Arjun - HTTP Parameter Discovery Suite

Arjun is a web application security tool that helps find the query parameters accepted by URL endpoints. Query parameters are what an attacker probes when hunting for vulnerabilities such as XSS (Cross-Site Scripting), SQL Injection, LFI and RFI. With the help of this tool you can learn which parameters an endpoint accepts, and then try payloads on those parameters to see whether they are vulnerable.


Consider the following example of how parameters (or queries) are used in web applications to accept user input. Here the parameter is id.

http://www.hackhunt.in/userinfo?id=92577488

Explanation: suppose a parameter named admin, whenever set to true, causes the endpoint to return extra information about a user when the URL is accessed. Such valid but undocumented HTTP arguments need to be identified, and that is exactly what Arjun does.

Installation

There are two ways to install the Arjun tool on a Kali Linux system:
    • One: the tool is available as a pip package (in the screenshot it is already installed on the machine).
    (Screenshot: Already installed on the machine)
    • Two: clone it from GitHub with the command: git clone https://github.com/s0md3v/Arjun.git
    (Screenshot: via GitHub Repository)
    • Then install it from the cloned directory with the command: sudo python3 setup.py install
    (Screenshot: Manual Installation)
    • After installing, you can check the tool's capabilities with the --help or -h flag: arjun -h
    (Screenshot: Help Command / All Options)
    • For example, we take the deliberately vulnerable website testphp.vulnweb.com. Search for anything in its search box and the resulting URL will carry parameters. To run, Arjun needs a URL with parameters, from which it finds further parameters that may be vulnerable, so copy the URL.
    (Screenshot: Get URL with Parameter)
    • -u: With this argument you specify the URL. In this scenario: $ arjun -u http://testphp.vulnweb.com/search.php?test=query
    (Screenshot: Search for Parameters)
    • The output shows that the goButton and searchFor parameters are reflected in the response. From an attacker's point of view this suggests they are not sanitized, so a payload can be tried, for example a basic XSS payload: <script>alert("HackHunt")</script>
    • We can try the above payload in the search box.
    (Screenshot: Basic XSS Payload)
    If the XSS payload executes, the parameter is vulnerable. In the same way you can find parameters with the help of this tool and then hunt with payloads.
    Now, the other arguments:
    • -t: This argument sets the number of threads.
    • -c: This argument sets the chunk size, i.e. how many parameters Arjun tests in one request. Arjun picks a default chunk size, but you can lower or raise it with this argument.
    • --stable: This argument prefers stability over speed, because a faster scan can sometimes miss sensitive information.
    If all of these arguments are used together the output is better, but the scan takes longer to come back.
    (Screenshot: Result with the Options)
    • We also tried the signup page of the same website (testphp.vulnweb.com) with -t 100 (100 threads), and Arjun found more parameters that may be vulnerable, such as uname and pass, along with searchFor and goButton.
    (Screenshot: With 100 Thread)
    • --passive: This argument helps when no parameter is found. Arjun still gives output, because it collects possible parameter names from passive sources such as wayback, gau, otx etc.
    (Screenshot: With Passive)
    Note: Some arguments have sensible defaults (for example -w, which is used for the wordlist, but by default Arjun uses its own wordlist). So it is better not to change those arguments in most cases, because Arjun already knows how to run with its default values. The help output also shows which arguments have a default and where you have to supply a value.
    If you want to know how all the arguments work, refer to this document: https://github.com/s0md3v/Arjun/wiki/Usage
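    Because Arjun packs many guessed names into each request (the -c chunk size) and can send requests quickly (-t threads), such scans stand out in a web server's access log. The following Python script is an added example, not part of this post or of Arjun itself: it parses constructed access-log lines, counts query parameter names that are not in an assumed per-endpoint allow-list, and flags requests that look like parameter discovery; the endpoint, its allow-list and the threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl
# Assumed allow-list of the query parameters each endpoint legitimately accepts.
KNOWN_PARAMS = {"/search.php": {"test", "searchFor", "goButton"}}
# A normal request carries a handful of parameters; more unknown names than this
# in one request is treated as a discovery probe (a chunk of guessed names).
UNKNOWN_THRESHOLD = 20
# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')

def parse_line(line):
    """Split one access-log line into ip, path and the list of query parameter names."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, method, target, status, size = m.groups()
    parts = urlsplit(target)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {"ip": ip, "method": method, "path": parts.path, "params": names,
            "status": int(status), "size": int(size)}

def unknown_params(path, names):
    """Names not in the endpoint's allow-list (an unlisted endpoint counts all of them)."""
    return [n for n in names if n not in KNOWN_PARAMS.get(path, set())]

def find_probes(lines):
    """Return (ip, path, unknown_count) for each request that looks like a parameter probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        unknown = unknown_params(rec["path"], rec["params"])
        if len(unknown) > UNKNOWN_THRESHOLD:
            hits.append((rec["ip"], rec["path"], len(unknown)))
    return hits

def probes_per_ip(lines):
    """Flagged requests per source address, the figure to alert or rate-limit on."""
    return Counter(ip for ip, _, _ in find_probes(lines))

# Constructed sample log: one normal search, then two chunked probes of 250 guessed names each.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?test=query&searchFor=shoes&goButton=go HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search.php?test=query&'
    + "&".join(f"zz{i}=ur7q" for i in range(250)) + ' HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search.php?test=query&'
    + "&".join(f"zz{i}=ur7q" for i in range(250, 500)) + ' HTTP/1.1" 200 5123',
]
```

    Running find_probes(SAMPLE_LOG) flags only the two requests from 203.0.113.9, each with 250 unknown names, while the ordinary search from 198.51.100.7 passes.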
    We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
