Params — Discovering Hidden Treasure in WebApps

Kathan Patel
Published in Geek Culture
5 min read · Jul 8, 2021

Hey Guys!! What's going on? 👋 I was thinking of tweeting about parameter discovery in web apps lately; however, while I was composing the tweet, the thread grew to 5 tweets as I included everything: wordlist, tools, and approach. Then I thought, why not just publish on Medium without worrying about tweet limits? So there you have it, enjoy!! 😉

Why?

The first thing that may spring to mind is why parameter discovery is essential, right?

Well…!! Whether you’re new to web app pentesting or have been doing it for a while, identifying unlinked, unknown, or hidden parameters in the target application might lead to juicy information or vulnerabilities, because they don’t get much attention and are often not properly configured.

When you see a parameter in Bug Bounties, everyone starts spamming their payload list. Don’t worry if you’re doing this, because I was doing the same at the beginning; it’s not a wrong method, but it should be done at the end, after you’ve tried everything else. And most of the time when you report it, it goes dup, right? Because someone else is doing the same thing or employing the same technique.

Now I hope you understand why it is crucial to detect hidden parameters; it can help you find vulnerabilities such as XSS, IDOR, SSRF, privilege escalation, LFI, open redirects, and so on. Even, in some cases, PII leaks 😎, which are missed by many people.

Methodology:

Let’s get started with the methodology! It’s pretty simple: “Guess everywhere!!” Just kidding, “don’t kill the server.”

When and where to do fuzzing:

  1. Whenever you see an empty page and get 200 OK in response.
  2. On commonly seen endpoints, for example: login.php?Fuzz_Here or /login?FUZZ_Here
  3. Uncommon endpoints are a must as well, for example: /Thisendpointmakesnosense.php?FUZZ or /something?Fuzz
  4. In the POST body as well; not many of you do this, or do you?
  5. In addition, on functionality whose request already has many parameters.

I generally give the endpoint to param-miner in Burp for guessing while testing it in the Repeater, and if param-miner doesn’t discover anything, I use a wordlist in Intruder or another tool like x8 or Arjun. While fuzzing, keep in mind to restrict the number of parameters and threads in the tools you’re using, and ensure that the program’s rules allow fuzzing.

Overall What to Do:

  1. Choose the most appealing target endpoint.
  2. Send it, with a wordlist, to a tool for fuzzing params.
  3. If there is anything in the output, manually test it for XSS, SSRF, privilege escalation, and so on!!

Quite simple, isn’t it? 😜 Why don’t you give it a shot on your next pentest?

Wordlist:

I follow the order listed below, but it may vary depending on the target. I usually find something using param-miner and Arjun Default Wordlist, but you may need to use others as well if you have the feeling that “I am Sure I am Gonna Find Something Here, This Seems Interesting.” This occurs to you when you see an endpoint, but only if you have extensive familiarity with or understanding of the web application.

Public:

  1. Arjun all default wordlists: https://github.com/s0md3v/Arjun/tree/master/arjun/db
  2. Param-miner “params” : https://github.com/PortSwigger/param-miner/blob/master/resources/params
  3. Assetnote “parameters_top_1m”: https://wordlists.assetnote.io/
  4. nullenc0de “params.txt”: https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773

You can combine all of this to make the ultimate wordlist, but I’ll leave that up to you. 👍 Also, this is not an exhaustive list; there are many more on the internet; these are just a handful that I frequently use!

Custom wordlist:

A public wordlist can be used, but occasionally a custom, target-specific wordlist is required. I generally use this when I’m working on a large scope or have a lot of targets in scope to test. Some parameters are only used on a specific sub-domain, but because developers love to copy-paste code, those parameters may also work on another target. 😆

Here is the one-liner I use to generate the wordlist:

cat urls | unfurl format %q | cut -d "=" -f1 | sort -u > params.txt

Before you run this, make sure you have collected the URLs of all subdomains using gau or waybackurls and have installed unfurl:

cat subdomains.txt | gau > urls
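The same wordlist-building step, written as an added example (not code from the original post) that uses only POSIX tools, so it runs without unfurl. It reads URLs on stdin (the `urls` file gau produces, or the constructed sample below) and keeps every key in a URL’s query string, not only the one before the first `=`, which is what `cut -d "=" -f1` on the raw query string returns.

```shell
#!/bin/sh
# Added example: build a target-specific parameter wordlist from a list of URLs.
# Input: one URL per line on stdin. Output: unique parameter names, one per line.

gen_param_wordlist() {
  # 1. keep only the query part: from the first '?' up to an optional '#fragment'
  # 2. drop the leading '?' and put one key=value pair per line
  # 3. strip '=value' (a key with no '=' such as ?debug is kept as-is);
  #    a percent-encoded '=' inside a value (%3D) never reaches this step
  # 4. drop empty entries (e.g. from a trailing '&') and deduplicate
  grep -o '?[^#]*' \
    | sed 's/^?//' \
    | tr '&' '\n' \
    | sed 's/=.*//' \
    | grep -v '^$' \
    | sort -u
}

# Constructed sample input standing in for the `urls` file written by gau.
SAMPLE_URLS='https://app.example.com/login?user=a&redirect=/home
https://app.example.com/login?debug&user=b#top
https://api.example.com/v1/items?id=1&sort=asc&sort=desc&
https://app.example.com/about
https://app.example.com/search?q=a%3Db&page=2'

# Usage: printf '%s\n' "$SAMPLE_URLS" | gen_param_wordlist > params.txt
printf '%s\n' "$SAMPLE_URLS" | gen_param_wordlist
```

Swap the sample for `cat urls | gen_param_wordlist > params.txt` to produce the same `params.txt` the one-liner above writes.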

Now, that is one method, but what if I told you there is a better one? The method I am going to share with you uses Burp itself. The only problem with it is that it is slow, because you need to crawl the site manually, but that can be overcome if you have Burp Pro.

You will require the getAllParams extension, which you can install in Burp Community as well as Pro.

Steps:

  1. Install and configure the Extension.
  2. Crawl the target manually or automatically.
  3. Go to the Burp Target Tab, pick the domains for which you want to build a wordlist, right-click, and choose “Get All Params” from the list.
    Target -> Extension -> Get All Params
  4. Now, navigate to the “Get All Params” tab, copy all of the parameters shown under “Potential parameters found”, and paste them into a text file.
  5. That’s it, done. Now you can use this wordlist in any of the tools mentioned in the “Tools:” section.

The advantage of this technique is that it collects parameters from several fields and vectors, as opposed to only the query string of GET request URLs, as in the previous approach.

Tools:

These are the tools that work for me; if you have any others, you can use them as well. 👍

  1. x8: https://github.com/Sh1Yo/x8
  2. Arjun: https://github.com/s0md3v/Arjun
  3. Param-miner: https://github.com/PortSwigger/param-miner
  4. Parameth: https://github.com/maK-/parameth

Here’s an excellent blog that compares the first three: https://4rt.one/blog/1.html

You may also use other tools such as ffuf or even the burp intruder itself, but I like to use tools that are particularly designed for the job. 😬

Conclusion:

Parameter discovery may be highly useful, but many people neglect it or are unaware of it, and they often forget or are oblivious of when to perform it. If you want to locate those hidden bugs, this might be a wonderful place to begin. With that, I’d like to finish, and I hope you succeed on your next hunt. 😄👍

Also, don't forget to share your ideas and criticism with me.

You may find me on the following platforms:

Twitter — https://twitter.com/KathanP19
LinkedIn — https://www.linkedin.com/in/kathan-patel-01b80516a/
Youtube — youtube.com/c/KathanPatel
Github — https://github.com/KathanP19

Also, if you want to see more posts like this, please support me by purchasing a cup of coffee.
https://www.buymeacoffee.com/kathanp19

Until the next time, have a great day!! 😄
