x8-Burp – Hidden parameters discovery suite wrapper
The tool helps to find hidden parameters that can be vulnerable or can reveal interesting functionality that other hunters miss. Greater accuracy is achieved thanks to the line-by-line comparison of pages, comparison of response code, and reflections.
- Select multiple requests from the Proxy or Repeater tab.
- Each selected request is executed in a separate thread.
- Automatic Issue creation when a hidden parameter is found.
- HTTP/2 Support.
- Requests with detected parameters are visible in the Proxy tab.
- The issue is added with severity Information when WAF is detected.
- Automatic detection of the injection point. If the request body exists, then parameters in URL-Query are ignored.
- Custom injection points can be defined using%s or &%s
- There are four search choices available:
- Small Wordlist (Recommended, 25000 words, 7 threads)
- Large Wordlist (63000 words, 25 threads)
- x8083 – all requests will be proxied via port 8083 (for example, you can configure the port in burp)
- Debug Params – the minimum number of requests to detect only debug parameters and parameters based on response
Feel free to check whether the tool works as expected and compare it with other tools at https://4rt.one/. There are 2 reflected parameters, 4 parameters that change code/headers/body, and one extra parameter with a not random value.
Copyright (C) 2021 Impact-l
Source: Penetration Testing