قالب وردپرس درنا توس
Home / Tips and Tricks / How to detect hidden HTTP parameters to find web app weaknesses «Null Byte :: WonderHowTo

How to detect hidden HTTP parameters to find web app weaknesses «Null Byte :: WonderHowTo



Hacking web applications can sometimes be challenging due to the large amount of moving parts they possess. At the core of these apps are HTTP requests and parameters, but these things are often hidden from the user for security reasons, convenience or both. However, a tool called Arjun can be used to detect hidden HTTP parameters in web apps.

HTTP parameters, sometimes called query strings, are the part of a URL that takes user input and forwards it to the web app. A typical example will look like:

  http://example.com/name?id=1 

When the server receives the request, it will process the query and return a name with the ID. For example, in web forms, several fields will be submitted as the query string. It usually looks like this:

  http://example.com/form?field1
=v1&field2=v2

In some cases, some of these parameters may be hidden from view. For example, if a hidden parameter from admin was set to True there may be another functionality than for a regular user.

Arjun is a command-line tool that finds hidden HTTP parameters with a glossary of parameter names. It has multiple threads, speed limit management and allows you to add custom headers to requests. It also supports GET, POST and JSON methods, making it a valuable resource for searching web applications.

Download and install

We will use Metasploitable 2 as a target and Kali Linux as our local machine, but you can use what you are comfortable with when you come along.

The first thing we need to do is download Arjun from GitHub. We can easily clone a copy of the repository with the command git clone :

  ~ # git clone https://github.com/s0md3v/Arjun

Cloning to & # 39; Arjun & # 39; ...
remote control: List items: 226, ready.
remote control: Total 226 (delta 0), recycled 0 (delta 0), reused 226
Receiving items: 100% (226/226), 159.03 KiB | 1024.00 KiB / s, clear.
Loose deltas: 100% (104/104), done. 

Now you just switch to the new directory with cd :

  ~ # cd Arjun / 

And we can list the contents with the command ls :

  ~ / Arjun # ls

arjun.py CHANGELOG.md core db LICENSE README.md 

Arjun needs Python version 3.4 or higher to work properly, and we can see if it is installed on our system with the command as : [19659003] ~ / Arjun # which python3

/ usr / bin / python3

And we can check the version number with the switch -V :

  ~ / Arjun # python3 -V

Python 3.7.5rc1 

If Python 3.4 or higher is not in our system, we can install it through the package manager:

  ~ / Arjun # apt-get install python3 

That should be all we need to get started.

Arjun in Action

It is always a good idea to check the help menu when confronted with a new tool. Use the -h flag to view Arjun's help and optional arguments:

  ~ / Arjun # python3 arjun.py -h
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

use: arjun.py [-h] [-u URL] [-o OUTPUT_FILE] [-d DELAY] [-t THREADS]
                [-f WORDLIST] [--urls URL_FILE] [--get] [--post]
                [--headers [HEADERS]] [--json] [--stable] [--include INCLUDE]

  optional arguments:
-h, --help show this help message and exit
-u URL
-o OUTPUT_FILE path for the output file
-d DELAY delay
-t THREADS number of threads
-f WORDLIST dictionary path
--URL URL_FILE file containing landing pages
- use used method
- post using the post method
- headers [HEADERS] add headers
--json treat mail data like json
- Stable prefers stability over speed
- Include INCLUDE include this data in each request 

The most basic way to run the tool is by entering a valid URL – use the -u flag to do so:

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters
[+] Heuristic found a potential post parameter: phpMyAdmin
[!] Prioritize it
[+] Heuristic found a potential post-parameter: db
[!] Prioritize it
[+] Heuristic found a potential post-parameter: table
[!] Prioritize it
[+] Heuristic found a potential post parameter: long
[!] Prioritize it
[+] Heuristic found a potential post parameter: convcharset
[!] Prioritize it
[+] Heuristic found a potential mail parameter: token
[!] Prioritize it
[+] Heuristic found a potential post parameter: pma_username
[!] Prioritize it
[+] Heuristic found a potential mail parameter: pma_password
[!] Prioritize it
[+] Heuristic found a potential mail parameter: server
[!] Prioritize it
[~] Perform heuristic level checks
[!] Scanning completed
[+] Valid parameter found: db
[+] Valid parameter found: phpMyAdmin
[+] Valid parameter found: table
[+] Valid parameter found: target
[+] Valid parameter found: GLOBALS
[+] Valid parameter found: pma_username 

We can see that it starts parsing the page and looks for any HTTP parameters that may be hidden. It finds some valid and gives us the results at the bottom.

We can also specify the type of request data to use. For example, to search for GET parameters, just add – get the option :

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ --get
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

To search for POST parameters, use the option – record :

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ - post
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

And to search for JSON parameters, use the option – json :

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ - -json
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

We can also provide Arjun with a list of multiple URLs to be used instead of just one. Use the flag – urls followed by the name of the file containing the list of URLs:

  ~ / Arjun # python3 arjun.py - urls urls.txt
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Scanning: http://10.10.0.50/phpMyAdmin/
[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

Similarly, we can use our own dictionary containing custom parameter names instead of the standard used by Arjun. Use the flag -f followed by the name of the custom dictionary:

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ -f parameters.txt
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

Arjun allows us to set the number of threads to be used as well, by default there are two. Use the switch -t followed by the number of wires you want:

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ -t 16
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

We can also set the delay between requests with the flag -d :

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ - d 5
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

For particularly tricky targets we can use the option – stable which sets the number of threads to 1 and the delay to a random number of seconds between 6 and 12: [19659003] ~ / Arjun # python3 arjun. py -u http://10.10.0.50/phpMyAdmin/ – stable
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

Arjun makes it easy to save the results in JSON format – just use the switch -o followed by the name of the output file:

  ~ / Arjun # python3 arjun.py -u http: //10.10.0.50/phpMyAdmin/ -o results.json
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters
[+] Heuristic found a potential post parameter: phpMyAdmin
[!] Prioritize it
[+] Heuristic found a potential post-parameter: db
[!] Prioritize it
[+] Heuristic found a potential post-parameter: table
[!] Prioritize it
[+] Heuristic found a potential post parameter: long
[!] Prioritize it
[+] Heuristic found a potential post parameter: convcharset
[!] Prioritize it
[+] Heuristic found a potential mail parameter: token
[!] Prioritize it
[+] Heuristic found a potential post parameter: pma_username
[!] Prioritize it
[+] Heuristic found a potential mail parameter: pma_password
[!] Prioritize it
[+] Heuristic found a potential mail parameter: server
[!] Prioritize it
[~] Perform heuristic level checks
[!] Scanning completed
[+] Valid parameter found: GLOBALS
[+] Valid parameter found: db
[+] Valid parameter found: phpMyAdmin
[+] Valid parameter found: table
[+] Valid parameter found: target
[+] Valid parameter found: pma_username
[!] Save output to JSON file in results.json 

Another handy feature is the ability to include specific data to be sent with each request. Use the option – include with the data string to be sent in quotation:

  ~ / Arjun # python3 arjun.py -u http://10.10.0.50/phpMyAdmin/ --include & # 39; data = test & # 39;
_
/ _ | _ & # 39;
(| /// (//) v1.6
_ /

[~] Analyze the content of the web page
[~] Analyze behavior for a non-existent parameter
[!] Reflections: 0
[!] Response code: 200
[!] Content Length: 4145
[!] Plain text Length: 474
[~] Pairing web page for potential parameters

... 

We can also use the option – headers which allows us to send header information with request:

  ~ / Arjun # python3 arjun.py -u http: / / 10.10.0.50/ phpMyAdmin / - headers 

It will open a text editor (nano by default), so we can paste all headers directly into:

  GNU nano 4.5 / tmp / tmptvwpv4kd
Host: EXAMPLE
Accept: TEST
Refer: https://www.google.com 

The default editor can be changed in /core/prompt.py to any editor.

Wrapping Up

Today we learned a little about HTTP parameters and how they can sometimes be hidden from normal view. Arjun is a tool that can be used to expose these hidden parameters, leading to increased visibility of a web app's attack surface. We explored the tool and some of its options, including the ability to use different query methods, custom threading and delay, persistent request data, and more. Arjun is a nice little tool that anyone who seriously attacks web applications can take advantage of.

Want to start making money as a white hat hacker? Get started on your White-Hat Hacking career with our Premium Premium Ethical Hacking Certification Training Bundle from the new Null Byte store and get over 60 hours of training from Ethical Hacking Professionals.

Buy now (96% discount)>

Cover image of drd_ / Null Byte

Source link