Some people asked me about publishing a comparison between x8 and other major tools for parameter discovery: Arjun and Param Miner, so here it is!
Parameter discovery tools help find parameters that may be vulnerable or reveal hidden features. In this post I check the speed and accuracy of these tools. For the tests I used a wordlist of 26k parameters. If you don't have time to read the whole post, go directly to the summary at the end of the page.
Tools
x8 v2.0.0
Used the --disable-custom-parameters flag because none of the other tested tools has this functionality.
arjun v2.1.3
Used the -c 256 flag because the default number of parameters per request is too large and some pages ignore the rest of the parameters or throw errors. I also modified error_handler.py:29 because it makes the tool stop on an HTTP 400 response.
param miner v1.28
Used the disable origin cachebuster, disable basic wordlist, force bucketsize = 256 (otherwise the tool sometimes behaves very badly and sends only 6-12 parameters per request), disable response (this option makes the tool search for parameters in every response; I don't like it because it sometimes increases the number of requests several times) and use custom wordlist options. Default request:
GET /PATH HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept-Charset: utf-8, iso-8859-1;q=0.5, *;q=0.1
Accept-Language: en-US, *;q=0.5
Accept: */*
Targets
To perform the comparison I chose my test domain and a few popular domains (google.com, yandex.ru, github.com, youtube.com), ran a crawler on them and selected the most interesting paths. About the custom targets: 4rt.one and 4rt.one/json contain a lot of different parameters that, I believe, cover most real-life cases.
Results
Accuracy
The following tables show statistics across 10 endpoints.
Parameters found by each tool and how many requests it took
* - sends parameters via a JSON body, 512 parameters per request
** - as_parameters were manually added to the list because I disabled searching for words in the response
Average number of requests needed for 1 parameter
I removed www.google.com/ from the count in this and the second table because 45% of the parameters were found there.
Missing parameters
Speed
The next table shows the speed of each tool. Target: 4rt.one/load?size=n on localhost. The comparisons were run on my laptop:
OS: Arch Linux (kernel 5.12.9-arch1-1)
CPU: Intel i3-7020U
*** - forced to 256 parameters per request, as for the other tools.
Summary
Final thoughts & conclusion
Some of the statistics may be quite inaccurate because of the small number of test endpoints and because the exact number of parameters on each endpoint is unknown, but they still give a rough picture. Most of the time Param Miner and Arjun fail to detect parameters that are reflected a different number of times, and some other difficult cases.
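To make the two failure modes mentioned in this post concrete (pages that ignore or reject the rest of the parameters when a request carries too many of them, and parameters that are reflected a different number of times than the tool expects), here is an added example of the bucket-and-bisect approach all three tools are built on. It is not code from the post or from x8, Arjun or Param Miner. The target (fake_server), its three hidden parameters (q, debug, redirect) and its 300-parameter limit are constructed for the example; a real run would replace fake_server with a function that sends an HTTP request and returns the status code and body.

```python
import random
import string
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]
Sender = Callable[[Dict[str, str]], Response]

# Constructed: the fake endpoint rejects requests carrying more than this many parameters,
# which is the situation that made a 256-parameter bucket necessary in the tests.
MAX_PARAMS = 300


def fake_server(params: Dict[str, str]) -> Response:
    """Constructed stand-in for a target. Hidden parameters: q (reflected twice),
    debug (reflected once, inside a comment), redirect (not reflected, changes status)."""
    if len(params) > MAX_PARAMS:
        return 400, "bad request: too many parameters"
    q = params.get("q", "")
    body = (f"<html><head><title>Search: {q}</title></head><body>"
            f"<input name='q' value='{q}'>")
    if "debug" in params:
        body += f"<!-- debug={params['debug']} -->"
    body += "</body></html>"
    status = 302 if "redirect" in params else 200
    return status, body


def random_value(n: int = 10) -> str:
    return "".join(random.choices(string.ascii_lowercase, k=n))


def garbage(n: int) -> Dict[str, str]:
    """n random, almost certainly non-existent parameters with random values."""
    return {random_value(): random_value() for _ in range(n)}


def calibrate_bucket(send: Sender, start: int = 512) -> int:
    """Halve the bucket size from `start` until a request full of garbage parameters
    gets the same status code as a request with a single garbage parameter."""
    ref_status, _ = send(garbage(1))
    size = start
    while size > 1:
        status, _ = send(garbage(size))
        if status == ref_status:
            break
        size //= 2
    return size


def strip(body: str, values) -> str:
    """Remove every value we sent, so reflections do not count as a body change."""
    for v in values:
        body = body.replace(v, "")
    return body


def find_parameters(send: Sender, wordlist: List[str], bucket: int) -> Dict[str, str]:
    found: Dict[str, str] = {}
    base = garbage(1)
    base_status, base_body = send(base)
    base_norm = strip(base_body, base.values())

    def probe(words: List[str]) -> None:
        values = {w: random_value() for w in words}
        status, body = send(values)
        # Every candidate carries its own unique value, so a reflection is attributed to one
        # parameter without extra requests. Recording the count instead of expecting exactly
        # one hit is what handles parameters reflected 0, 1, 2... times.
        for name, val in values.items():
            n = body.count(val)
            if n:
                found[name] = f"reflected {n}x"
        # Status or reflection-free body changed: some parameter in this bucket matters
        # without being reflected. Bisect until one name remains.
        norm = strip(body, values.values())
        if status != base_status or norm != base_norm:
            if len(words) == 1:
                found.setdefault(words[0], f"changes response (status {status})")
            else:
                half = len(words) // 2
                probe(words[:half])
                probe(words[half:])

    for i in range(0, len(wordlist), bucket):
        probe(wordlist[i:i + bucket])
    return found


if __name__ == "__main__":
    size = calibrate_bucket(fake_server)
    words = ["q"] + [f"w{i}" for i in range(500)] + ["debug"] + [f"x{i}" for i in range(300)] + ["redirect"]
    print("bucket size:", size)
    print(find_parameters(fake_server, words, size))
```

Running it prints a bucket size of 256 (512 is rejected by the constructed 300-parameter limit) and finds q as "reflected 2x", debug as "reflected 1x" and redirect as "changes response (status 302)". A tool that checks only whether a value is reflected exactly once, or that compares raw body lengths without subtracting its own reflected values, misses the first and misattributes the last.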
Feel free to suggest other tools and endpoints on Telegram or Twitter. If you believe you found a mistake in the data, compare the versions of your tools with the tested versions and run the tool at least 3-4 times, because results can differ from run to run. If the versions match and most of the runs give you different results, write to me.