Parameter Mining Tips: Arjun, ParamSpider, and Hidden Inputs
Cybersecurity
Hidden parameters are where IDORs, SSRFs, and debug flags live. Learn how to mine them with Arjun and ParamSpider without poisoning your results.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 18, 2023 · 8 min read
Why hidden parameters matter
An endpoint with three documented params often accepts ten. The undocumented seven are where debug toggles, admin overrides, and IDOR-friendly fields live. Parameter mining surfaces them.
Start with passive sources
- paramspider against the target domain to extract historical params
- gau and waybackurls, filtered for query strings
- Your own JS analysis output; parameter names often appear as object keys
- Burp history, exported and grepped for param names per host
Build a per-target wordlist from these sources. Generic param lists from SecLists are fine as a base, but a target-tuned list will always find more.
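One way to turn those passive sources into a per-host wordlist, as an added example that is not part of the original post or of ParamSpider/Arjun: it reads URL lines of the kind paramspider, gau, waybackurls or a grepped Burp export produce, extracts parameter names per host, and puts target-tuned names ahead of a generic base list. The SAMPLE input and the target.example host are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit


def param_names(url: str) -> list[str]:
    """Parameter names in a URL's query string, plus any '?key=..' section
    inside the fragment (SPA routes). Blank values are kept so a bare
    '?debug' key is not lost; order is preserved and duplicates dropped."""
    parts = urlsplit(url.strip())
    queries = [parts.query]
    if "?" in parts.fragment:
        queries.append(parts.fragment.split("?", 1)[1])
    names: list[str] = []
    for q in queries:
        for key, _ in parse_qsl(q, keep_blank_values=True):
            key = key.strip()
            if key and key not in names:
                names.append(key)
    return names


def mine(lines) -> dict[str, Counter]:
    """Map host -> Counter of parameter names over all URL lines.
    Lines that are not http(s) URLs (blanks, tool banners) are skipped."""
    per_host: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line.startswith(("http://", "https://")):
            continue
        per_host[urlsplit(line).netloc.lower()].update(param_names(line))
    return per_host


def wordlist(per_host, host: str, base=()) -> list[str]:
    """Target-tuned names first (most frequent first), then the generic
    base list (e.g. SecLists) minus anything already seen on the host."""
    tuned = [n for n, _ in per_host.get(host, Counter()).most_common()]
    return tuned + [b for b in base if b not in tuned]


# Constructed sample input shaped like paramspider/gau output (not real data).
SAMPLE = """
https://target.example/api/v1/users?id=12&debug=1
https://target.example/api/v1/users?userId=7&fields=email
https://target.example/search?q=test&callback=cb#/app?expand=profile
https://target.example/search?q=x&q=y&next=%2Fhome
https://cdn.target.example/static/app.js
not a url
"""

if __name__ == "__main__":
    hosts = mine(SAMPLE.splitlines())
    print(wordlist(hosts, "target.example", base=["debug", "format", "admin"]))
```

Write the returned list one name per line and pass that file to Arjun as the wordlist for that host.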
Arjun for active discovery
- arjun -u https://target.com/api/v1/users with your custom wordlist
- Use --stable when the response varies between identical requests
- Run on POST endpoints too, not just GET, with -m POST
- Save output per endpoint so you can compare runs
Where hidden params pay off
- debug, test, admin, internal, role flags that bypass checks
- userId, accountId, ownerId variants that expose IDOR
- url, redirect, next, callback that expose SSRF or open redirect
- format, output, type that switch parsers and reveal stacks
- include, fields, expand that pull extra data into responses
Test methodically
Once you have candidates, fire each against the endpoint with a probe value. For IDOR candidates, pass another user's ID. For SSRF candidates, pass a controlled host. For role flags, pass true. Watch for response changes in body, status, or headers.
Stats from real programs
Common mistakes
- Running Arjun without --stable on chatty endpoints
- Using only the default wordlist on a domain-specific target
- Forgetting to test POST and PUT, not just GET
- Reporting reflected param names as XSS without checking sanitization
Hidden parameters are the cheapest path from boring endpoint to high severity bug. Mine them on every fresh target.
Wire it in
Add parameter mining as a phase after content discovery and before active fuzzing. For every endpoint that returns a non-error response, kick off Arjun with your tuned list. The cost is low. The payoff is steady.