cd Arjun/

And we can display the contents with the command ls
