Wonder what's modified in this Arjun version?
Simple: nowadays many platforms use JavaScript for their frontends, and they usually store those interesting parameters in JavaScript arrays.
This Arjun version grabs variable names from strings like {"name":"value"}. Lately I got MANY injections from GET/POST/Cookies scraping those, and later escaping with </script>. This happened to me in many programs, including big ones like PayPal, Yahoo, etc., and this little trick helped me a lot. When you are fuzzing a page that gives no response, go with dictionary fuzzing, but if it's a responding website this heuristic technique is usually faster and better.
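The heuristic described above, sketched as an added example (not code from Arjun or from this fork): it collects quoted object keys from inline `<script>` blocks as candidate parameter names, which is also a quick way to see which names your own pages disclose. `candidate_params`, `ScriptCollector` and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# A quoted key followed by a colon, as in {"name":"value"} or {'name': 1}
KEY_RE = re.compile(r"""["']([A-Za-z_][\w\-]{0,63})["']\s*:""")


class ScriptCollector(HTMLParser):
    """Collects the text of inline <script> elements and nothing else."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)


def candidate_params(html):
    """Return key names found in inline scripts, de-duplicated, first-seen order."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    seen = []
    for chunk in collector.chunks:
        for name in KEY_RE.findall(chunk):
            if name not in seen:
                seen.append(name)
    return seen


# Constructed sample page (not taken from any real site)
SAMPLE_HTML = """<html><body>
<p>"notakey": text outside a script is ignored</p>
<script>
var cfg = {"userId": 751634589, "admin": false, 'redirect_url': "/home"};
var i18n = {"title": "Hello", "userId": 1};
</script>
</body></html>"""

if __name__ == "__main__":
    print(candidate_params(SAMPLE_HTML))
```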
Web applications use parameters (or queries) to accept user input. Take the following example into consideration:
http://api.example.com/v1/userinfo?id=751634589
This URL seems to load user information for a specific user id, but what if there exists a parameter named `admin` which, when set to `True`, makes the endpoint provide more information about the user?
This is what Arjun does: it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.
The best part? It takes less than 30 seconds to go through this huge list while making just 50-60 requests to the target.
Want to know how Arjun does that? Here's how.
You can encourage me to contribute more to the open source with donations.
- Paypal - https://paypal.me/s0md3v
- Credit/Debit Card - https://www.buymeacoffee.com/s0md3v
Do you want to sponsor Arjun and get mentioned here? Email me s0md3v[at]gmail[dot]com
- Multi-threading
- Thorough detection
- Automatic rate limit handling
- A typical scan takes 30 seconds
- `GET/POST/JSON` methods supported
- Huge list of 25,980 parameter names
Note: Arjun doesn't work with Python < 3.4
A detailed usage guide is available in the Usage section of the Wiki.
An index of options is given below:
- Scanning a single URL
- Scanning multiple URLs
- Choosing number of threads
- Handling rate limits
- Delay between requests
- Including persistent data
- Saving output to a file
- Adding custom HTTP headers
The parameter names are taken from @SecLists.