Arjun – Hidden HTTP Parameter Discovery Suite in Kali Linux
When a security researcher tries to hack a web application to test the security of a web application, sometimes it becomes a challenging task due to the sheer amount of moving parts they possess. The web applications use HTTP requests and parameters for GET and POST methods. But sometimes developers of web applications conceal these details from the user due to internal security reasons for the web applications. However, Arjun is a tool that can help security researchers in such situations. This tool helps security researchers to discover hidden HTTP parameters in web applications. HTTP parameters are also called query strings, which you see in the URL bar. The following is an example of an HTTP parameter.
Arjun is an Indian bug bounty tool. The Arjun tool is famous for finding query parameters for URL endpoints on the links of websites and web apps. This tool is a lightweight tool and can find parameters in 10 seconds by just making 20-40 requests to the target domain. This tool has an in-built default dictionary of 10,985 parameter names, which makes it more powerful to find query parameters in URL. This tool provides a command-line interface that you can run on Kali Linux. This tool can be used to get information about our target(domain), which can be a website or an IP address. The interactive console provides a number of helpful features, such as command completion and contextual help.
Step 1: Open your kali Linux operating system and use the following command to install the tool. After installing the tool, you have to move into the directory of the tool using the second command. To list out the contents of the directory, use the third command that is given below.
git clone https://github.com/s0md3v/Arjun.git cd Arjun ls -l
Step 2: The tool has been downloaded successfully. Now use the following command to install the tool.
python3 setup.py install
Step 3: The tool has been installed successfully. Now use the following command to run the tool.
The help menu of the tool is opened. The tool is running successfully. Now let’s see some examples which will show usages of the tool.
Example 1: Use the arjun tool to find the endpoints of a URL.
arjun -u http://testphp.vulnweb.com/listproducts.php
The tool giving all the information above can be useful for a security researcher.
Example 2: Use the arjun tool to find the endpoints of a URL with the -u flag.
arjun -u http://testphp.vulnweb.com/listproducts.php -o new.json
And to search for JSON parameters, use the –json option or new.json option with -o flag
Example 3: Use the arjun tool to find the endpoints of a URL with -u flag with the heuristic scanner.
arjun -u http://google.com
The -u flag is the simple way to run the tool. You have to apply the -u URL to the tool with the valid URL.
Example 4: Use the arjun tool to find endpoints of a URL with -u flag and thread drag.
arjun -u http://google.com -t 5