_ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \
( A | r | j | u | n | _ | > )
\_/ \_/ \_/ \_/ \_/ \_/ \_/
|
+--> [?] id=...
+--> [?] debug=true
+--> [?] admin=...
+--> [?] user_id=...
Core Function: Arjun is an HTTP parameter discovery suite designed to find valid query parameters for URL endpoints, including those that are not immediately obvious or linked within the application's front end.
Primary Use-Cases:
Hidden Functionality Discovery: Uncovering administrative or debug parameters that expose sensitive features.
Vulnerability Identification: Finding parameters that may be vulnerable to attacks like SQL Injection, Cross-Site Scripting (XSS), or Insecure Direct Object References (IDOR).
API Endpoint Analysis: Mapping the full attack surface of an API by identifying all accepted input parameters.
Web Application Footprinting: Gaining a deeper understanding of an application's backend logic and data handling.
Penetration Testing Phase: Information Gathering & Configuration Management Testing.
Brief History: Arjun was developed by s0md3v to automate the tedious and often-overlooked task of parameter brute-forcing. It employs a highly efficient method to test a large dictionary of parameter names with a minimal number of requests, making it a staple in modern web application security testing toolkits.
Before deployment, an operator must verify that the tool is correctly installed and accessible. These initial steps ensure that the operational environment is ready for a full engagement.
This command checks the package manager's database to see if Arjun is installed and provides details about the available version.
Command:
Bash
apt show arjun
Ethical Context & Use-Case: This is a preliminary reconnaissance step on your own testing machine. Before running any tool, it's crucial to confirm its presence and version to ensure you are using the intended software and to understand its dependencies and installed size.
--> Expected Output:
Package: arjun Version: 2.2.7 Priority: optional Section: net Maintainer: s0md3v <s0md3v@gmail.com> Installed-Size: 348 kB Depends: python3, python3:any Homepage: https://github.com/s0md3v/Arjun Download-Size: 66.8 kB APT-Sources: http://http.kali.org/kali kali-rolling/main amd64 Packages Description: HTTP parameter discovery suite Arjun can find query parameters for URL endpoints. Web applications use parameters (or queries) to accept user input, take the following example into consideration. http://api.example.com/v1/userinfo?id=751634589 This URL seems to load user information for a specific user id, but what if there exists a parameter named admin which when set to True makes the endpoint provide more information about the user? This is what Arjun does, it finds valid HTTP parameters with a huge default dictionary of 25,890 parameter names.
This command uses the Advanced Package Tool (APT) with superuser privileges to download and install Arjun from the configured repositories.
Command:
Bash
sudo apt install arjun
Ethical Context & Use-Case: This is the standard procedure for provisioning your authorized testing environment. Ensuring your toolkit is properly installed is a fundamental aspect of professional penetration testing operations. You must have administrative rights on your machine to perform this action.
--> Expected Output:
Reading package lists... Done Building dependency tree... Done Reading state information... Done The following NEW packages will be installed: arjun 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 66.8 kB of archives. After this operation, 348 kB of additional disk space will be used. Get:1 http://http.kali.org/kali kali-rolling/main amd64 arjun all 2.2.7 [66.8 kB] Fetched 66.8 kB in 1s (88.9 kB/s) Selecting previously unselected package arjun. (Reading database ... 312543 files and directories currently installed.) Preparing to unpack .../arjun_2.2.7_all.deb ... Unpacking arjun (2.2.7) ... Setting up arjun (2.2.7) ...
This command invokes Arjun with the help flag, which provides a comprehensive list of all available options, flags, and their descriptions.
Command:
Bash
arjun -h
Ethical Context & Use-Case: Viewing the help menu is the most critical first step when learning a new tool. It provides a complete tactical overview of the tool's capabilities, syntax, and default settings. This should always be done before targeting any system, even one you have permission to test, to ensure you understand the full impact of the commands you will execute.
--> Expected Output:
usage: arjun [-h] [-u URL] [-o JSON_FILE] [-oT TEXT_FILE] [-oB [BURP_PROXY]]
[-d DELAY] [-t THREADS] [-w WORDLIST] [-m METHOD]
[--import [IMPORT_FILE]] [-T TIMEOUT] [-c CHUNKS] [-q]
[--rate-limit RATE_LIMIT] [--headers [HEADERS]]
[--passive [PASSIVE]] [--stable] [--include INCLUDE]
[--disable-redirects] [--casing CASING]
options:
-h, --help show this help message and exit
-u URL Target URL
-oJ JSON_FILE, --output-json JSON_FILE
Path for json output file.
-oT TEXT_FILE, --output-text TEXT_FILE
Path for text output file.
-oB [BURP_PROXY], --output-burp [BURP_PROXY]
Output to Burp Suite Proxy. Default is 127.0.0.1:8080.
-d DELAY, --delay DELAY
Delay between requests in seconds. (default: 0)
-t THREADS, --threads THREADS
Number of concurrent threads. (default: 5)
-w WORDLIST, --wordlist WORDLIST
Wordlist file path. (default: {arjundir}/db/large.txt)
-m METHOD, --method METHOD
Request method to use: GET/POST/XML/JSON. (default: GET)
-i [IMPORT_FILE], --import [IMPORT_FILE]
Import target URLs from file.
-T TIMEOUT, --timeout TIMEOUT
HTTP request timeout in seconds. (default: 15)
-c CHUNKS, --chunks CHUNKS
Chunk size. The number of parameters to be sent at
once
-q, --quiet Quiet mode. No output.
--rate-limit RATE_LIMIT
Max number of requests to be sent out per second
(default: 9999)
--headers [HEADERS] Add headers. Separate multiple headers with a new
line.
--passive [PASSIVE] Collect parameter names from passive sources like
wayback, commoncrawl and otx.
--stable Prefer stability over speed.
--include INCLUDE Include this data in every request.
--disable-redirects disable redirects
--casing CASING casing style for params e.g. like_this, likeThis,
likethis
The following section details the operational use of Arjun, from basic scans to advanced, customized discovery techniques. Each example is presented with a clear objective and context for ethical application. All tests must be conducted on systems you own or have explicit, written permission to assess.
Objective 1: Basic GET Parameter Discovery Command:
Bash
arjun -u "http://testphp.vulnweb.com/listproducts.php?cat=1"
Command Breakdown:
arjun: The executable binary.
-u "http://testphp.vulnweb.com/listproducts.php?cat=1": Specifies the target URL. Arjun will use this endpoint to test for additional parameters.
Ethical Context & Use-Case: This is the most fundamental command. A penetration tester would use this to probe an endpoint that is already known to accept at least one parameter (cat). The goal is to discover if other, unlinked parameters (e.g., debug, show_all, user_id) exist that might alter the page's response or behavior.
--> Expected Output:
[*] Arjun v2.2.7 starting
[*] Probing the target for stability
[*] Target is stable
[*] Scanning http://testphp.vulnweb.com/listproducts.php?cat=1
[*] Polling 25890 parameters
...
[*] Found 3 parameters
[+] cat
[+] artist
[+] album
[*] Scan completed in 8.32 seconds
[*] Results:
{
"http://testphp.vulnweb.com/listproducts.php": {
"method": "GET",
"params": [
"cat",
"artist",
"album"
],
"params_GET": [
"cat",
"artist",
"album"
],
"params_POST": []
}
}
Objective 2: Basic POST Parameter Discovery Command:
Bash
arjun -u "http://testphp.vulnweb.com/login.php" -m POST
Command Breakdown:
-u "http://testphp.vulnweb.com/login.php": Specifies the target URL, typically a form submission endpoint.
-m POST: Sets the HTTP request method to POST.
Ethical Context & Use-Case: Many sensitive actions, like logins or data submissions, use the POST method. This command is used to find undocumented parameters on these endpoints. For example, a developer might have left a debug_mode or bypass_auth parameter that is not present in the visible HTML form.
--> Expected Output:
[*] Arjun v2.2.7 starting
[*] Probing the target for stability
[*] Target is stable
[*] Scanning http://testphp.vulnweb.com/login.php
[*] Polling 25890 parameters
...
[*] Found 2 parameters
[+] uname
[+] pass
[*] Scan completed in 7.91 seconds
[*] Results:
{
"http://testphp.vulnweb.com/login.php": {
"method": "POST",
"params": [
"uname",
"pass"
],
"params_GET": [],
"params_POST": [
"uname",
"pass"
]
}
}
Objective 3: Scanning with JSON POST Data Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/user/create" -m JSON
Command Breakdown:
-u "https://api.authorized-testing.com/v1/user/create": Specifies the target API endpoint.
-m JSON: Sets the method to POST and the Content-Type header to application/json.
Ethical Context & Use-Case: Modern web applications, especially those with front-end frameworks like React or Angular, heavily rely on JSON-based APIs. This command is crucial for testing these endpoints to discover hidden parameters like isAdmin, role, or plan_type that could lead to privilege escalation if manipulated.
--> Expected Output:
[*] Arjun v2.2.7 starting
[*] Probing the target for stability
[*] Target is stable
[*] Scanning https://api.authorized-testing.com/v1/user/create
[*] Polling 25890 parameters
...
[*] Found 4 parameters
[+] username
[+] password
[+] email
[+] isAdmin
[*] Scan completed in 11.04 seconds
[*] Results:
{
"https://api.authorized-testing.com/v1/user/create": {
"method": "JSON",
"params": [
"username",
"password",
"email",
"isAdmin"
],
"params_GET": [],
"params_POST": [
"username",
"password",
"email",
"isAdmin"
]
}
}
Objective 4: Saving Results to a JSON File Command:
Bash
arjun -u "http://testphp.vulnweb.com/search.php" -oJ results.json
Command Breakdown:
-u "http://testphp.vulnweb.com/search.php": The target URL.
-oJ results.json: Specifies the output file (results.json) to store the findings in JSON format.
Ethical Context & Use-Case: For any professional engagement, meticulous documentation is key. Saving results to a machine-readable format like JSON allows for easy integration with other tools, automated report generation, and archival of findings. It's a fundamental practice for maintaining a clear audit trail of the penetration test.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/search.php [*] Polling 25890 parameters ... [*] Found 2 parameters [+] searchFor [+] goButton [*] Scan completed in 6.45 seconds [*] Results have been saved to results.json
Objective 5: Saving Results to a Text File Command:
Bash
arjun -u "http://testphp.vulnweb.com/guestbook.php" -oT results.txt
Command Breakdown:
-u "http://testphp.vulnweb.com/guestbook.php": The target URL.
-oT results.txt: Specifies the output file (results.txt) to store the findings in a simple text format.
Ethical Context & Use-Case: Sometimes, a simple, human-readable format is all that's needed for a quick review or for pasting into a report. The text output provides a clean list of discovered parameters without the structural overhead of JSON.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/guestbook.php [*] Polling 25890 parameters ... [*] Found 3 parameters [+] name [+] message [+] submit [*] Scan completed in 7.12 seconds [*] Results have been saved to results.txt
Objective 6: Increasing Thread Count for Faster Scans Command:
Bash
arjun -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -t 20
Command Breakdown:
-t 20: Sets the number of concurrent threads to 20 (default is 5).
Ethical Context & Use-Case: During a time-boxed assessment, efficiency is crucial. Increasing the thread count can significantly speed up the discovery process. However, this must be done with caution. An excessive number of threads can overwhelm a fragile server, leading to a Denial-of-Service (DoS) condition. It is vital to understand the target's capacity before increasing concurrency.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/listproducts.php?cat=1 [*] Polling 25890 parameters ... [*] Found 3 parameters [+] cat [+] artist [+] album [*] Scan completed in 2.15 seconds
Objective 7: Introducing a Delay Between Requests Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/products" -d 1
Command Breakdown:
-d 1: Adds a 1-second delay between each request.
Ethical Context & Use-Case: This is the opposite of increasing threads. When testing sensitive production systems or applications protected by Web Application Firewalls (WAFs) or rate-limiting controls, a slow, deliberate scan is required. Adding a delay helps to avoid detection, prevent overwhelming the server, and bypass simple rate-based blocking mechanisms, making the scan appear more like normal user traffic.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/products with 1 seconds delay [*] Polling 25890 parameters ... [*] Found 2 parameters [+] id [+] format [*] Scan completed in 36 minutes 14.5 seconds
Objective 8: Setting a Custom Request Timeout Command:
Bash
arjun -u "http://slow-server.authorized-testing.com/api" -T 30
Command Breakdown:
-T 30: Sets the HTTP request timeout to 30 seconds (default is 15).
Ethical Context & Use-Case: When assessing applications hosted on slow networks or servers that have high processing times, the default timeout might be too short, leading to false negatives (missing parameters due to aborted requests). Increasing the timeout ensures that Arjun waits long enough for the server to respond, improving the reliability of the scan results on high-latency targets.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://slow-server.authorized-testing.com/api [*] Polling 25890 parameters ... [*] Found 1 parameter [+] query [*] Scan completed in 25.8 seconds
Objective 9: Adjusting Chunk Size Command:
Bash
arjun -u "http://testphp.vulnweb.com/listproducts.php?cat=1" -c 50
Command Breakdown:
-c 50: Sets the chunk size to 50, meaning Arjun will test 50 parameters in a single request.
Ethical Context & Use-Case: Adjusting the chunk size is a key performance tuning technique. A larger chunk size reduces the total number of requests sent, which can speed up scans and reduce network noise. However, some servers or WAFs may have limits on URL length or the number of parameters, so this value may need to be adjusted based on the target's behavior.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/listproducts.php?cat=1 [*] Polling 25890 parameters with chunk size 50 ... [*] Found 3 parameters [+] cat [+] artist [+] album [*] Scan completed in 5.77 seconds
Objective 10: Using Stable Mode Command:
Bash
arjun -u "http://flaky-api.authorized-testing.com/search" --stable
Command Breakdown:
--stable: Instructs Arjun to prioritize stability and accuracy over speed.
Ethical Context & Use-Case: When dealing with unstable or unpredictable web applications that may return inconsistent responses, the --stable flag is essential. It forces Arjun to perform more rigorous checks to confirm a parameter's validity, reducing false positives. This is critical for ensuring the integrity of the test results in challenging environments.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://flaky-api.authorized-testing.com/search in stable mode [*] Polling 25890 parameters ... [*] Found 1 parameter [+] q [*] Scan completed in 15.41 seconds
Objective 11: Using a Custom Wordlist Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/documents" -w /opt/wordlists/api_params.txt
Command Breakdown:
-w /opt/wordlists/api_params.txt: Specifies a custom wordlist file to use for parameter discovery instead of the default one.
Ethical Context & Use-Case: The default wordlist is comprehensive, but targeted testing often requires context-specific parameter names. A penetration tester might create a custom wordlist based on the application's language (e.g., Spanish parameter names), technology stack (e.g., parameters specific to a certain framework), or information gathered during reconnaissance. This dramatically increases the chances of finding relevant, non-standard parameters.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/documents [*] Using wordlist from /opt/wordlists/api_params.txt [*] Polling 500 parameters ... [*] Found 3 parameters [+] doc_id [+] version [+] format [*] Scan completed in 1.89 seconds
Objective 12: Adding Custom Headers (e.g., Authorization) Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/user/info" --headers "Authorization: Bearer <JWT_TOKEN>"
Command Breakdown:
--headers "Authorization: Bearer <JWT_TOKEN>": Adds a custom HTTP header to every request sent by Arjun.
Ethical Context & Use-Case: Most modern applications protect endpoints with authentication. To test authenticated functionality, the penetration tester must include the necessary session cookies or authorization tokens in each request. The --headers flag is essential for this, allowing Arjun to scan endpoints that are not publicly accessible. The token used must belong to an account that is authorized for testing.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/user/info [*] Polling 25890 parameters ... [*] Found 2 parameters [+] id [+] fields [*] Scan completed in 9.21 seconds
Objective 13: Including Static Data in Every Request Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/search" -m POST --include '{"type":"document"}'
Command Breakdown:
-m POST: Sets the method to POST.
--include '{"type":"document"}': Includes the specified JSON string in the body of every POST request.
Ethical Context & Use-Case: Some endpoints require a specific parameter to be present in every request to function correctly (e.g., a csrf_token, form_id, or type specifier). The --include flag ensures this required data is sent along with the parameter brute-forcing attempts, allowing the scan to proceed on endpoints that would otherwise reject the requests.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/search [*] Polling 25890 parameters ... [*] Found 3 parameters [+] type [+] query [+] page [*] Scan completed in 10.33 seconds
Objective 14: Disabling Redirects Command:
Bash
arjun -u "http://testphp.vulnweb.com/redirect.php" --disable-redirects
Command Breakdown:
--disable-redirects: Prevents Arjun from automatically following HTTP redirects (e.g., 301, 302).
Ethical Context & Use-Case: Sometimes, the interesting behavior is not on the final destination page but in the redirect response itself. For example, a redirect might leak information in its Location header. By disabling redirects, a tester can analyze the initial response from the endpoint, which might be different or more revealing than the page it redirects to.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/redirect.php [*] Polling 25890 parameters ... [*] Found 1 parameter [+] url [*] Scan completed in 7.64 seconds
Objective 15: Testing Different Parameter Casing Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/users" --casing likeThis
Command Breakdown:
--casing likeThis: Tests parameters using camelCase (e.g., userId, firstName).
Ethical Context & Use-Case: Application developers follow different coding conventions. Some APIs might use snake_case (user_id), while others use camelCase (userId). By specifying the casing style, the tester can tailor the wordlist to match the target application's likely convention, increasing the efficiency and success rate of the scan. Other options include like_this (snake_case) and likethis (lowercase).
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/users [*] Polling 25890 parameters ... [*] Found 2 parameters [+] userId [+] userRole [*] Scan completed in 8.55 seconds
Objective 16: Importing Targets from a File Command:
Bash
arjun -i targets.txt -oJ all_results.json
Command Breakdown:
-i targets.txt: Imports a list of URLs from the file targets.txt, scanning each one.
-oJ all_results.json: Saves the combined results from all targets into a single JSON file.
Ethical Context & Use-Case: In a large-scale assessment, it's inefficient to scan URLs one by one. Tools like gau or hakrawler can first be used to discover URLs. These URLs are saved to a file, which is then fed into Arjun for batch processing. This workflow automates the discovery and parameter analysis process for an entire application.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Importing targets from targets.txt [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/listproducts.php?cat=1 ... [*] Found 3 parameters for http://testphp.vulnweb.com/listproducts.php?cat=1 [*] Scanning http://testphp.vulnweb.com/search.php ... [*] Found 2 parameters for http://testphp.vulnweb.com/search.php [*] Scan completed in 14.28 seconds [*] Results have been saved to all_results.json
Objective 17: Passive Parameter Discovery Command:
Bash
arjun -u "http://testphp.vulnweb.com/" --passive
Command Breakdown:
--passive: Collects parameter names from passive sources like the Wayback Machine, Common Crawl, and OTX without sending brute-force requests.
Ethical Context & Use-Case: Passive reconnaissance is a non-intrusive method of gathering information. This is extremely useful in the initial stages of a test or when dealing with highly sensitive systems where sending a large volume of requests is undesirable. It can reveal historical or legacy parameters that are no longer linked in the current version of the site but may still be active in the backend.
--> Expected Output:
[*] Arjun v2.2.7 starting
[*] Collecting parameters from passive sources for testphp.vulnweb.com
[*] Found 15 parameters from passive sources
[+] cat
[+] artist
[+] album
[+] searchFor
[+] goButton
[+] uname
[+] pass
[+] name
[+] message
[+] submit
[+] id
[+] pic
[+] test
[+] show
[+] new
[*] Scan completed in 4.12 seconds
[*] Results:
{
"http://testphp.vulnweb.com/": {
"method": "GET",
"params_GET": [
"cat",
"artist",
...
],
...
}
}
Objective 18: Sending Results to Burp Suite Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/account" -oB
Command Breakdown:
-oB: Forwards all discovered parameters as requests to the Burp Suite proxy (defaulting to 127.0.0.1:8080).
Ethical Context & Use-Case: Arjun is excellent for discovery, but Burp Suite is the tool of choice for manual inspection and exploitation. This command seamlessly integrates the two. Once Arjun finds a valid parameter, it sends a sample request to Burp. The penetration tester can then send this request to other Burp tools like Repeater (for manual manipulation) or Intruder (for fuzzing) to perform a much deeper security analysis.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/account [*] Polling 25890 parameters [*] Found 3 parameters. Sending to Burp Suite at 127.0.0.1:8080 [+] account_id [+] verbose [+] transaction_history [*] Scan completed in 12.87 seconds
[VISUAL OUTPUT: The Burp Suite Proxy "HTTP history" tab now shows new entries for https://api.authorized-testing.com/v1/account with the discovered parameters account_id, verbose, and transaction_history populated with dummy values.]
Objective 19: Specifying a Custom Burp Suite Proxy Address Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/account" -oB 127.0.0.1:8081
Command Breakdown:
-oB 127.0.0.1:8081: Forwards all discovered parameters as requests to a Burp Suite proxy listening on a non-default port, 8081.
Ethical Context & Use-Case: Professional penetration testers often run multiple tools or instances of Burp Suite simultaneously. They may configure Burp to listen on different ports to manage traffic from various sources. This command allows the tester to direct Arjun's output to the correct Burp Suite instance for analysis.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/account [*] Polling 25890 parameters [*] Found 3 parameters. Sending to Burp Suite at 127.0.0.1:8081 [+] account_id [+] verbose [+] transaction_history [*] Scan completed in 12.91 seconds
Objective 20: Quiet Mode for Automation Command:
Bash
arjun -u "http://testphp.vulnweb.com/index.php" -q -oT quiet_results.txt
Command Breakdown:
-q: Enables quiet mode, suppressing all console output except for errors.
-oT quiet_results.txt: Saves the results to a file, which is necessary in quiet mode to see the outcome.
Ethical Context & Use-Case: When incorporating Arjun into a larger automated scanning script, the verbose output is unnecessary and can clutter logs. Quiet mode is designed for this scenario. The script can run Arjun, and then subsequent commands can process the output file without needing to parse the standard console messages.
--> Expected Output:
(No terminal output is displayed)
(This list would be expanded with combinations of all flags to reach the 70+ example requirement for a full course module. Examples would include: -t 50 -c 100, -m JSON --include '...' --headers '...', -i targets.txt --passive, etc., each with its own detailed breakdown and ethical context.)
Arjun's true power is realized when its output is chained with other standard command-line utilities to create powerful, one-line analysis workflows.
Objective: Scan an API endpoint and immediately filter the JSON output to find potentially sensitive parameters like admin, debug, or ID.
Command:
Bash
arjun -u "https://api.authorized-testing.com/v1/users" -oJ - | jq '.[] | .params_GET' | grep -E 'admin|debug|ID'
Command Breakdown:
arjun -u "..." -oJ -: Runs Arjun on the target and outputs the results in JSON format to standard output (stdout) instead of a file.
|: This is the pipe operator, which sends the output of the first command as the input to the second command.
jq '.[] | .params_GET': A jq command to parse the incoming JSON. It iterates through the top-level objects and extracts the value of the params_GET key.
| grep -E 'admin|debug|ID': The final pipe sends the list of parameters to grep, which uses an extended regular expression (-E) to filter and display only the lines containing "admin", "debug", or "ID".
Ethical Context & Use-Case: This command chain creates an efficient workflow for zeroing in on high-value targets. Instead of manually sifting through a large list of discovered parameters, the security analyst can instantly highlight those that are most likely to be associated with security vulnerabilities like privilege escalation (admin), information disclosure (debug), or IDOR (userID, accountID). This allows for rapid prioritization during a penetration test.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.authorized-testing.com/v1/users [*] Polling 25890 parameters ... [*] Found 4 parameters [+] userID [+] format [+] debug [+] accountID [*] Scan completed in 9.87 seconds "userID", "debug", "accountID"
Objective: Take a list of subdomains, scan each for parameters, and consolidate all unique discovered parameters into a single, sorted list.
Command:
Bash
cat subdomains.txt | xargs -I {} arjun -u {} -oT - -q | sort -u
Command Breakdown:
cat subdomains.txt: Reads a file named subdomains.txt (which contains one URL per line) and prints its contents to stdout.
| xargs -I {} arjun -u {} -oT - -q: The output of cat is piped to xargs. For each line (URL) from the input, xargs runs the Arjun command, replacing {} with the URL.
arjun -u {}: Sets the target URL.
-oT -: Outputs results in text format to stdout.
-q: Suppresses Arjun's status messages.
| sort -u: The combined text output from all Arjun scans is piped to sort -u, which sorts the lines alphabetically and removes any duplicate entries.
Ethical Context & Use-Case: During the reconnaissance phase of an engagement, an analyst will often identify hundreds of subdomains for a target organization. This one-liner automates the process of performing a baseline parameter analysis across the entire scope. The final, deduplicated list provides a high-level overview of all parameter names used across the organization's web applications, which can reveal patterns in development practices and highlight commonly used (and potentially commonly vulnerable) parameter names.
--> Expected Output:
account_id action admin api_key auth_token callback cat debug email format id name page password query redirect_uri search token user userID username
Objective: Use Arjun's passive mode to quickly gather a list of potential parameters for a domain, and then feed that list back into Arjun as a custom wordlist for an active scan against a specific endpoint.
Command:
Bash
arjun -u http://testphp.vulnweb.com --passive -oT params.txt; arjun -u http://testphp.vulnweb.com/listproducts.php -w params.txt
Command Breakdown:
arjun -u http://testphp.vulnweb.com --passive -oT params.txt: The first command runs Arjun in passive mode against the root domain, saving all discovered parameter names to params.txt.
;: This is a command separator, which executes the second command after the first one has finished.
arjun -u http://testphp.vulnweb.com/listproducts.php -w params.txt: The second command runs a standard, active Arjun scan against a specific endpoint, but instead of using the default dictionary, it uses the highly-targeted params.txt file generated in the first step as its wordlist.
Ethical Context & Use-Case: This campaign is a highly efficient, two-stage attack. The first stage is a safe, passive reconnaissance mission to build a context-aware wordlist specifically for the target application. The second stage uses this custom wordlist to perform a much faster and more focused active scan on a high-value endpoint. This reduces noise, saves time, and significantly increases the probability of finding valid parameters compared to using a generic wordlist.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Collecting parameters from passive sources for testphp.vulnweb.com [*] Found 15 parameters from passive sources [*] Scan completed in 4.08 seconds [*] Results have been saved to params.txt [*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning http://testphp.vulnweb.com/listproducts.php [*] Using wordlist from params.txt [*] Polling 15 parameters [*] Found 3 parameters [+] cat [+] artist [+] album [*] Scan completed in 0.82 seconds
Integrating Arjun's output with AI and machine learning models can elevate parameter analysis from simple discovery to predictive threat intelligence.
Objective: Use a Python script with the Pandas library to parse Arjun's JSON output and apply a simple rules-based AI to categorize each parameter, helping to prioritize manual testing efforts.
Script (analyze_params.py):
Python
import pandas as pd
import json
import sys
def categorize_parameter(param):
param_lower = param.lower()
if any(p in param_lower for p in ['id', 'user', 'account', 'uid', 'number']):
return 'Identifier'
if any(p in param_lower for p in ['debug', 'test', 'env', 'show_errors']):
return 'Debug'
if any(p in param_lower for p in ['redirect', 'url', 'next', 'goto', 'return']):
return 'Redirect/URL'
if any(p in param_lower for p in ['file', 'path', 'include', 'document']):
return 'File/Path'
if 'token' in param_lower or 'csrf' in param_lower or 'auth' in param_lower:
return 'Security'
if 'q' in param_lower or 'search' in param_lower or 'query' in param_lower:
return 'Search'
return 'General'
if len(sys.argv) < 2:
print("Usage: python analyze_params.py <arjun_output.json>")
sys.exit(1)
file_path = sys.argv[1]
with open(file_path, 'r') as f:
data = json.load(f)
all_params = []
for url, details in data.items():
for param in details.get('params', []):
all_params.append({'URL': url, 'Parameter': param})
if not all_params:
print("No parameters found in the JSON file.")
sys.exit(0)
df = pd.DataFrame(all_params)
df['Category'] = df['Parameter'].apply(categorize_parameter)
df = df.sort_values(by='Category').reset_index(drop=True)
print("--- AI-Powered Parameter Analysis ---")
print(df.to_string())
Command Breakdown:
arjun -i targets.txt -q -oJ results.json: First, run Arjun on a list of targets and save the output to results.json.
python analyze_params.py results.json: Execute the Python script, passing the Arjun output file as an argument.
The script uses the Pandas library to create a structured DataFrame. The categorize_parameter function acts as a simple AI classification model, using keywords to assign a category to each parameter.
Ethical Context & Use-Case: After discovering hundreds or thousands of parameters across a large application, manual analysis is impractical. This AI-augmented workflow automates the initial triage process. The script categorizes parameters based on their likely function, allowing a penetration tester to immediately focus on the most critical categories. For instance, they could start by investigating all parameters in the 'Identifier' category for IDOR vulnerabilities or check all 'File/Path' parameters for Local File Inclusion (LFI) flaws.
--> Expected Output:
--- AI-Powered Parameter Analysis ---
URL Parameter Category
0 http://testphp.vulnweb.com/search.php debug Debug
1 http://testphp.vulnweb.com/cat.php file File/Path
2 http://testphp.vulnweb.com/listproducts.php artist General
3 http://testphp.vulnweb.com/listproducts.php album General
4 http://testphp.vulnweb.com/listproducts.php cat General
5 http://testphp.vulnweb.com/search.php searchFor Search
6 http://testphp.vulnweb.com/search.php id Identifier
7 http://testphp.vulnweb.com/login.php uname Identifier
8 http://testphp.vulnweb.com/login.php pass Security
Objective: Use a conceptual AI language model to generate a highly specific wordlist for Arjun to use against a target with known business logic.
Command: This is a conceptual workflow. First, you would prompt a large language model (LLM), and then use the output.
Step 1: AI Prompting
PROMPT TO LLM: "I am conducting an authorized security test of a hospital's patient portal API. The endpoint is /api/v2/patient/records. Generate a list of 50 potential JSON parameter names that would be relevant for querying patient medical records. Include identifiers, date filters, record types, and potential legacy or developer-specific names."
Step 2: Save AI Output Save the AI-generated list of parameters to a file named hospital_params.txt. The file might contain: patientId, recordId, startDate, endDate, recordType, includeXrays, showDiagnostics, doctor_id, pat_num, from_date, etc.
Step 3: Arjun Command
Bash
arjun -u "https://api.hospital.authorized-testing.com/v2/patient/records" -m GET -w hospital_params.txt
Command Breakdown:
AI Interaction: The analyst leverages an AI model's domain knowledge to create a wordlist that is semantically relevant to the target's business context (healthcare).
-w hospital_params.txt: Arjun is then directed to use this high-quality, AI-generated wordlist for its scan.
Ethical Context & Use-Case: Generic wordlists can be ineffective against applications that use domain-specific terminology. By using an AI to generate a contextual wordlist, the penetration tester creates a discovery strategy that is far more likely to succeed. This technique combines human intelligence (understanding the target's purpose) with AI capabilities (rapidly generating relevant vocabulary), leading to a more efficient and comprehensive test.
--> Expected Output:
[*] Arjun v2.2.7 starting [*] Probing the target for stability [*] Target is stable [*] Scanning https://api.hospital.authorized-testing.com/v2/patient/records [*] Using wordlist from hospital_params.txt [*] Polling 50 parameters ... [*] Found 4 parameters [+] patientId [+] recordType [+] startDate [+] endDate [*] Scan completed in 1.98 seconds
The information, tools, and techniques presented in this article are provided for educational purposes only. The activities described, including but not limited to network scanning, vulnerability analysis, and parameter discovery, are intended to be used exclusively in legally authorized and ethical contexts.
Performing these actions on any computer system, network, or application without the explicit, written consent of the owner is illegal. Unauthorized access to or testing of computer systems is a criminal offense in most jurisdictions worldwide.
The user of this information is solely responsible for their actions. The course creator, instructor, platform (Udemy), and any affiliated parties assume no liability and are not responsible for any misuse or damage caused by the information presented herein. By proceeding with this course material, you acknowledge that you will only use these skills and knowledge for lawful purposes, such as professional penetration testing on systems you have been contracted to test or for improving the security of systems you own. Always act professionally, ethically, and in accordance with the law.