x8 4.3.1

Hidden parameters discovery suite.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313

- [User Interface](#user-interface)
- [Command line arguments](#command-line-arguments)
    - [http request from file](#http-request-from-file)
    - [http request from command-line arguments](#http-request-from-command-line-arguments-conflicts-with---request)
    - [Parameters](#parameters)
    - [Behavior](#behavior)
    - [Concurrency](#concurrency)
    - [Output](#output)


## User Interface

Usually, the tool's output looks like this:

![img](https://sh1yo.art/images/si9kh81QRe4PF9JF7g-4D0jGJ0ZAeDAW)

## Command line arguments

### http request from file

```
-r --request <filename>
```

This option specifies the file containing the raw HTTP request.

When using a request file, the tool does not add default headers such as `Accept` and `User-Agent` to the request.

At present, the URL is created directly from the Host header, so it is not possible to set an arbitrary Host header from within a request file. If you want to set a different Host header, see the `-H` option in the [HTTP Request from Command Line Arguments](#http-request-from-command-line-arguments) category.

```
--proto <http/https>
```

This argument is additional and required when using the `--request` option.

Specify either `http` or `https`.

```
--split-by <value>
```

This option specifies how to split the request file. By default, the `.lines()` method is used, which treats `\r`, `\n`, and `\r\n` as line separators.

For example, to split only by `\n`, use `--split-by '\n'`.

### http request from command-line arguments [conflicts with -\-request]

```
-u --url <values>
```

This option specifies the target URL. Multiple URLs can be provided using `-u https://example.com https://4rt.one`, or by using a filename: `-u targets.txt`.

To specify an injection point, use `%s`. For example, `-u https://4rt.one?a=b` is equivalent to `-u https://4rt.one/?a=b&%s`.

Supported variables include {{random}}. For instance, `-u https://4rt.one/?something={{random}}` will cause the something parameter to take on new values for every request.

```
-X --method <values>
```

This option specifies the request method.

An example with multiple values: `-X GET POST`

```
-b --body <value>
```

This option specifies the request body.

To specify an injection point, use `%s`. For example, `-b '{"some":"value"}'` is equivalent to `-b '{"some":"value", %s}'`.

Supported variables include `{{random}}`.

```
-H <values>
```

This option specifies the request headers.

For example, `-H "User-Agent: Mozilla" "X-Something: awesome"`.

You can overwrite the default Host header as well.

**NOTE**: Overwriting the `Host` header works properly only with `HTTP/1.1` because there is no `Host` header for `HTTP/2`. Instead, for `HTTP/2`, there is a special `:authority` header, but the tool currently cannot change special `HTTP/2` headers.

**NOTE**: You may encounter some case-related problems. The library that I am using for requests is `reqwest`. It capitalizes the first letter of the header name (or one after `-`) and lowers the rest for `HTTP/1.1`. However, for `HTTP/2` requests, `reqwest` lowers every header name (as per `HTTP/2` specs).

```
--http <1.1/2>
```

This option forces the use of a specific HTTP version. You can specify either `1.1` or `2`.

For example, `--http 1.1` will force the use of `HTTP/1.1`, while `--http 2` will force the use of `HTTP/2`.

### Parameters

The tool's primary purpose is to handle a wide range of situations. To accomplish this, several options have been added that provide precise control over how and where parameters are inserted.

To insert parameters into specific locations, use the `%s` variable.

```
-P --param-template <value>
```

Here, `%k` represents the key, and `%v` represents the value.

For standard GET requests, the parameter template is typically `%k=%v`.

Default values are `%k=%v` for URL-encoded data, `"%k":%v` for JSON, and `%k=%v` for header values.

Examples:

- To search for specific object fields: `-P user[%k]=%v`
- To search for json array values: `-P "%k"`, with `--body '{"arr":[%s]}' --joiner ', '`


```
-j --joiner <value>
```

This argument determines how to join parameters together. For ordinary GET requests, it's `&`.

Default values: for urlencoded `&`, for JSON `,`, for header values `; `

- Custom made XML discovery format: `--body "<root>%s</root>" --joiner "\n" --param-template "<%k>%v</%k>"`


```
-t --data-type <json/urlencoded>
```

Sometimes you need to tell the tool the data type.

For example, when the body isn't provided with the `POST` method. By default, **urlencoded** format will be used. You can change this behavior with `-t json`

```
--encode
```
In some contexts, you may need to encode special characters. `&` becomes `%26`

List of characters to encode: **["`<>&#;/=%]**

For example, when you find an app that forwards a specific parameter to the backend: `-u 'https://4rt.one/v?uid=00000%26%s' --encode`

`https://4rt.one/v?uid=<value>%26param%3dvalue` -> makes request to -> `http://internal/secret?uid=<value>&param=value`

```
--custom-parameters <values> --custom-values <values>
```

Some parameters can often have non-random values like `debug=1`. The tool automatically checks for these cases, but you can overwrite the default values.

Default values:

`--custom-parameters admin bot captcha debug disable encryption env show sso test waf`

`--custom-values 1 0 false off null true yes no`

*Usually, adding an additional custom parameter is free, while adding a custom value costs 1 request per value.*

```
--disable-custom-parameters
```

Disables checking for custom parameters by default.

```
-m --max <uint>
```

Determines how many parameters to send in every request.

By default: for query parameters, it starts with 128 and tries to increase up to 256. With v4.2.0, the logic was improved and the value may even be less than 128. For headers and header values, the default is 64. For the body, the default is 512.

### Behavior

```
--headers
```

Search for headers. By default, the tool sends 64 headers per requests, but this can be configured with the `-m` option.

**Note**: You may encounter all the limitations described in `-H` from [HTTP Request From Command-Line Arguments](#http-request-from-command-line-arguments) section.

```
--invert
```

Sometimes you may need to send parameters via the body with the `GET` method or via query with the `POST` method. By default, parameters are sent within the request body only with the `PUT` and `POST` methods, but it can be overwritten with the `--invert` option.

```
--recursion-depth <uint> [default: 1]
```

Checks the same list of parameters over and over, adding found parameters every run.

*Only parameters that don't change the page's code are added to the next run.*

```
--reflected-only
```

Search only for reflected parameters to reduce the amount of sent requests.

```
--strict
```

Do not report parameters that change the same part of the page. This helps to get rid of mass false positives, such as when all the parameters containing `admin` cause page differences. Note that this can lead to a few false negatives as well. In the future, this option will be replaced with a bit better logic.

### Concurrency

Implemented using async/awaits.

```
-W --workers <uint> [default: 1]
```

This specifies the number of concurrent URL checks.

`-W 0` -- checks all URLs in parallel.

```
--one-worker-per-host
```

This option only checks URLs with different hosts in parallel.

**Note**: This option does not increase the number of workers if there are fewer workers than hosts. You can use `-W 0` for one **worker** per **host**.

```
-c --concurrency <uint> [default: 1]
```

This specifies the number of concurrent jobs for each worker.

### Output

```
-v --verbose <0/1/2> [default: 1]
```

This option determines how much information to print to the console.

The output also depends on the number of parallel URL checks.

- 0 --- prints only the initial configuration, URL configuration, and their found parameters. The progress bar remains but can be disabled with `--disable-progress-bar`.
- 1 --- 0 + prints every discovered parameter's kind if only one URL is being checked in parallel.
- 2 --- 0 + prints every discovered parameter's kind always.

```
-o --output <filename>
```

This option specifies the file where the final output is written.

By default, the file overwrites unless `--append` is provided.

The file is dynamically populated unless the JSON output is used.

```
-O --output-format <standart/json/url/request>
```

This option specifies the output format for the final message about found parameters.

If `--output` is defined, the same message is printed to the file.

**standart**: `<METHOD> <URL> % <PARAMETERS devided by ', '>`

**json**:
```json
[
  {
    "method": "<method>",
    "url": "<url>",
    "status": <status code>,
    "size": <initial page size>,
    "found_params": [
      {
        "name": "<parameter name>",
        "value": "<null or parameter value>",
        "diffs": "<empty or diffs>",
        "status": <status code with this parameter>,
        "size": <page size with this parameter>,
        "reason_kind": "<explained below>"
      }
    ],
    "injection_place": "<where the injection point is -- Path, Body, Headers, HeaderValue>"
  }
]
```

reason_kind can take on 4 values:

- Code --- the parameter changes the page's code.
- Text --- the parameter changes the page's body or headers.
- Reflected --- the parameter reflects on the page different amount of times (compared to non-existing parameters).
- NotReflected --- the parameter causes other parameters to reflect different amount of times.

**url**: `<url>?<parameters devided by '&' with random or specific values>`

**request**: The http request with parameters. Parameter values can be either random or specific like 'true'.

```
--remove-empty
```

This option excludes entries without found parameters from the output file.