Skip to content

HTTP Hidden Parameters

Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.

Summary

Tools

Exploit

Bruteforce parameters

  • Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
    x8 -u "https://example.com/" -w <wordlist>
    x8 -u "https://example.com/" -X POST -w <wordlist>
    

Wordlist examples: - Arjun/large.txt - Arjun/medium.txt - Arjun/small.txt - samlists/sam-cc-parameters-lowercase-all.txt - samlists/sam-cc-parameters-mixedcase-all.txt

Old parameters

Explore all the URL from your targets to find old parameters. * Browse the Wayback Machine * Look through the JS files to discover unused parameters

References