BUG BOUNTY: FIND HIDDEN PARAMETERS
Hey everyone! I hope you all are doing good and hunting bugs. In this article, we are going to learn how to find hidden parameters in web application. I am actually not very active on Medium because me and my friend were creating a platform which aims to provide cybersecurity and web development content. Currently, our platform have account takeover labs(Based on Real World Scenario) so if you are a beginner and want to improve your bug bounty and cybersecurity skills then go ahead and check out our website(All the labs are free of cost). Also, Let me know which bug do you find most difficult to learn!
Why find Hidden Parameters?
Well, The answer is simple: To get more bugs! Let me tell you one of the stories of my findings. So I was hunting on a private program and was frustrated because i wasn’t able to find a single bug with potential impact for almost 3 straight days! It was very frustrating moment for me that’s when i decided to change me methodology a bit. Then I started learning about more and more new stuffs and eventually came to know about finding hidden parameters. I thought “Okay, I think I should give it a try”. And then i found a hidden parameter “menuid” which was vulnerable to XSS! Now there are two main reason why i was able to find that particular xss vulnerability:
- Since the parameter was not visible to all of the hackers, It was left unnoticed by most of them.
- The execution of xss was not very simple. I actually had to brainstorm for 1 hour to find the particular payload.
From here, you can conclude why finding hidden parameter is a win-win situation for you as it can lead to potential vulnerabilities.
Let us take another example. Suppose there is a web application that have the following endpoint:
https://example.com/user/dashboard.jsp?isUser=1
this endpoint basically allows the users to access their dashboard as a normal user. What if there is some other parameters that are also being used like isAdmin or something. For example,
https://example.com/user/dashboard.jsp?isAdmin=1
See? It may allow the user to get admin privileges right? This the reason why finding a hidden parameter can be a huge win for you. Now that we’ve understood why finding parameter is important, Let us discuss how to find them.
HOW TO FIND HIDDEN PARAMETERS?
To find hidden parameters, we can use multiple tools like ParamSpider, Arjun, ParamMiner etc. In this article, we are going to use the tool “Arjun”
Let us install this tool on our Kali Linux machine.
sudo apt install arjun -y
Now that we have arjun installed in our machine, Let us see the features that this tool has to offer
arjun -h
As you can see, there are many features present in the tools. Some of the important ones are:
- -m => Method (GET,POST,PUT)
- -w => For custom wordlist
- — passive => Collect params apart from wordlist(wayback, commoncrawl etc)
- -t => Increase total number of threads(To increase the processing speed of the tool)
- -u => To Specify the URL
Let us try to use this tool from the above information on http://testphp.vulnweb.com/artists.php
arjun -u http://testphp.vulnweb.com/artists.php -m GET
As we can see, We got 3 parameters from arjun! Now we can test these parameters for further vulnerabilities.
If you are curious, then feel free to check out this video of mine where I've used arjun find cross site scripting on live website
CONCLUSION
I hope you all have understood how we can find hidden parameters in a web application. Feel free to ask your doubts in the comment section and don’t forget to visit BePractical if you want to learn more about cybersecurity and bug bounty.
Join our telegram channel over here
