The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Last update: Nov 14, 2022

Overview

Hidden parameters discovery suite wrapper

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

Features

Selecting multiple requests from the Proxy or Repeater tab.
Each selected request is executed in a separate thread.
Automatic Issue creation when hidden parameter is found.
HTTP/2 Support.
Requests with detected parameters are visible in the Proxy tab.
Issue is added with severity Information when WAF is detected.
Automatic detection of injection point. If the request body exists, then parameters in URL-Query are ignored.
Custom injectin point can be defined using %s or &%s

Usage

There are four search choices available:
- Small Wordlist (Recommended, 25000 words, 5 threads)
- Large Wordlist (63000 words, 15 threads)
- x8083 - all request will be proxied via port 8083 (for example, you can configure the port in Burp)
- Debug Params - the minimum number of requests to detect only debug parameters and parameters based on response

Test

Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/. There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.

Detected parameters

Acknowledgement

Thanks to Sh1Yo for the wonderful x8 utility. He added special functions into it so that we could write this wrapper. We also spotted some bugs, specifically in HTTP/2, for Burp Suite compatibility. To examine and understand the project in detail, or if you need a command line version, click here.

Follow-up plan

Implementation of a panel for configuring custom proxy
Windows version
Implementation of a choice - 25000 words, 1 thread
Adding to BApp Store

Video

Installation

You need to configure Jython Standalone path in Burp Suite Extender options.
As this is a wrapper, a precompiled binary is used.

Linux

from releases

Burp -> Extender -> ./x8-Burp/linux_x8.py

Windows
- from releases
```
Burp -> Extender -> ./x8-Burp/win_x8.py
```

Extended functionality for Namebase past their web UI

Namebase Extended Extended functionality for Namebase past their web UI.

12 Sep 2, 2022

This repo contains scripts that add functionality to xbar.

xbar-custom-plugins This repo contains scripts that add functionality to xbar. Usage You have to add scripts to xbar plugin folder. If you don't find

1 Jan 10, 2022

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Regex-Reverser This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols. Screenshots Usage/Examples py

0 Jun 2, 2022

Ssma is a tool that helps you collect your badges in a satr platform

satr-statistics-maker ssma is a tool that helps you collect your badges in a satr platform 🎖️ Requirements python = 3.7 Installation first clone the

3 Jan 4, 2022

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

36 Nov 2, 2022

Given tool find related trending keywords of input keyword

blog_generator Given tool find related trending keywords of input keyword (blog_related_to_keyword). Then cretes a mini blog. Currently its customised

2 Nov 30, 2021

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

Decision Tree Writer This package allows you to train a binary classification decision tree on a list of labeled dictionaries or class instances, and

2 Apr 23, 2022

A simple python project that can find Tangkeke in a given image.

A simple python project that can find Tangkeke in a given image. Make the real Tangkeke image as a kernel to convolute the target image. The area wher

1 Dec 8, 2021

scap is a tool for putting code in places and for other purposes

Scap is the deployment script used by Wikimedia Foundation to publish code and configuration on production web servers.

7 Nov 2, 2022

Comments

Multiple Attacks on different targets/end points

hey , first of all thanks for the amazing tool.. it looks good and works fantastic. I have tested it when I run multiple tests it sometimes skip the first one.

so do we have to wait until the small/large wordlist completes on one end point ? or can we run x8 on multiple targets/endpoints at same time ?

Thank you

opened by newfolderj 4

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Related tags

Overview

Hidden parameters discovery suite wrapper

Features

Usage

Test

Detected parameters

Acknowledgement

Follow-up plan

Video

Installation

You might also like...

Extended functionality for Namebase past their web UI

This repo contains scripts that add functionality to xbar.

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Ssma is a tool that helps you collect your badges in a satr platform

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Given tool find related trending keywords of input keyword

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

A simple python project that can find Tangkeke in a given image.

scap is a tool for putting code in places and for other purposes

Comments

Multiple Attacks on different targets/end points

Releases(v0.1.2)

v0.1.2(Jul 21, 2021)

v0.1.1(Jul 20, 2021)

v0.1.0(Jul 18, 2021)

Owner

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

This repo holds custom callback plugin, so your Ansible could write everything in the PostgreSQL database.

oracle arm registration script.

30DaysOfCode-PhoenixClub - Solution of everyday coding problem given in 30DaysofCode contest held on Hackerrank

Generates Windows 95 and 95 OEM keys using the modulus 7 check algorithm

Unified Distributed Execution

Este projeto se trata de uma análise de campanhas de marketing de uma empresa que vende acessórios para veículos.

JupyterLite as a Datasette plugin

What Do Deep Nets Learn? Class-wise Patterns Revealed in the Input Space

Repositório do programa ConstruDelas - Trilha Python - Módulos 1 e 2

Python tools for working with Orbit Ephemeris Messages (OEMs).

An implementation to rank your favourite songs from World of Walker

Irrigation Component V4 providing support for a custom card

Python library for creating PEG parsers

Yet another Python Implementation of the Elo rating system.

Bootstraparse is a personal project started with a specific goal in mind: creating static html pages for direct display from a markdown-like file

Tool for running a high throughput data ingestion/transformation workload with MongoDB

Yakuake session management

原神抽卡记录导出

A compilation of useful scripts to automate common tasks