Arjun - HTTP Parameter Discovery Suite

Arjun is a web application security tool that can help to find query parameters for URL endpoints. Query parameters are used by an attacker to hunt various vulnerabilities. For Example, XSS (Cross-Site Scripting), SQL Injection, LFI, RFI, and etc. With the help of this tool, you will understand what type of parameter is vulnerable. Then you can try payloads on those parameters.

Consider the following example of how parameters (or queries) are used in web applications to accept user input: Here the parameter is id.

http://www.hackhunt.in/userinfo?id=92577488

Explanation: A parameter termed admin, whenever set to true, will cause the endpoint to give extra information about a user whenever the URL is accessed. So we need to identify these kinds of valid HTTP arguments and this is exactly what Arjun performs.

Installation

There are two ways to install the Arjun tool in the Kali Linux system:
  • One: This tool comes as pip repository.
    Already installed on the machine

    • Two: You can clone it from Github. Command: git clone https://github.com/s0md3v/Arjun.git
    via GitHub Repository
    • To install, command: sudo python3 install setup.py
    Manual Installation
    • After installing, you can check the tool capability with --help or -h command: arjun -h.
    Help Command / All Options
    • For Example, we are taking a vulnerable website called testphp.vulnweb.com. Here, search anything in the search box and it will give parameters in the URL. To run the Arjun tool, it needs parameters from which it will find that it is vulnerable or not, so copy the URL.
    Get URL with Parameter
    • -u: With this argument, you can specify the URL. In this scenario, $ arjun -u http://testphp.vulnweb.com/search.php?test=query.
    Search for Parameters
    • It reflects that the goButton and searchFor input will reflect. So from attacker point of view, these parameters are not sanitized. We can try any payload for example in this case with a basic XSS payload: <script>alert(“HackHunt”)</script>.
    • We can try the above payload in the search box.
    Basic XSS Payload
    XSS Payload executed means this parameter is vulnerable. Similarly you can find parameters with the help of this tool and try to hunt with the payload.
    Now, 
    • -t: This argument is used to pass the threads.
    • -c: This argument is used to put the chunks which basically by default taken by Arjun tool but we can also minimize and maximize the chunk size with this argument.
    • --stable: This argument is used to prefer stability as compare to faster speed, because sometime faster speed will doudge some sensitive information.
    If all of these arguments, used collectively then it will give you better output but it will take time to get back to it.
    Result with the Options
    • After adding some argument in the search parameter URL. We tried on signup page on the same website (testphp.vulnweb.com) with -t (thread) = 100, and it found more parameters which maybe vulnerable like uname & pass along with searchFOR & goButton.
    With 100 Thread
    • --passive: This argument will help, when there is no parameter found. Still it give outputs, means it collects possible vulnerable parameters points by passive sources like wayback, gau, otx etc.
    With Passive
    Note: Some arguments by default take their own suitability (for example -w which is used for wordlist but by default arjun have their own wordlist). So, it’s better to not change those argument with some instance because arjun already known how to run with their default values. It is also shown in the help command that which argument is taken as default and where you have to type something.
    If you want to know the whole argument working you can refer to this document: https://github.com/s0md3v/Arjun/wiki/Usage
    We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.

    No comments:

    Post a Comment