Arjun: Comprehensive Guide to HTTP Parameter Discovery, Fuzzing, and Security Testing
1. Introduction
Web applications often hide sensitive resources such as admin panels, backups, or development directories, and the request parameters that reach them are frequently unlisted. Discovering these hidden parameters is crucial for penetration testing.
Arjun is a command-line HTTP parameter discovery tool written in Python that automates the process of enumerating GET and POST parameters, performing parameter fuzzing, and helping ethical hackers identify potential attack surfaces.
Unlike directory brute-forcers such as GoBuster, Arjun focuses specifically on HTTP parameter discovery, making it invaluable for testing web forms, APIs, and hidden scripts.
2. Installation
2.1 Installing on Kali Linux / Ubuntu / Debian
The simplest way to install Arjun is through the APT package manager:
sudo apt update
sudo apt install arjun -y
Verify installation:
arjun --help
Simulated output (option names differ between Arjun releases, so check the help text of the installed version):
Arjun v2.0.1 - HTTP parameter discovery tool
Usage: arjun -u <url> [options]
Options:
-u, --url Target URL
-o, --output Save results to a file
-m, --method Request method (GET or POST)
-c, --cookie HTTP cookie
--headers Custom headers
-t, --threads Number of concurrent threads
--timeout Request timeout
2.2 Installing on Other Linux Distributions
If the package is not available via APT, you can still install via GitHub:
sudo apt update
sudo apt install python3 python3-pip git -y
git clone https://github.com/s0md3v/Arjun.git
cd Arjun
pip3 install -r requirements.txt
python3 arjun.py --help
2.3 Windows Installation
- Install Python 3.x
- Clone Arjun:
git clone https://github.com/s0md3v/Arjun.git
- Install dependencies:
pip install -r requirements.txt
- Run:
python arjun.py --help
3. Understanding HTTP Parameters
Web applications accept data through parameters in GET and POST requests. Examples:
GET Parameters:
http://example.com/page.php?id=123&user=admin
POST Parameters:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

username=admin&password=12345
Finding hidden or unlisted parameters is critical for security testing and discovering vulnerabilities like SQL Injection, XSS, and LFI.
4. Basic GET Parameter Discovery
4.1 Discovering Parameters Automatically
arjun -u http://example.com/page.php
Output:
GET parameters discovered:
id
user
token
Explanation:
- Arjun scans the URL and identifies existing GET parameters.
- These parameters can then be tested for security vulnerabilities.
4.2 Using Custom Wordlists
arjun -u http://example.com/page.php --data GET --level 2
Output Example:
GET parameters discovered:
id
user
token
session
debug
- --level 2 increases the depth of parameter testing.
5. POST Parameter Discovery
5.1 Basic POST Scan
arjun -u http://example.com/login.php -m POST
Output:
POST parameters discovered:
username
password
remember_me
csrf_token
5.2 Testing Custom POST Data
arjun -u http://example.com/login.php -m POST --data "username=FUZZ&password=FUZZ"
Output:
POST parameters discovered:
username
password
otp
security_question
- Replace FUZZ with wordlist values to test optional or hidden parameters.
6. Parameter Fuzzing
6.1 Fuzzing GET Parameters
arjun -u "http://example.com/page.php?id=FUZZ"
Output:
GET parameters discovered:
id
user
token
debug
admin
- Reveals hidden parameters like debug and admin.
6.2 Fuzzing Multiple Parameters
arjun -u "http://example.com/search.php?query=FUZZ&cat=FUZZ"
Output:
Discovered parameters:
query
cat
page
filter
sort
6.3 Authenticated Scans with Headers and Cookies
arjun -u http://example.com/dashboard.php -m GET --cookie "PHPSESSID=12345" --headers "User-Agent:Mozilla/5.0"
Output:
Discovered GET parameters:
dashboard_id
admin
theme
- Helps discover parameters accessible only to authenticated users.
7. Multi-threaded Scanning
arjun -u http://example.com/page.php -t 50
- -t sets the number of concurrent threads for faster scanning.
8. Saving Results
arjun -u http://example.com/page.php -o arjun_results.txt
- Saves discovered parameters to a file for reporting.
9. Real-World Use Cases
- Hidden admin endpoints: debug and admin parameters not listed in navigation.
- POST parameter discovery: otp and security_question fields for authentication testing.
- Authenticated scans: session cookies reveal hidden dashboard parameters.
- Fuzzing discovers optional or deprecated parameters forgotten by developers.
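On the defending side, the wordlist-driven scans from sections 4 to 6 appear in access logs as one client trying many undocumented parameter names against one endpoint. The Python script below is an added example, not part of Arjun or of the original guide; the log format, the KNOWN_PARAMS allowlist, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Jan/2025:10:00:01 +0000] "GET /page.php?id=123&user=admin HTTP/1.1" 200 512
198.51.100.20 - - [10/Jan/2025:10:00:02 +0000] "GET /page.php?id=124&utm_source=mail HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /page.php?debug=1&admin=1&test=1 HTTP/1.1" 200 498
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /page.php?session=1&role=1&cmd=1 HTTP/1.1" 200 498
"""

# Assumption: the parameters each endpoint is documented to accept.
KNOWN_PARAMS = {"/page.php": {"id", "user", "token"}}

# client IP, request target; method limited to GET/POST as in the guide.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}'
)


def find_param_enumeration(log_text, known=KNOWN_PARAMS, threshold=5):
    """Return {(client, path): sorted unknown names} for every client that
    sent at least `threshold` distinct undocumented parameter names to a path."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, target = match.groups()
        parts = urlsplit(target)
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        # Accumulate across requests: a scan spreads its guesses over many lines.
        seen[(client, parts.path)] |= names - known.get(parts.path, set())
    return {key: sorted(v) for key, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (client, path), names in find_param_enumeration(SAMPLE_LOG).items():
        print(f"{client} probed {path} with {len(names)} unknown parameters: {names}")
```

Access logs record only the query string, so POST-body discovery as in section 5 needs application-level logging of the field names received.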
10. Best Practices
- Always test on authorized targets.
- Combine Arjun with Burp Suite, OWASP ZAP, and Nikto.
- Start with GET scans, then POST, then parameter fuzzing.
- Save outputs for reporting and remediation guidance.
- Combine with SQLMap or XSS testing on discovered parameters.
11. Conclusion
Arjun is a highly effective tool for discovering GET and POST parameters, including hidden ones. By automating parameter discovery and fuzzing, it saves hours of manual testing and exposes attack surfaces that may otherwise be overlooked.
When integrated into a full pentesting workflow with Burp Suite or other tools, Arjun ensures thorough web application security assessments.