A Newbie’s Guide To Bug Bounty Hunting: Navigating the world of finding parameters and parameter brute forcing
Welcome back to my blog, where I share my experiences as a cybersecurity enthusiast and bug bounty hunter. As you may recall from my previous post, I am currently in the reconnaissance phase of bug bounty hunting, where I gather as much information about a target as possible before moving on to exploitation.
In today’s post, I will be sharing the tools that I use in this journey and how I use them. My previous blog covered how I used Project Discovery’s Chaos website to easily find subdomains, and how I used the tool httpx to check for subdomains that are alive, remove false positives, and check the tech stack of a website. Today, I will be discussing how I use two Python tools, paramspider and arjun, to find and brute force parameters.
First, I opened my terminal on my Linux machine and went to the paramspider git repository on GitHub using Firefox. I then cloned the repository onto my system and changed the directory to the folder where it was downloaded. I installed the requirements for the tool to work using the command “pip3 install -r requirements.txt”. To use the tool, I simply used the command “python3 paramspider.py -d example.com” in the same directory. This gave me all the parameters of the website and the ability to fuzz them for different vulnerabilities. The tool also saved an output file for me to look at in the exploitation phase.
Another tool that I use for a similar purpose is arjun. It was a similar process to install, but it seemed simpler. I installed it using the command “pip3 install arjun”, and it was installed. However, I faced another roadblock: when I wanted to display the help menu in the terminal using the command “arjun --help”, it gave me an error. I had skipped a process where I was supposed to set the tool up after installing it. I realized that I could install it using the command “sudo apt install arjun” because it was in the Kali Linux tools repository. Once I had set it up properly, I was able to use the tool by using the command “arjun -u https://example.com” in the terminal. This gave me some parameters, and I used the command line tool cURL (Client URL) to check the behaviour of the URLs in the terminal when I sent or received a request using the command “curl https://example.com/?parameter”. The coolest part about the tool arjun is that you can use a word list (it uses a default word list to brute force parameters), and it has a variety of flags to specify what you want to do with the tool.
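From the defender's side, the parameter brute forcing described above tends to show up in web access logs as one client using many distinct query parameter names on the same path. The following is an added example, not part of the original post or of arjun; the common log format, the threshold of 20 names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Matches the start of a common/combined log format line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}'
)

def param_names(target):
    """Return (path, set of query parameter names) for a request target."""
    parts = urlsplit(target)
    # keep_blank_values=True so a bare "?parameter" still counts as a name
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return parts.path, names

def find_param_sweeps(lines, threshold=20):
    """Flag (client, path) pairs that used more than `threshold` distinct names."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, names = param_names(m["target"])
        seen[(m["ip"], path)].update(names)
    return {key: len(names) for key, names in seen.items() if len(names) > threshold}

def build_sample():
    """Constructed log lines: one ordinary client, one sweeping parameter names."""
    ts = "[10/Jan/2024:12:00:00 +0000]"
    lines = [
        f'198.51.100.7 - - {ts} "GET /search?q=shoes&page=2 HTTP/1.1" 200 512',
        f'198.51.100.7 - - {ts} "GET /search?q=boots HTTP/1.1" 200 498',
    ]
    # Three requests carrying 15 constructed names each (45 distinct names).
    for batch in range(3):
        query = "&".join(f"p{batch * 15 + i}=1" for i in range(15))
        lines.append(f'203.0.113.9 - - {ts} "GET /search?{query} HTTP/1.1" 200 500')
    return lines

if __name__ == "__main__":
    for (ip, path), count in find_param_sweeps(build_sample()).items():
        print(f"{ip} sent {count} distinct parameter names to {path}")
```

The threshold needs tuning per application, since a legitimate form or API endpoint can carry many parameters of its own.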
In conclusion, my journey in bug bounty hunting and cybersecurity is constantly evolving, and I hope you enjoyed following along. Until we meet again, happy reading!