The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Last update: Nov 14, 2022

Overview

Hidden parameters discovery suite wrapper

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

Features

Selecting multiple requests from the Proxy or Repeater tab.
Each selected request is executed in a separate thread.
Automatic Issue creation when hidden parameter is found.
HTTP/2 Support.
Requests with detected parameters are visible in the Proxy tab.
Issue is added with severity Information when WAF is detected.
Automatic detection of injection point. If the request body exists, then parameters in URL-Query are ignored.
Custom injectin point can be defined using %s or &%s

Usage

There are four search choices available:
- Small Wordlist (Recommended, 25000 words, 5 threads)
- Large Wordlist (63000 words, 15 threads)
- x8083 - all request will be proxied via port 8083 (for example, you can configure the port in Burp)
- Debug Params - the minimum number of requests to detect only debug parameters and parameters based on response

Test

Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/. There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.

Detected parameters

Acknowledgement

Thanks to Sh1Yo for the wonderful x8 utility. He added special functions into it so that we could write this wrapper. We also spotted some bugs, specifically in HTTP/2, for Burp Suite compatibility. To examine and understand the project in detail, or if you need a command line version, click here.

Follow-up plan

Implementation of a panel for configuring custom proxy
Windows version
Implementation of a choice - 25000 words, 1 thread
Adding to BApp Store

Video

Installation

You need to configure Jython Standalone path in Burp Suite Extender options.
As this is a wrapper, a precompiled binary is used.

Linux

from releases

Burp -> Extender -> ./x8-Burp/linux_x8.py

Windows
- from releases
```
Burp -> Extender -> ./x8-Burp/win_x8.py
```

Extended functionality for Namebase past their web UI

Namebase Extended Extended functionality for Namebase past their web UI.

12 Sep 2, 2022

This repo contains scripts that add functionality to xbar.

xbar-custom-plugins This repo contains scripts that add functionality to xbar. Usage You have to add scripts to xbar plugin folder. If you don't find

1 Jan 10, 2022

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Regex-Reverser This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols. Screenshots Usage/Examples py

0 Jun 2, 2022

Ssma is a tool that helps you collect your badges in a satr platform

satr-statistics-maker ssma is a tool that helps you collect your badges in a satr platform 🎖️ Requirements python = 3.7 Installation first clone the

3 Jan 4, 2022

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

36 Nov 2, 2022

Given tool find related trending keywords of input keyword

blog_generator Given tool find related trending keywords of input keyword (blog_related_to_keyword). Then cretes a mini blog. Currently its customised

2 Nov 30, 2021

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

Decision Tree Writer This package allows you to train a binary classification decision tree on a list of labeled dictionaries or class instances, and

2 Apr 23, 2022

A simple python project that can find Tangkeke in a given image.

A simple python project that can find Tangkeke in a given image. Make the real Tangkeke image as a kernel to convolute the target image. The area wher

1 Dec 8, 2021

scap is a tool for putting code in places and for other purposes

Scap is the deployment script used by Wikimedia Foundation to publish code and configuration on production web servers.

7 Nov 2, 2022

Comments

Multiple Attacks on different targets/end points

hey , first of all thanks for the amazing tool.. it looks good and works fantastic. I have tested it when I run multiple tests it sometimes skip the first one.

so do we have to wait until the small/large wordlist completes on one end point ? or can we run x8 on multiple targets/endpoints at same time ?

Thank you

opened by newfolderj 4

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Related tags

Overview

Hidden parameters discovery suite wrapper

Features

Usage

Test

Detected parameters

Acknowledgement

Follow-up plan

Video

Installation

You might also like...

Extended functionality for Namebase past their web UI

This repo contains scripts that add functionality to xbar.

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Ssma is a tool that helps you collect your badges in a satr platform

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Given tool find related trending keywords of input keyword

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

A simple python project that can find Tangkeke in a given image.

scap is a tool for putting code in places and for other purposes

Comments

Multiple Attacks on different targets/end points

Releases(v0.1.2)

v0.1.2(Jul 21, 2021)

v0.1.1(Jul 20, 2021)

v0.1.0(Jul 18, 2021)

Owner

Security-related flags and options for C compilers

Takes output from RedLime's SpeedRunIGT mod (igt_timer.log) to get the top run retime as per the rules in speedrun.com/mc as well as generating a new file which is a copy of igt_timer.log which specifies what type of pause each one was.

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Performance data for WASM SIMD instructions.

E5自动续期

Unofficial package for fetching users information based on National ID Number (Tanzania)

Mengzhan (John) code for Closed Loop Control system of Sharp Wave Ripples in Hippocampus CA3 region

Voldemort's Python import helper

Design-by-contract in Python3 with informative violation messages and inheritance

Rock 💎 Paper 📝 Scissors ✂️ Lizard 🦎 Spock 🖖

A simple script that shows important photography times. written in python.

Oppia is an online learning tool that enables anyone to easily create and share interactive activities

The most widely used Python to C compiler

Python language from the beginning.

pyForgeCert is a Python equivalent of the original ForgeCert written in C#.

Just a little benchmark for scrapper PC's

PyCASCLib: CASC interface for Warcraft III

In this project we will implement AirBnB clone using console

A Python Based Utility for Processing GST-Return JSON Files to Multiple Formats

Python script for changing the SSH banner content with other content