Parameter discovery tools comparison

Thu, Jul 1, 2021 4-minute read

Some people asked me about publishing a comparison between x8 and other major tools for parameter discovery: Arjun and Param Miner, so here it is!

Parameter discovery tools help find parameters that may be vulnerable or may reveal hidden features. In this post, I am going to check the speed and accuracy of these tools. For the tests, I used a wordlist with 26k parameters. If you don’t have time to read the whole post, you can go directly to the summary at the end of the page.

Tools

x8 v2.0.0

Used the --disable-custom-parameters flag because none of the other tested tools has this functionality.

arjun v2.1.3

Used the -c 256 flag because the initial number of parameters per request is too large: some pages ignore the rest of the parameters or throw errors. Also, I modified error_handler.py:29 because it causes the tool to stop on an HTTP 400 response.

param miner v1.28

Used the following flags: disable origin cachebuster, disable basic wordlist, force bucketsize = 256 (otherwise it sometimes works very badly and sends only 6-12 parameters per request), disable response (this flag concerns searching for parameters in every response; I don’t like that feature because it sometimes increases the number of requests by a few times), and use custom wordlist.
Default request:

GET /PATH HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Accept-Charset: utf-8, iso-8859-1;q=0.5, *;q=0.1
Accept-Language: en-US, *;q=0.5
Accept: */*
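The bucket-size remarks above for arjun (-c 256) and param miner (force bucketsize = 256) both come down to the same mechanism: the tools send many candidate names in one request and narrow down the bucket only when the response changes. The following added example (my own illustration, not code from x8, Arjun or Param Miner) models that in Python against a constructed target function instead of a real server. The target, the hidden parameter names, the 1024-name wordlist and the cap of 300 honoured parameters per request are all assumptions chosen to show the failure mode the post mentions, where a page silently ignores parameters past a certain count.

```python
"""Toy model of batched parameter discovery with bucket narrowing.

Added example for this post; it is not code from x8, Arjun or Param Miner.
The target is a constructed Python function, not a real server: it reflects
any parameter it recognises and silently ignores every parameter after a
hypothetical cap, which is the "pages ignore the rest of the parameters"
behaviour that motivates a bucket size of 256.
"""
from typing import Callable, Dict, List, Set, Tuple

# Constructed data: parameters the fake target understands, and a hypothetical
# cap on how many query parameters it honours per request.
HIDDEN_PARAMS: Set[str] = {"admin", "copy", "email", "facebook", "test", "z"}
MAX_HONOURED = 300


def fake_target(params: Dict[str, str], max_honoured: int = MAX_HONOURED) -> str:
    """Stand-in for an HTTP endpoint: reflects recognised parameters, drops the rest."""
    honoured = list(params.items())[:max_honoured]
    reflected = "".join(f"<p>{k}={v}</p>" for k, v in honoured if k in HIDDEN_PARAMS)
    return f"<html>{reflected}</html>"


def discover(send: Callable[[Dict[str, str]], str],
             wordlist: List[str],
             bucket_size: int) -> Tuple[Set[str], int]:
    """Find parameters that change the response, sending `bucket_size` names at once.

    Returns (found parameter names, number of requests sent).
    A bucket whose response differs from the baseline is split in half and each
    half is probed again, down to single names; a bucket that matches the
    baseline is discarded after one request.
    """
    requests = 0

    def probe(names: List[str]) -> str:
        nonlocal requests
        requests += 1
        # Distinct constructed values so that reflections are attributable.
        return send({name: f"probe{i}" for i, name in enumerate(names)})

    baseline = probe([])  # one request with no candidate parameters
    found: Set[str] = set()

    def narrow(names: List[str]) -> None:
        if probe(names) == baseline:
            return  # nothing in this bucket changed the response
        if len(names) == 1:
            found.add(names[0])
            return
        mid = len(names) // 2
        narrow(names[:mid])
        narrow(names[mid:])

    for start in range(0, len(wordlist), bucket_size):
        narrow(wordlist[start:start + bucket_size])
    return found, requests


def build_wordlist() -> List[str]:
    """Constructed 1024-name wordlist with the hidden names at fixed positions."""
    words = [f"p{i:04d}" for i in range(1024)]
    for pos, name in [(5, "admin"), (100, "copy"), (200, "email"),
                      (250, "facebook"), (900, "test"), (1000, "z")]:
        words[pos] = name
    return words


def requests_per_parameter(found: Set[str], requests: int) -> float:
    """The metric used in the post's tables: total requests divided by parameters found."""
    return requests / len(found) if found else float("inf")


if __name__ == "__main__":
    wl = build_wordlist()
    for size in (256, 512):
        found, n = discover(fake_target, wl, size)
        print(f"bucket={size}: {len(found)}/{len(HIDDEN_PARAMS)} found, "
              f"{n} requests, {requests_per_parameter(found, n):.1f} req/param")
```

With a bucket of 256 every name is honoured and all six hidden parameters are found in 85 requests; with a bucket of 512 the second bucket's hidden names sit past the cap of 300, the whole bucket looks identical to the baseline and both are missed, even though the run is cheaper at 57 requests. That is why a too-large bucket lowers accuracy without any error being reported by the target.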

Targets

To perform the comparison I chose my test domain and a few popular domains like google.com, yandex.ru, github.com and youtube.com, then ran a crawler on these domains and selected the most interesting paths.
Some info about the custom targets: 4rt.one and 4rt.one/json contain a lot of different parameters that, I believe, cover most real-life cases.

Results

Accuracy

The following tables show the statistics across 10 endpoints.

Parameters found by each tool and how many requests it took

x8
target                          requests  parameters
4rt.one                         231       admin, copy, email, facebook, test, z
* 4rt.one/json?filename=sth     104       email, role, tag, username
www.google.com                  217       37 parameters: ad, client, complete, cr, dnr, domains, gc, gcs, gl, gll, gm, gpc, gr, h, host, hq, imgtype, imgurl, interests, lr, lsf, pws, q, query, rcu, rls, rlz, sab, si, sie, sky, sz, tbm, tnm, ur, v, w
www.google.com/services         147       rs, sqp
www.google.com/advanced_search  156       as_epq, as_eq, as_filetype, as_nhi, as_nlo, as_oq, as_q, as_sitesearch, cr, q, query, tbm
yandex.ru/company               165       from, tag
github.com/about                148       page, q, return_to, utm_campaign, utm_medium, utm_source, utm_term
www.youtube.com/about/          147       rs, sqp
www.youtube.com/t/terms         130       auth
www.youtube.com/new             156       auth, bp, cbr, cos, pbj, spf

arjun
target                          requests  parameters
4rt.one                         167       z, facebook, test, email
* 4rt.one/json?filename=sth     infinite loop of requests
www.google.com                  119       tbm
www.google.com/services         135       rs, sqp
www.google.com/advanced_search  124       tbm
yandex.ru/company               103
github.com/about                133       page, id
www.youtube.com/about/          133       rs, sqp
www.youtube.com/t/terms         106       auth
www.youtube.com/new             105

param miner
target                             requests  parameters
4rt.one                            372       copy, test, z
* 4rt.one/json?filename=sth        132       email, tag, username
www.google.com                     1178      ad, client, complete, cr, domains, tbm, tnm, lr, pws, rcu, rlz, tnm, ur
www.google.com/services            255       rs, sqp
** www.google.com/advanced_search  429       as_epq, as_eq, as_filetype, as_nhi, as_nlo, as_oq, as_q, as_sitesearch, cr, q, query, tbm
yandex.ru/company                  294       from, tag
github.com/about                   132
www.youtube.com/about/             253       rs, sqp
www.youtube.com/t/terms            179       auth
www.youtube.com/new                292       auth, bp

* - parameters were sent via a JSON body, 512 parameters per request
** - the as_ parameters were manually added to the list because I disabled searching for words in the response

Average number of requests needed for 1 parameter

tool         requests per parameter
x8           54
arjun        85
param miner  118

I excluded www.google.com/ from the counts in this table and the next one because 45% of the parameters were found there.

Missing parameters

tool         count  %
x8           1      2
arjun        29     70
param miner  16     36

Speed

The next table shows the speed of each tool. The target used was 4rt.one/load?size=n on localhost. The comparison was made on my laptop with:
OS: 5.12.9-arch1-1
CPU: Intel i3-7020U

tool              size=10 (300kb)  size=25 (750kb)  size=50 (1500kb)  speed
*** x8            10.144s          22.232s          44.784s           1
x8, 7 threads     9.360s           22.085s          44.288s
arjun             14.174s          28.956s          52.904s           0.8
arjun, 7 threads  13.161s          28.821s          53.768s
param miner       10s              37s              61s               0.71

*** - forced 256 parameters per request, as in the other tools.

Summary

#  tool         requests per parameter  accuracy  speed
1  x8           54                      98%       1
2  param miner  118                     64%       0.71
3  arjun        85                      30%       0.8

Final thoughts & conclusion

Some of these stats can be quite inaccurate due to the small number of test endpoints and the inability to know the exact number of parameters, but they still show a rough picture. Most of the time param miner and arjun fail to detect parameters with a different number of reflections, as well as some other difficult cases.

Feel free to suggest other tools and endpoints on Telegram or Twitter. If you believe you found a mistake in the data, compare the versions of your tools with the tested versions and make sure you run the tool at least 3-4 times, because results can differ from run to run. If the tool versions are correct and most of the runs give you different results, write to me.