1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
Source: arjun
Section: misc
Priority: optional
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Uploaders: Guilherme de Paula Xavier Segundo <guilherme.lnx@gmail.com>
Rules-Requires-Root: no
Build-Depends: debhelper-compat (= 13),
dh-sequence-python3,
python3-setuptools,
python3-all
Standards-Version: 4.7.0
Homepage: https://github.com/s0md3v/Arjun
Vcs-Browser: https://salsa.debian.org/pkg-security-team/arjun
Vcs-Git: https://salsa.debian.org/pkg-security-team/arjun.git
Package: arjun
Architecture: all
Depends: ${python3:Depends},
${misc:Depends}
Description: HTTP parameter discovery suite
This package can find query parameters for URL endpoints.
.
Web applications use parameters (or queries) to accept user input, take the
following example into consideration.
.
http://api.example.com/v1/userinfo?id=751634589
.
This URL seems to load user information for a specific user id, but what if
there exists a parameter named admin which when set to True makes the endpoint
provide more information about the user?
This is what Arjun does, it finds valid HTTP parameters with a huge default
dictionary of 25,890 parameter names.
It takes less than 10 seconds to go through this huge list while making just
50-60 requests to the target.
.
Some features:
- Supports GET/POST/POST-JSON/POST-XML requests;
- Automatically handles rate limits and timeouts;
- Export results to: BurpSuite, text or JSON file;
- Import targets from: BurpSuite, text file or a raw request file;
- Can passively extract parameters from JS or 3 external sources.
.
Arjun is useful for penetration testing (PENTEST) and network security
analysis, serving as OSINT.
|
