Hunting for Hidden Parameters in Burp Suite

Bryan Matthew
MII Cyber Security Consulting Services
3 min read · Feb 26, 2024
Image Source: https://www.infographicportal.com/10-hidden-urls-to-help-you-rule-the-web/

Let me start this post with a bold statement:

Hidden parameters are often overlooked, and you could miss out if you don’t start looking for them in your next bug bounty or pen-test engagement.

In this article, I will be talking about how you could look for hidden parameters in Burp Suite by using the “Param Miner” extension.

First of all, there’s an important question that we need to ask ourselves:

Where do we look for hidden parameters?

Ideally, everywhere. But if time is not on your side, look where there is potentially an access-control bypass: for example, 403 Forbidden pages and pages that automatically redirect to another page.

Let’s Try it on a Real Website…

I tested this on a website, let’s call it target.com. Every time I enter https://target.com/index.php, it will redirect automatically to https://target.com/.
Many people will ignore this, but we won’t (at least after reading this post).

Figure: Page Redirects Automatically

Next, we should fire up the “Param Miner” extension, as shown in the image below:
There are 4 options: Guess GET parameters, Guess cookie parameters, Guess headers, and Guess everything. In this case, I only picked the GET parameter option, but you should try the others as well.

Figure: Use the Param Miner Extension

Then, you will be faced with a pop-up window to configure the settings. Just click on “Ok”.

After that, the extension should be running. You can see the progress and results by going to the “Extensions” tab on your Burp Suite. Then go to “Installed -> Param Miner -> Output” as shown in the image below.

We got 4 parameters: search, route, tracking, and popup. Let’s test them out in Repeater.

I used “testbugbounty” as the test value for my experiments. It can be seen below that I no longer got redirected (no 3xx HTTP response code), and the string “testbugbounty” got reflected in the source code and response headers.

Figures: responses for the Search, Route, Tracking, and Popup parameters

Looking at the responses, we can try several injection attacks, such as XSS, SQLi, SSRF, etc.

Lesson Learned
We have just learned how we could potentially discover new attack surfaces on a page that seemed useless in the beginning.
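
Seen from the application owner's side, the same exercise leaves a trace: requests to one path carrying query parameter names the application never advertises. The following is an added example, not part of the original post or of Param Miner; the allow-list in `DOCUMENTED`, the `THRESHOLD` value and the log lines are constructed assumptions, and it assumes the web server logs the full query string in Common Log Format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: the query parameters each path is documented to accept.
DOCUMENTED = {"/index.php": {"page", "lang"}}
# Assumption: distinct unknown names per client and path that triggers an alert.
THRESHOLD = 5

# Common Log Format up to the request line: client, identity, user, time, request.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*"')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [26/Feb/2024:10:00:01 +0000] "GET /index.php?search=zz1&route=zz1&debug=zz1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Feb/2024:10:00:02 +0000] "GET /index.php?tracking=zz1&popup=zz1&admin=zz1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [26/Feb/2024:10:00:05 +0000] "GET /index.php?page=2&ref=mail HTTP/1.1" 302 0',
    '198.51.100.4 - - [26/Feb/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 4096',
]


def unknown_params(log_lines, documented=DOCUMENTED):
    """Map (client, path) to the set of query parameter names outside the allow-list."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line or a method other than GET/HEAD
        client, target = m.groups()
        url = urlsplit(target)
        names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
        extra = names - documented.get(url.path, set())
        if extra:
            seen[(client, url.path)] |= extra
    return dict(seen)


def guessing_clients(log_lines, threshold=THRESHOLD):
    """Return sorted (client, path) pairs that sent at least `threshold` unknown names."""
    hits = unknown_params(log_lines)
    return sorted(key for key, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    for client, path in guessing_clients(SAMPLE):
        print(f"possible parameter guessing: {client} -> {path}")
```

The unknown names it collects are also a review list: any of them that the application actually reads, as `search`, `route`, `tracking` and `popup` were here, should be documented, validated and output-encoded, or removed.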
