The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Last update: Nov 14, 2022

Overview

Hidden parameters discovery suite wrapper

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.

Features

Selecting multiple requests from the Proxy or Repeater tab.
Each selected request is executed in a separate thread.
Automatic Issue creation when hidden parameter is found.
HTTP/2 Support.
Requests with detected parameters are visible in the Proxy tab.
Issue is added with severity Information when WAF is detected.
Automatic detection of injection point. If the request body exists, then parameters in URL-Query are ignored.
Custom injectin point can be defined using %s or &%s

Usage

There are four search choices available:
- Small Wordlist (Recommended, 25000 words, 5 threads)
- Large Wordlist (63000 words, 15 threads)
- x8083 - all request will be proxied via port 8083 (for example, you can configure the port in Burp)
- Debug Params - the minimum number of requests to detect only debug parameters and parameters based on response

Test

Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/. There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.

Detected parameters

Acknowledgement

Thanks to Sh1Yo for the wonderful x8 utility. He added special functions into it so that we could write this wrapper. We also spotted some bugs, specifically in HTTP/2, for Burp Suite compatibility. To examine and understand the project in detail, or if you need a command line version, click here.

Follow-up plan

Implementation of a panel for configuring custom proxy
Windows version
Implementation of a choice - 25000 words, 1 thread
Adding to BApp Store

Video

Installation

You need to configure Jython Standalone path in Burp Suite Extender options.
As this is a wrapper, a precompiled binary is used.

Linux

from releases

Burp -> Extender -> ./x8-Burp/linux_x8.py

Windows
- from releases
```
Burp -> Extender -> ./x8-Burp/win_x8.py
```

Extended functionality for Namebase past their web UI

Namebase Extended Extended functionality for Namebase past their web UI.

12 Sep 2, 2022

This repo contains scripts that add functionality to xbar.

xbar-custom-plugins This repo contains scripts that add functionality to xbar. Usage You have to add scripts to xbar plugin folder. If you don't find

1 Jan 10, 2022

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Regex-Reverser This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols. Screenshots Usage/Examples py

0 Jun 2, 2022

Ssma is a tool that helps you collect your badges in a satr platform

satr-statistics-maker ssma is a tool that helps you collect your badges in a satr platform 🎖️ Requirements python = 3.7 Installation first clone the

3 Jan 4, 2022

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

36 Nov 2, 2022

Given tool find related trending keywords of input keyword

blog_generator Given tool find related trending keywords of input keyword (blog_related_to_keyword). Then cretes a mini blog. Currently its customised

2 Nov 30, 2021

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

Decision Tree Writer This package allows you to train a binary classification decision tree on a list of labeled dictionaries or class instances, and

2 Apr 23, 2022

A simple python project that can find Tangkeke in a given image.

A simple python project that can find Tangkeke in a given image. Make the real Tangkeke image as a kernel to convolute the target image. The area wher

1 Dec 8, 2021

scap is a tool for putting code in places and for other purposes

Scap is the deployment script used by Wikimedia Foundation to publish code and configuration on production web servers.

7 Nov 2, 2022

Comments

Multiple Attacks on different targets/end points

hey , first of all thanks for the amazing tool.. it looks good and works fantastic. I have tested it when I run multiple tests it sometimes skip the first one.

so do we have to wait until the small/large wordlist completes on one end point ? or can we run x8 on multiple targets/endpoints at same time ?

Thank you

opened by newfolderj 4

The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss.

Related tags

Overview

Hidden parameters discovery suite wrapper

Features

Usage

Test

Detected parameters

Acknowledgement

Follow-up plan

Video

Installation

You might also like...

Extended functionality for Namebase past their web UI

This repo contains scripts that add functionality to xbar.

This tool helps you to reverse any regex and gives you the opposite/allowed Letters,numerics and symbols.

Ssma is a tool that helps you collect your badges in a satr platform

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Given tool find related trending keywords of input keyword

PyPI package for scaffolding out code for decision tree models that can learn to find relationships between the attributes of an object.

A simple python project that can find Tangkeke in a given image.

scap is a tool for putting code in places and for other purposes

Comments

Multiple Attacks on different targets/end points

Releases(v0.1.2)

v0.1.2(Jul 21, 2021)

v0.1.1(Jul 20, 2021)

v0.1.0(Jul 18, 2021)

Owner

Statistics Calculator module for all types of Stats calculations.

Criando um jogo de naves espaciais com Pygame. Para iniciantes em Python

Creates infinite amount of guilded accounts in seconds.

Edorado93 - Unraveling a Rockstar! -- Too much? Fine, Unraveling a humble programmer then?

Performance data for WASM SIMD instructions.

🌌A Python library to exhaustively enumerate a combinatorial space represented by a function

A command-line utility that creates projects from cookiecutters (project templates), e.g. Python package projects, VueJS projects.

Streamlit component to display topics from Streamlit's community forum related to any exception.

Python communism - A module for initiating the communist revolution in each of our python modules

This is the code of Python enthusiasts collection and written.

This repository contains Python Projects for Beginners as well as for Intermediate Developers built by Contributors.

A discord group chat creator just made it because i saw people selling this stuff for like up to 40 bucks

inverted pendulum fuzzy control python code (python 2.7.18)

Openfe - Alchemical free energy calculations for the masses

An awesome script to convert the University Of Oviedo web calendar to Google or Outlook calendars.

A simple program to recolour simple png icon-like pictures with just one colour + transparent or white background. Resulting images all have transparent background and a new colour.

Back-end API for the reternal framework

Script that creates graphical representations of Julia an Mandelbrot sets.

Tugas kelompok Struktur Data

A simple project which is a ecm to found a good way to provide a path to img_dir in gooey