The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code and reflections.
- Features
- Examples
- Test
- Usage
- Troubleshooting
- Limitations
- Wordlists
- Burp Suite integrations
- Installation
Features
- A lot of things to customize: key template, value template, encodings, and even injection points.
- Supports 6 main methods: GET, POST, PUT, PATCH, DELETE, HEAD.
- Has built in 2 main body types: json, urlencode.
- Able to discover parameters with not random value, like admin=true
- Compares responses line-by-line.
- Adds to every request cachebuster by default.
Examples
Send parameters via query
With some default parameters:
/?something=1 equals to /?something=1&%s
Send parameters via body
Or with a custom body:
%s will be replaced with different parameters like {"x":{"a":"b3a1a", "b":"ce03a", ...}}
Custom template
Now every request would look like /?user[a]=hg2s4&user[b]=a34fa&...
It is even possible to imitate not included body types, for example, application/xml:
Variables
In the next example, something will take on new values every request:
Percent encoding
Sometimes parameters should be encoded. It is also possible:
GET /?path=..%2faction.php%3fWTDa8%3Da7UOS%26rTIDA%3DexMFp...%23 HTTP/1.1
Host: example.com
Headers
With v3.0.0 it is possible to discover headers as well:
Header values
You can also target single headers:
Test
Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/index.html. There are total 8 parameteres and 2 headers to be found!
Usage
USAGE:
x8 [FLAGS] [OPTIONS]
FLAGS:
--append Append to the output file instead of overwriting it.
--as-body Send parameters via body.
Built in body types that can be detected automatically: json, urlencode
--disable-cachebuster
--disable-colors
--disable-custom-parameters Do not check automatically parameters like admin=true
--disable-progress-bar
-C, --disable-response-correction Do not beautify responses before processing. Reduces accuracy.
--encode Encodes query or body before a request, i.e & -> %26, = -> %3D
List of chars to encode: ", `, , <, >, &, #, ;, /, =, %
-L, --follow-redirects Follow redirections
--force Ignore 'binary data detected', 'the page is too huge', 'param_template lacks
variables' error messages
-h, --help Prints help information
--headers Switch to header discovery mode.
Forbidden chars would be automatically removed from headers names
--is-json If the output is valid json and the content type does not contain 'json'
keyword - specify this argument for a more accurate search
--keep-newlines --body 'a\r\nb' -> --body 'a{{new_line}}b'.
Works with body and parameter templates only.
--reflected-only Disable page comparison and search for reflected parameters only.
--replay-once If replay proxy is specified, send all found parameters within one request.
--test Prints request and response
-V, --version Prints version information
--verify Verify found parameters one more time.
OPTIONS:
-b, --body <body> Example: --body '{"x":{%s}}'
Available variables: {{random}}
-t, --body-type <body type>
Available: urlencode, json
Can be detected automatically if --body is specified (default is "urlencode")
-c <concurrency> The number of concurrent requests [default: 1]
--custom-parameters <custom-parameters>
Check these parameters with non-random values like true/false yes/no
(default is "admin bot captcha debug disable encryption env show sso test waf")
--custom-values <custom-values>
Check custom parameters with these values (default is "1 0 false off null true yes no")
-d, --delay <Delay between requests in milliseconds> [default: 0]
-H <headers> Example: -H 'one:one' 'two:two'
--learn-requests <learn_requests_count> Set the custom number of learning requests. [default: 9]
-m, --max <max>
Change the maximum number of parameters.
(default is 128/192/256 for query, 64/128/196 for headers and 512 for body)
-X, --method <method>
Available: GET, POST, PUT, PATCH, DELETE, HEAD. [default: GET]
-o, --output <file>
-O, --output-format <output-format> standart, json, url, request [default: standart]
-P, --param-template <parameter_template>
%k - key, %v - value. Example: --param-template 'user[%k]=%v&' [default: ]
--proto <proto> Protocol to use with request file (default is "https")
-x, --proxy <proxy>
--replay-proxy <replay-proxy>
Request target with every found parameter via replay proxy at the end.
-r, --request <request> The file with the raw http request
--save-responses <save-responses> Save matched responses to a directory
-u, --url <url> You can add a custom injection point with %s.
--value-size <value_size>
Custom value size. Affects {{random}} variables as well [default: 7]
-v, --verbose <verbose> Verbose level 0/1/2 [default: 1]
-w, --wordlist <wordlist> The file with parameters
Troubleshooting
I chose the POST/PUT method and/or provided a body, but the tool sends parameters via query.
- make sure you are adding --as-body flag.
The tool fails to send requests via burp suite proxy.
- try to use --http2 flag.
Limitations
- Currently, it is impossible to use some non-regular paths like
/sth1/../sth2.
Wordlists
Parameters:
Headers:
Burp Suite integrations
It is possible to run parameter discovery in a few clicks using burp suite extensions:
x8-Burp
NOTE
Currently the extension supports only v2.5.0.
Send To
Setting up
- Open Burp Suite and go to the extender tab.
- Find and install the "Custom Send To" extension in BApp Store.
- Go to the "Send to" tab and click Add.
Name - x8 query.
Command - /path/to/x8 -r %R -w wordlist.txt --proto %T. You can also add your frequently used arguments like --output-format,--replay-proxy, -c...
Then switch from Run in background to Run in terminal.
- Repeat step 3 with Name - "x8 body" and add
--as-bodyflag to the Command.
Now you can go to the proxy/repeater tab and send the request to the tool:
In the next dialog, you can change the command and run it in a new terminal window.
Installation
-
Linux
- from releases
- from blackarch repositories (repositories should be installed)
# pacman -Sy x8 - from source code (rust should be installed)
- using cargo install
-
Mac
- currently, there are no binaries for Mac OS
- from source code (rust should be installed)
- using cargo install
-
Windows
- from releases
-- btc - bc1qje9f85652r5a0anfxcs8yzu97nes740qxg3mxt4um30myj5sc7mss0v3yw xmr - 46pni5AY9Ra399sivBykVucaK6KdU3rYiSqFsZinfaEgd3qUkeZvRxjEdhPPmsmZQwTDPBSrvSpkaj4LsHqLH6GG7zMmgiW