• Stars
    star
    148
  • Rank 249,983 (Top 5 %)
  • Language
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Unofficial documentation for the great tool Param Miner

param-miner-doc

Unofficial documentation for the great tool Param Miner by James 'albinowax' Kettle.

Motivation

I've used Param Miner for quite a long time but what many of it's checkboxes do remained a mystery for me. This repo aims to shine some light on purpose and use cases for some non obvious parameters of Param Miner. Information gathered here origins mostly from reading the source code.

Attack Config

Parameter name Description
Add 'fcbz' cachebuster Param Miner adds fcbz=1 URL parameter to every request in order to avoid cache hits.
learn observed words Param Miner extracts words from responses and saves them to current session's parameter wordlist.
only report unique params Don't report the same parameter on multiple endpoints
use basic wordlist Use headers and params wordlists from Param Miner's repo.
use custom wordlist Self explanatory.
bruteforce When wordlists run out, switch to an never-ending raw bruteforce
dynamic keyload ??? This is the hard one - in order to understand it first need to understand how Param Miner works internally. Mostly related to ParamGuesser.addNewKeys function.
max one per host+status ???
enable auto-mine Param Miner will execute launchScan on every response processed at Proxy tab. Think of it like making Param Miner press Guess * buttons on every in-scope request for you. Also without it all other auto-* checkboxes won't take an effect.
auto-mine cookies Automatically launch cookie-guessing attacks based on your proxy traffic
auto-nest params ??? This is the tough one, need further investigation. First it finds the most frequently occuring prefix and then uses it here.
try cache poison When a header is detected, test if it can be used for web cache poisoning attacks
try -_ bypass For every HTTP header with at least one dash Param Miner will replace dashes - with underscores _ and add resulting header to wordlist. Here is good explanation of why this works.
rotation interval ???
force bucketsize Force how many parameters should be tested in a single packet against a single URL
max param length Determines maximum length for params parsed from response. Params with greater length truncated to this limit but not ignored! Note: it doesn't affect params supplied by any of wordlists.

Also when determining a bucket size max param length is used as length of dummy parameters in trial payloads.
Add dynamic cachebuster Automatically add a cache buster to commonly keyed headers in any requests sent through Burp's manual testing tools. Reference: Detecting an unkeyed query string
skip boring words Skip headers from boring_headers wordlist.
response Get words from HTTP response, normalize them and add to current session's parameter wordlist.
use bonus wordlist Use wordlists from Param Miner's repo. Normally used to include functions and words wordlists however if use basic wordlist isn't checked it will also add headers or params according to parameter type.
custom wordlist path Path to user supplied wordlist of parameters. Note: it'll take an effect only when use custom wordlist is checked.
skip uncacheable Skips cookie and header params if no-cache string found in response. Perhaps it's useful if you're looking for cache poisoning attacks and you want to skip responses that won't be cached anyways.
max one per host Related to rate-limiting. Perhaps don't allows to run more than 1 attack against a given host at a time.
scan identified params Run Burp Scanner on identified parameters.
auto-mine headers Automatically launch header-guessing attacks based on your proxy traffic
auto-mine params Automatically launch param-guessing attacks based on your proxy traffic
fuzz detect Appends <a`'"${{\ to input values to try and detect better-hidden params. It's disabled by default because such headers upset various systems including a certain well known social network. Some parameters will be used in a SQL statement or suchlike but not visibly affect the response. Fuzz based detection is trying to cause a backend syntax error to increase the chance of a visible response difference.
try method flip For every non-GET request will use Burp's toggleRequestMethod which can be used to toggle a request's method between GET and POST. Parameters are relocated between the URL query string and message body as required, and the Content-Length header is created or removed as applicable. Finally results in this branch getting executed which tries to identify new parameters by making non-GET requests as GET requests.
thread pool size This sets the maximum number of concurrent attacks.
rotation increment Parameter to limit the overall amount of attack-cycles (per default: 4)
max bucketsize Maximum number of parameters probed in one request. Note that for JSON parameters maximum bucketsize is 256.

Contribution

If you've found a mistake or just want to add something please fill free to create an Issue or even a Pull Request!