Each month, YesWeHack publishes articles on exploitation techniques, tools and tips to help hunters find vulnerabilities in their reconnaissance process and hunting routine. The goal is to provide ideas and keys to attack and understand the various web technologies hunters may face on their private programs.
Web applications & APIs are often the highly exposed asset of any organization. With the use of modern frameworks, the development process becomes handy and faster. However, often the developers leave some parameters unlinked, unreferenced or unintentionally/accidentally open for use. Often, attackers may utilize these to perform attacks such as Cross-Site Scripting (XSS), Open Redirection, Server-Side Request Forgery (SSRF), SQL Injection and others.
In this article, we will be discussing identifying the hidden attack surface by identifying the hidden parameters.
Parameter Discovery — Introduction
The process of identifying unlinked, unreferenced or simply hidden parameters that are accepted by the application and could allow a user to control the behaviour of the application using these hidden parameters is often known as Parameter Discovery.
As mentioned, the hidden parameters may allow an attacker to control the behaviour of the application and may result in the execution of successful attack scenarios such as Cross-Site Scripting, Open Redirection, SQL Injection, Local File Inclusion, Command Injection, Server-Side Request Forgery, Server-Side Template Injection and other security vulnerabilities such as an IDOR.
Hence, it is an essential step to perform parameter discovery as part of your Recon process for building an attack surface that is inclusive of the Hidden Attack Surface through these parameters. This often helps bug bounty hunters and security professionals to find unconventional and high reward paying bugs.
Since the purpose and motivation behind identifying the Hidden Parameters is now clear, let’s look for different tools & methodology to perform parameter discovery.
Tools for performing Parameter Discovery:
Arjun is a python based command-line tool that helps in the detection of the parameters present in the application. By default, the tool utilizes a custom wordlist to check for the parameters but this can be modified by the user to set their own parameters.
Detailed information and installation instructions can be found on the official repository of the Arjun tool: https://github.com/s0md3v/Arjun
Finding Hidden Parameters using Arjun
- Run the following command: arjun -u https://demo.testfire.net
- Observe the parameters returned by the tool.
Note: By default, the tool uses GET request method but you can define other methods such as POST by using -m flag. Ex: python3 arjun.py -u https://target.com/test -m POST
ParamSpider is a python based command-line tool that helps in the identification of the parameters. It has the ability to find parameters from web archives, subdomains and other sources as well. This is one of the most effective tools to identify the parameters.
Detailed information and installation instructions can be found on the official repository of the ParamSpider tool: https://github.com/devanshbatham/ParamSpider
Finding Hidden Parameters with ParamSpider
- Run the following command: python3 paramspider.py -d <target_domain> –level high
- Observe the output returned by the tool.
Param-Miner is a Burp Suite Extension that is handy and useful to find hidden and unlinked parameters that are specifically useful while looking for the Web Cache Poisoning related vulnerabilities.
Detailed information about the extension can be found here: https://github.com/PortSwigger/param-miner
As per the official GitHub Repository, the tool combines advanced diffing logic from Backslash Powered Scanner with a binary search technique to guess up to 65,000 parameters names per request. Param names come from a carefully curated built-in wordlist, and it also harvests additional words from all in-scope traffic.
To use it, right-click on a request in Burp and click “Guess (cookies|headers|params)”. If you’re using Burp Suite Pro, identified parameters will be reported as scanner issues. If not, you can find them listed under Extender -> Extensions -> Param Miner -> Output
Automating Vulnerabilities Example:
In this section, we will look at a simple example of chaining multiple tools to perform parameter discovery and further utilize the identified parameters to check against cross-site scripting using tools such as KXSS.
First, let’s perform parameter discovery using ParamSpider:
python3 paramspider.py --domain <target_domain> --level high --output params.txt
Now, We have all the parameters identified, let’s run XSS GF patterns to extract the parameters that could be vulnerable to XSS:
gf xss.json params.txt | tee xss.txt
Let’s run the Dalfox tool (https://github.com/hahwul/dalfox) on the URLs that are potentially vulnerable to XSS:
> cat xss.txt | dalfox pipe
Observe that we have found some valid Cross-Site Scripting Issues
As we were able to find valid cross-site scripting issues, you can also attempt to write your own one-liners or small scripts to automate other security vulnerabilities as well.
Thank you for reading the article till the end and we hope you have learned something new. Make sure to check out the programs on the YesWeHack platform and apply your newly learned skills to find some interesting security vulnerabilities. We will be back with some other interesting articles soon.