Arjun is a web application security tool that helps find query parameters for URL endpoints. Query parameters are where an attacker hunts for various vulnerabilities, for example XSS (Cross-Site Scripting), SQL Injection, LFI and RFI. With the help of this tool, you can find out which parameters are worth testing for vulnerabilities, and then try payloads on those parameters.
Consider the following example of how parameters (or queries) are used in web applications to accept user input. Here the parameter is id:
http://www.hackhunt.in/userinfo?id=92577488
Explanation: a parameter called admin, whenever set to true, could cause the endpoint to return extra information about a user when the URL is accessed. So we need to identify these kinds of valid HTTP arguments, and this is exactly what Arjun does.
Installation
There are two ways to install the Arjun tool on a Kali Linux system:
- One: the tool is available from the pip repository, and on Kali it is already installed on the machine.
[Image: Already installed on the machine]
- Two: clone it from GitHub with the command: git clone https://github.com/s0md3v/Arjun.git
[Image: via GitHub Repository]
- To install from the cloned repository, run: sudo python3 setup.py install
[Image: Manual Installation]
- After installing, you can check the tool's capabilities with the --help or -h option: arjun -h
[Image: Help Command / All Options]
- For example, we are taking a vulnerable website called testphp.vulnweb.com. Search for anything in its search box and the parameters will appear in the URL. To run the Arjun tool, it needs a URL with parameters, from which it will find out whether they are vulnerable or not, so copy that URL.
[Image: Get URL with Parameter]
- -u: With this argument you specify the URL. In this scenario:
$ arjun -u http://testphp.vulnweb.com/search.php?test=query
[Image: Search for Parameters]
- The output shows that the goButton and searchFor inputs are reflected. So from the attacker's point of view these parameters are not sanitized, and we can try any payload; in this case a basic XSS payload: <script>alert("HackHunt")</script>
- We can try the above payload in the search box.
[Image: Basic XSS Payload]
If the XSS payload executes, this parameter is vulnerable. Similarly, you can find parameters with the help of this tool and then hunt with payloads.
Now, the remaining options:
- -t: This argument sets the number of threads.
- -c: This argument sets the chunk size. Arjun chooses a chunk size by default, but with this argument we can reduce or increase it.
- --stable: This argument prefers stability over speed, because sometimes a faster scan will miss some sensitive information.
If all of these arguments are used together they will give better output, but it will take more time to get a result back.
[Image: Result with the Options]
- After adding some arguments to the search parameter URL, we tried the signup page on the same website (testphp.vulnweb.com) with -t (threads) = 100, and it found more parameters that may be vulnerable, such as uname and pass, along with searchFor and goButton.
[Image: With 100 Threads]
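As an added, defender-side example (not code from the original post or the Arjun project): the -t and -c options above mean a scan arrives as a burst of requests that each carry a chunk of candidate parameter names, which stands out in web server access logs. The script below parses constructed combined-format log lines and flags a client that sends many parameter names to one path in a short window; the sample lines, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache/nginx "combined" format), not real traffic.
# 203.0.113.9 sends two requests that each carry a chunk of candidate parameter names.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?test=query HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?test=query&admin=1&debug=1&id=1&user=1&page=1&q=1&lang=1&token=1&redirect=1&callback=1 HTTP/1.1" 200 530 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search.php?test=query&uname=1&pass=1&email=1&name=1&file=1&path=1&dir=1&url=1&next=1&view=1 HTTP/1.1" 200 530 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /signup.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, timestamp, path, [query parameter names]) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group("target"))
    names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    return m.group("ip"), ts, url.path, names

def find_param_bruteforce(log_text, per_request=8, distinct_total=15, window_s=60):
    """Group requests by (client, path); flag a client whose single request carries
    per_request or more names, or that sends distinct_total or more distinct names
    to one path within window_s seconds. Returns (ip, path, distinct, max_per_req)."""
    stats = defaultdict(lambda: {"names": set(), "first": None, "last": None, "peak": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than crash on them
        ip, ts, path, names = rec
        s = stats[(ip, path)]
        s["names"].update(names)
        s["peak"] = max(s["peak"], len(names))
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    hits = []
    for (ip, path), s in stats.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["peak"] >= per_request or (len(s["names"]) >= distinct_total and span <= window_s):
            hits.append((ip, path, len(s["names"]), s["peak"]))
    return hits
```

Tune per_request to just above the largest parameter count your own application legitimately uses, so normal forms never trip the rule.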
- --passive: This argument helps when no parameter is found by active probing. It still gives output, because it collects possible vulnerable parameter names from passive sources like wayback, gau, otx etc.
[Image: With Passive]
Note: Some arguments have sensible defaults (for example -w, which specifies a wordlist, but by default Arjun uses its own wordlist). So it's better not to change those arguments in most cases, because Arjun already knows how to run with their default values. The help command also shows which arguments have a default and where you have to type something.
We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.