x8 2.0.0

Hidden parameters discovery suite.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202

[![Twitter](https://img.shields.io/twitter/follow/sh1yo_.svg?logo=twitter)](https://twitter.com/sh1yo_)

![crates.io](https://img.shields.io/crates/v/x8.svg)
![stars](https://img.shields.io/github/stars/Sh1Yo/x8)
![crates_downloads](https://img.shields.io/crates/d/x8?logo=rust)
![github_downloads](https://img.shields.io/github/downloads/sh1yo/x8/total?label=downloads&logo=github)
![lang](https://img.shields.io/github/languages/top/sh1yo/x8)

<h1 align="center">x8</h1>

<h3 align="center">Hidden parameters discovery suite written in Rust.</h3>

<p align="center"><a href="https://asciinema.org/a/oAMn0LK0NciNHgzirYJClyB2v" target="_blank"><img src="https://asciinema.org/a/oAMn0LK0NciNHgzirYJClyB2v.svg" /></a></p>

- [How does it work](#how-does-it-work)
- [Features](#features)
- [Examples](#examples)
    - [Send parameters via query]("send-parameters-via-query")
    - [Send parameters via body](#send-parameters-via-body)
    - [Custom template](#custom-template)
    - [Variables](#variables)
    - [Percent encoding](#percent-encoding)
- [Test](#test)
- [Usage](#usage)
- [Installation](#installation)
- [Donation](#donation)

# How does it work
Firstly, it makes a few basic requests to learn the target, and then it tries to adjust the optimal amount of parameters in every request. Next requests contain parameters from the user-supplied list. If the response has unique differences - parameters from the request are split into two heaps and added to the queue for another cycle. Cycles repeat until there remains one parameter in every heap that causes a unique difference.

# Features
- A lot of things to customize: key template, value template, encodings, and even injection points.
- Supports 6 main methods: GET, POST, PUT, PATCH, DELETE, HEAD.
- Has built in 2 main body types: json, urlencode.
- Able to discover parameters with not random value, like admin=true
- Compares responses line-by-line.
- Adds to every request cachebuster by default.

# Examples
#### Send parameters via query
```bash
x8 -u "https://example.com/" -w <wordlist>
```

With some default parameters:
```bash
x8 -u "https://example.com/?something=1" -w <wordlist>
```

`/?something=1` equals to `/?something=1&%s`

#### Send parameters via body
```bash
x8 -u "https://example.com/" -X POST --as-body -w <wordlist>
```

Or with a custom body:
```bash
x8 -u "https://example.com/" -X POST --as-body -b '{"x":{%s}}' -w <wordlist>
```
`%s` will be replaced with different parameters like `{"x":{"a":"b3a1a", "b":"ce03a", ...}}`

#### Custom template
```bash
x8 -u "https://example.com/" --param-template "user[%k]=%v&" -w <wordlist>
```

Now every request would look like `/?user[a]=hg2s4&user[b]=a34fa&...`

It is even possible to imitate not included body types, for example, application/xml:

```bash
x8 -u "https://example.com/" --as-body --param-template "<%k>%v</%k>" -H "Content-Type: application/xml" -b "<?xml version="1.0" ?>%s" -w <wordlist>
```

#### Variables
In the next example, `something` will take on new values every request:
```bash
x8 -u "https://example.com/?something={{random}}&%s" -w <wordlist>
```

#### Percent encoding
Sometimes parameters should be encoded. It is also possible:

```bash
x8 -u "https://example.com/?path=..%2faction.php%3f%s%23" --encode -w <wordlist>
```

```http
GET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp...%23 HTTP/1.1
Host: example.com
```

# Test
Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/.
There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.

# Usage

```
USAGE:
    x8 [FLAGS] [OPTIONS]

FLAGS:
        --as-body                        Send parameters via body.
                                         Built in body types that can be detected automatically: json, urlencode
        --disable-cachebuster
        --disable-colors
        --disable-custom-parameters      Do not check automatically parameters like admin=true
        --disable-progress-bar
    -C, --disable-response-correction    Do not beautify responses before processing. Reduces accuracy.
        --encode                         Encodes query or body before a request, i.e & -> %26, = -> %3D
                                         List of chars to encode: ", `, , <, >, &, #, ;, /, =, %
    -L, --follow-redirects               Follow redirections
        --force                          Ignore 'binary data detected', 'the page is too huge', 'param_template lacks
                                         variables' error messages
    -h, --help                           Prints help information
        --http2                          Use http/2 instead of http/1.1
        --insecure                       Use http instead of https when the request file is used
        --is-json                        If the output is valid json and the content type does not contain 'json'
                                         keyword - specify this argument for a more accurate search
        --replay-once                    If replay proxy is specified, send all found parameters within one request
        --test                           Prints request and response
    -V, --version                        Prints version information

OPTIONS:
    -b, --body <body>                                       Example: --body '{"x":{%s}}'
                                                            Available variables: {{random}}
    -t, --body-type <body type>
            Available: urlencode, json. (default is "urlencode")
            Can be detected automatically if --body is specified
    -c <concurrency>                                        The number of concurrent requests (default is 1)
        --custom-parameters <custom-parameters>
            Check these parameters with non-random values like true/false yes/no
            (default is "admin bot captcha debug disable encryption env show sso test waf")
        --custom-values <custom-values>
            Check custom parameters with these values (default is "1 0 false off null true yes no")

    -d, --delay <Delay between requests in milliseconds>
    -H, --header <headers>                                  Example: -H 'one:one' 'two:two'
        --learn-requests <learn_requests_count>             Set the custom number of learning requests. (default is 9)
    -m, --max <max>
            Change the maximum number of parameters. (default is 128/192/256 for query and 512 for body)

    -X, --method <method>
            Available: GET, POST, PUT, PATCH, DELETE, HEAD. (default is "GET")

    -o, --output <file>
    -P, --param-template <parameter_template>
            %k - key, %v - value. Example: --param-template 'user[%k]=%v&'

    -x, --proxy <proxy>
        --replay-proxy <replay-proxy>
            Request target with every found parameter via replay proxy at the end

    -r, --request <request>                                 The file with raw http request
        --save-responses <save-responses>                   Save matched responses to a directory
    -u, --url <url>                                         You can add a custom injection point with %s
        --value-size <value_size>
            Custom value size. Affects {{random}} variables as well (default is 5)

    -v, --verbose <verbose>                                 Verbose level 0/1/2 (default is 1)
    -w, --wordlist <wordlist>                               The file with parameters
```

<a name="Installation"/>

# Installation
- Linux
    - from releases
    - from source code (rust should be installed)
        ```bash
        git clone https://github.com/Sh1Yo/x8
        cd x8
        cargo build --release
        ```
    - using cargo install
        ```bash
        cargo install x8
        ```
- Mac
    - currently, there are no binaries for Mac OS
    - from source code (rust should be installed)
        ```bash
        git clone https://github.com/Sh1Yo/x8
        cd x8
        cargo build --release
        ```
    - using cargo install
        ```bash
        cargo install x8
        ```

- Windows
    - from releases

# Donation
Want to support the project? You can donate to the following addresses:

Monero: 46pni5AY9Ra399sivBykVucaK6KdU3rYiSqFsZinfaEgd3qUkeZvRxjEdhPPmsmZQwTDPBSrvSpkaj4LsHqLH6GG7zMmgiW

Bitcoin: bc1q8q9hfmejxd65jcrszwpgj7xnwhy32gpxay2h604xwvjwtw8jh8vq8kev5r