Table of Contents

In the context of web security, a parameter refers to any input or value that is sent to a web application through a URL or a form. These parameters can be anything from a username and password to more complex values, and they play a critical role in determining how the application behaves.

When it comes to finding security vulnerabilities in web applications, one of the most important things to do is to identify as many parameters as possible. This is because each parameter represents a potential entry point for an attacker to exploit.

By finding more parameters, security researchers, penetration testers and bugbounty hunters can significantly increase the attack surface of an application. This, in turn, allows them to identify a wider range of potential vulnerabilities, including things like SQL injection, cross-site scripting, and more.

Now that we understand the importance and drive behind identifying Hidden Parameters, let's explore various methodologies and tools to perform parameter discovery.


Methods and tools for parameter discovery:

Now let's find all the hidden parameters unlinked, unreferenced or unintentionally/accidentally open for use?


Creator: S0md3v

Arjun is a tool that can find valid HTTP parameters for URL endpoints in web applications. It has a default dictionary of 25,890 parameter names and can make 50-60 requests to the target in less than 10 seconds. Arjun supports various types of requests and can handle rate limits and timeouts. It also allows exporting results to various file formats and can passively extract parameters from JS or external sources.


#with pip
pip3 install arjun
#with repo
git clone
cd Arjun
python3 install


#Scan single url
arjun -u

Arjun looks for GET method parameters by default. All available methods are: GET/POST/JSON/XML

#specify the request method
arjun -u -m POST
#scan a list of targets
arjun -i targets.txt
#Use custom wordlist
arjun -u -w parameters.txt
#export to Burp
arjun -u -oB

Arjun has more features which you can read it here:

HTTP parameter discovery suite. Contribute to s0md3v/Arjun development by creating an account on GitHub.

Here are some reports where arjun helped bugbounty hunters earn some $$$$


Creator: Alexander Mironov(sh1yo_)

x8 is a Hidden parameters discovery suite written in Rust that helps identify potential vulnerabilities or interesting functionality missed by other testers. It offers fast and flexible request configuration using templates and injection points. x8 is highly scalable and can check thousands of URLs per run. It achieves high accuracy through line-by-line comparison of pages, comparison of response codes, and reflections. The tool can discover parameters with non-random values and is highly configurable with a wide range of options. Additionally, x8 achieves almost raw requests through external library modification.


#via cargo install
apt-get install cargo
cargo install x8
#from source code (rust should be installed)
git clone 
cd x8 
cargo build --release


#Single URL
x8 -u "" -w <wordlist>

-u specify the URL and -w specifies the wordlist to be used

#specify the request method using -X
x8 -u "" -w <wordlist> -X GET POST
#scan a list of targets with -u
x8 -u targets.txt -w <wordlist>

x8 can be integrated with Burp suite using the Custom Send To extension from BApp store.

Burp Suite integration can be found here:

GitHub - Sh1Yo/x8: Hidden parameters discovery suite
Hidden parameters discovery suite. Contribute to Sh1Yo/x8 development by creating an account on GitHub.



The extension is designed to identify hidden and unlinked parameters, with a specific focus on finding web cache poisoning vulnerabilities. It uses advanced diffing logic from Backslash Powered Scanner, along with a binary search technique, to guess up to 65,000 parameter names per request. The extension includes a built-in wordlist, and also harvests additional words from all in-scope traffic to improve its accuracy.


Extensions -> Param Miner -> Guess params

Para miner indetified the unlinmked parameter content

Paraminer is powerful for discoving web cache poisoning issues, you can read about it here:

Practical Web Cache Poisoning
In this paper I’ll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems

Read this blog to understand how Nagli used para-miner to get cool bounties and bugs


Creator: Devansh(0xAsm0d3us)

ParamSpider is a tool designed to mine parameters from web archives, including subdomains, of a specified domain. It can exclude URLs with specific extensions and saves the output results in a clear and organized manner. ParamSpider operates without interacting with the target host, making it a non-invasive tool for parameter discovery.


git clone
cd ParamSpider
pip3 install -r requirements.txt
python3 --domain


Simple scan 
$ python3 --domain
Excluding urls with specific extensions
$ python3 --domain --exclude php,jpg,svg

Finding nested parameters
$ python3 --domain --level high

Saving the results
$ python3 --domain --exclude php,jpg --output target.txt

Custom placeholder text (default is FUZZ)
$ python3 --domain --placeholder FUZZ

Paramspider can be paired up with ffuf and gf tools for maximum efficiency!


Creator: xnl-h4ck3r

The GAP-Burp-Extension is an updated version of the original getAllParams extension for Burp. It not only identifies potential parameters but also discovers potential links to test these parameters on. Additionally, it creates a target-specific wordlist for fuzzing purposes. Users can access the full Help documentation on the GAP tab or by visiting the GitHub repository.


  1. Download the and requirements.txt from this project and place in the same directory.
  2. Install Jython modules by running java -jar jython-standalone-2.7.3.jar -m pip install -r requirements.txt.
  3. Go to the Extensions -> Installed and click Add under Burp Extensions.
  4. Select Extension type of Python and select the file.


Extensions -> GAP

The results can be found in the GAP tab

GAP is a powerful tool and burp extension that you should definity check out.


Creator: hisxo

ReconAIzer is a Jython extension for Burp Suite that incorporates OpenAI to enhance the bug bounty recon process. This extension automates numerous tasks to assist security researchers in identifying and exploiting vulnerabilities. It can identify endpoints, params, URLs, subdomains, and more. The power of the GPT-3 in your burp!


  1. Download the
  2. Go to the Extensions -> Installed and click Add under Burp Extensions.
  3. Select Extension type of Python and select the file.
  4. On config page add the OpenAPI API key


Extensions -> ReconAIzer -> Suggest GET/POST/JSON Parameters

At the time of testing, i was getting the following error! I tried different API keys.

Still looks like a promising extension using OpenAI, play around with it.

So if you're looking to improve the security of your web applications, one of the best things you can do is to focus on finding and testing as many parameters as possible. By doing so, you'll be able to identify and address potential vulnerabilities before they can be exploited by attackers. Now you know how to find more parameters!

If you liked this blog and want too see such contents, Let me know in the comments and share it with your peers!

Follow me on Twitter and LinkedIn

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Anugrah SR | #HackLearnDaily.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.