The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Last update: Nov 14, 2022

Overview

Hidden parameters discovery suite wrapper

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

Features

Selecting multiple requests from the Proxy or Repeater tab.
Each selected request is executed in a separate thread.
Automatic Issue creation when hidden parameter is found.
HTTP/2 Support.
Requests with detected parameters are visible in the Proxy tab.
Issue is added with severity Information when WAF is detected.
Automatic detection of injection point. If the request body exists, then parameters in URL-Query are ignored.
Custom injectin point can be defined using %s or &%s

Usage

There are four search choices available:
- Small Wordlist (Recommended, 25000 words, 5 threads)
- Large Wordlist (63000 words, 15 threads)
- x8083 - all request will be proxied via port 8083 (for example, you can configure the port in Burp)
- Debug Params - the minimum number of requests to detect only debug parameters and parameters based on response

Test

Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/. There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.

Detected parameters

Acknowledgement

Thanks to Sh1Yo for the wonderful x8 utility. He added special functions into it so that we could write this wrapper. We also spotted some bugs, specifically in HTTP/2, for Burp Suite compatibility. To examine and understand the project in detail, or if you need a command line version, click here.

Follow-up plan

Implementation of a panel for configuring custom proxy
Windows version
Implementation of a choice - 25000 words, 1 thread
Adding to BApp Store

Video

Installation

You need to configure Jython Standalone path in Burp Suite Extender options.
As this is a wrapper, a precompiled binary is used.

Linux

from releases

Burp -> Extender -> ./x8-Burp/linux_x8.py

Windows
- from releases
```
Burp -> Extender -> ./x8-Burp/win_x8.py
```

Extended functionality for Namebase past their web UI

Namebase Extended Extended functionality for Namebase past their web UI.

12 Sep 2, 2022

This repo contains scripts that add functionality to xbar.

xbar-custom-plugins This repo contains scripts that add functionality to xbar. Usage You have to add scripts to xbar plugin folder. If you don't find

1 Jan 10, 2022

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Regex-Reverser This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols. Screenshots Usage/Examples py

0 Jun 2, 2022

Ssma is a tool that helps you collect your badges in a satr platform

satr-statistics-maker ssma is a tool that helps you collect your badges in a satr platform 🎖️ Requirements python = 3.7 Installation first clone the

3 Jan 4, 2022

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

36 Nov 2, 2022

Given tool find related trending keywords of input keyword

blog_generator Given tool find related trending keywords of input keyword (blog_related_to_keyword). Then cretes a mini blog. Currently its customised

2 Nov 30, 2021

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

Decision Tree Writer This package allows you to train a binary classification decision tree on a list of labeled dictionaries or class instances, and

2 Apr 23, 2022

A simple python project that can find Tangkeke in a given image.

A simple python project that can find Tangkeke in a given image. Make the real Tangkeke image as a kernel to convolute the target image. The area wher

1 Dec 8, 2021

scap is a tool for putting code in places and for other purposes

Scap is the deployment script used by Wikimedia Foundation to publish code and configuration on production web servers.

7 Nov 2, 2022

Comments

Multiple Attacks on different targets/end points

hey , first of all thanks for the amazing tool.. it looks good and works fantastic. I have tested it when I run multiple tests it sometimes skip the first one.

so do we have to wait until the small/large wordlist completes on one end point ? or can we run x8 on multiple targets/endpoints at same time ?

Thank you

opened by newfolderj 4

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Related tags

Overview

Hidden parameters discovery suite wrapper

Features

Usage

Test

Detected parameters

Acknowledgement

Follow-up plan

Video

Installation

You might also like...

Extended functionality for Namebase past their web UI

This repo contains scripts that add functionality to xbar.

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Ssma is a tool that helps you collect your badges in a satr platform

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Given tool find related trending keywords of input keyword

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

A simple python project that can find Tangkeke in a given image.

scap is a tool for putting code in places and for other purposes

Comments

Multiple Attacks on different targets/end points

Releases(v0.1.2)

v0.1.2(Jul 21, 2021)

v0.1.1(Jul 20, 2021)

v0.1.0(Jul 18, 2021)

Owner

Data 25 Star Wars Project With Python

Experimental proxy for dumping the unencrypted packet data from Brawl Stars (WIP)

A compilation of useful scripts to automate common tasks

An awesome list of AI for art and design - resources, and popular datasets and how we may apply computer vision tasks to art and design.

Python Control Systems Library

This is a database of 180.000+ symbols containing Equities, ETFs, Funds, Indices, Futures, Options, Currencies, Cryptocurrencies and Money Markets.

Мой первый калькулятор!!!!!!

Huggingface package for the discrete VAE used for DALL-E.

Identify and annotate mutations from genome editing assays.

A Python feed reader library.

An addin for Autodesk Fusion 360 that lets you view your design in a Looking Glass Portrait 3D display

A free website that keeps the people informed about housing and evictions.

Parser for air tickets' price

Think DSP: Digital Signal Processing in Python, by Allen B. Downey.

Magenta: Music and Art Generation with Machine Intelligence

Syarat.ID Source Code - Syarat.ID is a content aggregator website

My repository for the Advent of Code, starting from 2021

Python library for the analysis of dynamic measurements

Streamlit apps done following data professor's course on YouTube

XlvnsScriptTool - Tool for decompilation and compilation of scripts .SDT from the visual novel's engine xlvns