Arjun : HTTP Parameter Discovery Suite

Arjun is a web applications use parameters (or queries) to accept user input, take the following example into consideration.

http://api.example.com/v1/userinfo?id=751634589

This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,980 parameter names.

The best part? It takes less than 30 seconds to go through this huge list while making just 50-60 requests to the target.

Also Read – Uac-A-Mola : Tool For Security Researchers To Investigate New UAC Bypasses

How Arjun Works?

Step #1

A request to the URL is made and the response length, plain-text length and response code are stored for comparison in later steps.
If any HTML form is found in the response, Arjun extracts field names from it and adds it to parameter name list for further checking.

Step #2

A second request to the URL is made but this time, a randomly generated parameter (expected to be non-existent) is added to the request to determine the behavior of the web application towards a non-existent parameter.
Number of reflections, response length, plain-text length and response code are stored for comparison in later steps.
These characteristics are also compared against the first request characteristics to determine what changes should be ignored to keep off false positives.

Step #3

A huge list of 25,980 parameters name list is loaded and divided into 25 different parts. All the parameter names of a part are sent in a single request with randomly generated values and hence a total of 25 requests are made.
Responses of these requests are compared with the previous data and the parts which didn’t cause any change in response are rejected.

Step #4

Every part which caused deviation in response is divided in two parts, and requests are made with each of them.
The part which doesn’t cause any change is again rejected and part which caused change is further divided into two parts. This process is continued until there’s just one or no parameters are left in each part. Empty parts are obviously rejected and the single parameter names are marked as valid.

Note: Reflections are tracked separately which means if value of a parameter is found to be reflected, Arjun picks it up and flags it as potentially valid right away.

Features

  • Multi-threading
  • Thorough detection
  • Automatic rate limit handling
  • A typical scan takes 30 seconds
  • GET/POST/JSON methods supported
  • Huge list of 25,980 parameter names
R K

Recent Posts

Install Pip on Ubuntu 18.04: Python 3 and Python 2 Setup Guide

Pip is the official package manager for Python and the standard way to install libraries from…

1 day ago

Install R on Ubuntu 18.04 from CRAN: Statistical Computing Setup

R is an open-source programming language and environment built for statistical computing and data visualization. It…

1 day ago

Install Jenkins on Ubuntu 18.04: CI/CD Server Setup Guide

Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…

1 day ago

Install Android Studio on Ubuntu 18.04 with Snap and OpenJDK 8

Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…

1 day ago

Install and Configure GitLab on Ubuntu 18.04 with Omnibus

GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…

1 day ago

Install Anaconda on Ubuntu 18.04: Python Data Science Setup Guide

Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…

2 days ago