// arsenal·Web AppSecBeginnerFOSS

Arjun

HTTP parameter discovery tool — finds hidden GET/POST params.

Web AppSec

$ arjun --help

Arjun

// what it is

Description

s0md3v's small-but-essential tool: bruteforces parameter names and identifies those that change response behavior. Critical first step for finding hidden endpoints and bypasses.

// use cases

What people use it for

Parameter mining before manual testing
Find hidden admin parameters

// commands

The commands you'll type

GET param mining

$ arjun -u https://target/page -m GET

// facts

category: Web AppSec
platforms: LIN · WIN · MAC
license: FOSS
difficulty: Beginner

// links

// related in Web AppSec

Web AppSecIntermediate

Burp Suite

PortSwigger's intercepting HTTP proxy — the de facto web app testing platform.

OWASP ZAP

The free, OWASP-stewarded alternative to Burp.

Nikto

Loud-but-fast web server scanner — checks for thousands of misconfigurations.

FOSS

LIN·WIN·MAC

open entry →