Hidden parameters discovery suite
The tool helps find hidden parameters that may be vulnerable or may reveal interesting functionality that other hunters miss. Greater accuracy is achieved through line-by-line comparison of pages, comparison of response codes, and detection of reflections of the injected value.
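The following is an added example, not code from x8 or x8-Burp, that shows the three checks named above in a minimal form: the page is fetched a few times without parameters so that lines which change on their own (request ids, timestamps) can be masked, then each candidate name is sent with a random value and the response is compared with the baseline by status code, by line-by-line body diff, and by looking for the value itself. The target `fake_app`, its parameter names (`q`, `debug`, `admin`) and the wordlist are constructed for the example and stand in for a real HTTP request function.

```python
import difflib
import itertools
import secrets
import string
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


def random_value(length=8):
    """Random alphanumeric value, so a reflection cannot be a coincidence."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def noisy_indices(bodies):
    """Line indices that differ between repeated fetches of the same page
    (request ids, timestamps, CSRF tokens). They are masked before diffing."""
    ref = bodies[0].splitlines()
    noisy = set()
    for other in bodies[1:]:
        matcher = difflib.SequenceMatcher(None, ref, other.splitlines(), autojunk=False)
        for tag, i1, i2, _, _ in matcher.get_opcodes():
            if tag != "equal":
                noisy.update(range(i1, i2))
    return noisy


def stable_lines(body, noisy):
    """Body split into lines with the noisy positions removed."""
    return [line for i, line in enumerate(body.splitlines()) if i not in noisy]


def learn_baseline(fetch, rounds=3):
    """Fetch the page without any candidate parameter several times."""
    responses = [fetch({}) for _ in range(rounds)]
    return responses[0], noisy_indices([r.body for r in responses])


def classify(baseline, candidate, value, noisy):
    """Reasons a candidate parameter looks interesting; [] means nothing found."""
    reasons = []
    if candidate.status != baseline.status:
        reasons.append("code %d -> %d" % (baseline.status, candidate.status))
    if value in candidate.body:
        reasons.append("reflected")
    # Strip the injected value before diffing so a plain reflection is
    # reported once, not also as a changed body line.
    before = stable_lines(baseline.body, noisy)
    after = stable_lines(candidate.body.replace(value, ""), noisy)
    changed = [l for l in difflib.ndiff(before, after) if l.startswith(("+ ", "- "))]
    if changed:
        reasons.append("body changed (%d line(s))" % len(changed))
    return reasons


def discover(wordlist, fetch):
    """Probe every word as a parameter name with a fresh random value."""
    baseline, noisy = learn_baseline(fetch)
    found = {}
    for name in wordlist:
        value = random_value()
        reasons = classify(baseline, fetch({name: value}), value, noisy)
        if reasons:
            found[name] = reasons
    return found


_request_id = itertools.count(1)


def fake_app(params):
    """Constructed stand-in for the target (no network). The per-request
    comment line is deliberate noise that must not produce findings."""
    lines = [
        "<html><body>",
        "<!-- request %d -->" % next(_request_id),
        "<h1>Search</h1>",
        "<p>You searched for: %s</p>" % params.get("q", ""),  # q is reflected
    ]
    status = 200
    if "debug" in params:  # hidden parameter that changes the body
        lines.append("<pre>debug: db=primary cache=off</pre>")
    if "admin" in params:  # hidden parameter that changes the status code
        status = 403
        lines.append("<p>Forbidden</p>")
    lines.append("</body></html>")
    return Response(status, "\n".join(lines))


if __name__ == "__main__":
    for name, why in discover(["page", "q", "debug", "admin", "lang"], fake_app).items():
        print(name, ", ".join(why))
```

Because every probe uses a random value, this approach finds parameters that react to any value; a parameter that only does something with one specific value (like the extra one on the test page mentioned below) needs a separate pass with a fixed value template.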
Information
when WAF is detected.
%s or &%s
25000 words, 5 threads
63000 words, 15 threads
Feel free to check whether the tool works as expected, and compare it with other tools, at https://4rt.one/index.html. That page has 2 reflected parameters, 4 parameters that change the response code, headers or body, and one extra parameter with a non-random value.
Thanks to Sh1Yo for the wonderful x8 utility. He added special functions to it so that we could write this wrapper. We also spotted some bugs, specifically in HTTP/2, while working on Burp Suite compatibility. To examine and understand the project in detail, or if you need a command line version, see the x8 project.
25000 words, 1 thread
You need to configure the Jython Standalone path in Burp Suite Extender options.
As this is a wrapper, a precompiled x8 binary is used.
Burp -> Extender -> ./x8-Burp/linux_x8.py
Burp -> Extender -> ./x8-Burp/win_x8.py