Arjun : HTTP Parameter Discovery Suite

Arjun is a web applications use parameters (or queries) to accept user input, take the following example into consideration.

http://api.example.com/v1/userinfo?id=751634589

This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.

The best part? It takes less than 30 seconds to go through this huge list while making just 50-60 requests to the target.

Also Read – Uac-A-Mola : Tool For Security Researchers To Investigate New UAC Bypasses

How Arjun Works?

Step #1

A request to the URL is made and the response length, plain-text length and response code are stored for comparison in later steps.
If any HTML form is found in the response, Arjun extracts field names from it and adds it to parameter name list for further checking.

Step #2

A second request to the URL is made but this time, a randomly generated parameter (expected to be non-existent) is added to the request to determine the behavior of the web application towards a non-existent parameter.
Number of reflections, response length, plain-text length and response code are stored for comparison in later steps.
These characteristics are also compared against the first request characteristics to determine what changes should be ignored to keep off false positives.

Step #3

A huge list of 25,980 parameters name list is loaded and divided into 25 different parts. All the parameter names of a part are sent in a single request with randomly generated values and hence a total of 25 requests are made.
Responses of these requests are compared with the previous data and the parts which didn’t cause any change in response are rejected.

Step #4

Every part which caused deviation in response is divided in two parts, and requests are made with each of them.
The part which doesn’t cause any change is again rejected and part which caused change is further divided into two parts. This process is continued until there’s just one or no parameters are left in each part. Empty parts are obviously rejected and the single parameter names are marked as valid.

Note: Reflections are tracked separately which means if value of a parameter is found to be reflected, Arjun picks it up and flags it as potentially valid right away.

Features

  • Multi-threading
  • Thorough detection
  • Automatic rate limit handling
  • A typical scan takes 30 seconds
  • GET/POST/JSON methods supported
  • Huge list of 25,980 parameter names