arjun - HTTP parameter discovery suite
arjun [-h] [-u URL] [-o JSON_FILE] [-oT TEXT_FILE] [-oB [BURP_PORT]] [-d DELAY] [-t THREADS] [-w WORDLIST] [-m METHOD] [-i [IMPORT_FILE]]
[ -T TIMEOUT] [-c CHUNKS] [-q] [--headers [HEADERS]] [--passive [PASSIVE]] [--stable] [--include INCLUDE] [--disable-redirects]
Arjun can find query parameters for
URL endpoints. If you don't get what
that means, it's okay, read along. Web applications use parameters (or
queries) to accept user input, take the following example into consideration:
http://api.example.com/v1/userinfo?id=751634589
This
URL seems to load user information for a specific user id, but what
if there exists a parameter named admin which when set to True makes the
endpoint provide more information about the user? This is what Arjun does, it
finds valid HTTP parameters with a huge default dictionary of 25,890 parameter
names. The best part? It takes less than 10 seconds to go through this huge
list while making just 50-60 requests to the target. Here's how.
- -
- Supports GET/POST/POST-JSON/POST-XML requests
- -
- Automatically handles rate limits and timeouts
- -
- Export results to: BurpSuite, text or JSON file
- -
- Import targets from: BurpSuite, text file or a raw request
file
- -
- Can passively extract parameters from JS or 3 external
sources
- -h, --help
- show this help message and exit.
- -u URL
- Target URL.
- -o JSON_FILE, -oJ
JSON_FILE
- Path for json output file.
- -oT TEXT_FILE
- Path for text output file.
- -oB [BURP_PORT]
- Port for output to Burp Suite Proxy. Default port is
8080.
- -d DELAY
- Delay between requests in seconds. (default: 0).
- -t THREADS
- Number of concurrent threads. (default: 5).
- -w WORDLIST
- Wordlist file path. (default:
/usr/lib/python3/dist-packages/ arjun/db/large.txt).
- -m METHOD
- Request method to use: GET/POST/XML/JSON/HEADERS.
(default: GET).
- -i [IMPORT_FILE]
- Import target URLs from file.
- -T TIMEOUT
- HTTP request timeout in seconds. (default: 15).
- -c CHUNKS
- Chunk size. The number of parameters to be sent at
once.
- -q
- Quiet mode. No output.
- --headers [HEADERS]
- Add headers. Separate multiple headers with a new
line.
- --passive [PASSIVE]
- Collect parameter names from passive sources like wayback,
commoncrawl and otx.
- --stable
- Prefer stability over speed.
- --include INCLUDE
- Include this data in every request.
- --disable-redirects
- disable redirects.
arjun -h
arjun -u http://site.example.com/test.php
arjun -u http://site.example.com/test.php -o test.json
arjun -u http://site.example.com -t 5
arjun -u http://site.example.com --stable
Written by Somdev Sangwan <
[email protected]>
This manual page was written by Guilherme de Paula Xavier Segundo
<
[email protected]> for the Debian project (but may be used by
others).