loading
loading
Discovery
Find All Parameters: crawl pages, find potential parameters, and generate a custom parameter wordlist.
overview
fallparams crawls a target's pages and harvests every string that looks like a parameter, then writes them out as a custom wordlist tailored to that application. Instead of fuzzing with a generic parameter list, you get names the app itself exposes, which makes the next stage faster and the hits more relevant.
It works from a single URL, a file of URLs, a stored requests directory for offline analysis, or a raw HTTP request file. Crawling can go several levels deep, run through a proxy, and even use a headless browser to catch parameters that only appear after JavaScript runs. Length filters and threading control the size and speed of the run.
On Trickest, fallparams is a Discovery node that takes a URL or list and writes a file and a folder. Its output is a parameter wordlist, so chain it before a parameter fuzzer like x8 or ffuf to test the discovered names for injection and access-control flaws.
use cases
Crawl a target so the resulting wordlist holds the parameter names the application itself exposes, instead of a generic list full of misses.
Run with a headless browser so parameters that appear only after JavaScript executes get captured alongside the static ones.
Point it at a directory of saved requests and responses to extract parameters without sending any traffic to the target.
Feed the generated wordlist into x8 or ffuf so the fuzzing stage tests realistic names for injection, IDOR, and hidden functionality.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -url | Input URL to analyze for parameters. |
| urls | FILE | -url | Input URLs file for processing many targets. |
| crawl | BOOLEAN | -crawl | Crawl pages to extract their parameters. |
| depth | STRING | -depth | Maximum depth to crawl (default 2). |
| headless | BOOLEAN | -headless | Discover parameters with a headless browser. |
| dir | FOLDER | -dir | Stored requests/responses directory for offline analysis. |
| thread | STRING | -thread | Number of threads (default 1). |
| proxy | STRING | -proxy | Proxy URL (SOCKS5 or HTTP), e.g. http://127.0.0.1:8080. |
Showing key inputs. fallparams exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| dir | FOLDER | -dir | Stored requests/responses files directory path (offline) |
| url | STRING | -url | Input URL |
| body | STRING | -body | POST data |
| urls | FILE | -url | Input URLs file |
| crawl | BOOLEAN | -crawl | Crawl pages to extract their parameters |
| delay | STRING | -delay | Request delay between each request in seconds |
| depth | STRING | -depth | maximum depth to crawl (default 2) |
| proxy | STRING | -proxy | Proxy URL (SOCKS5 or HTTP). For example: http://127.0.0.1:8080 or socks5://127.0.0.1:8080 |
| header | STRING | -header | Header "Name: Value", separated by colon. Multiple -H flags are accepted. |
| method | STRING | -method | HTTP method to use (default "GET") |
| silent | BOOLEAN | -silent | Disables the banner and prints output to the command line. |
| thread | STRING | -thread | Number Of Threads [Number] (default 1) |
| request | FILE | -request | File containing the raw http request |
| headless | BOOLEAN | -headless | Discover parameters with headless browser |
| max-length | STRING | -max-length | Maximum length of words (default 30) |
| min-length | STRING | -min-length | Minimum length of words |
| crawl-duration | STRING | -crawl-duration | maximum duration to crawl the target |
| disable-update-check | BOOLEAN | -disable-update-check | Disable automatic fallparams update check |
example
# crawl a target two levels deep, including JS-rendered pages, and build a parameter wordlistfallparams -url https://example.com -crawl -depth 2 -headlessidpageqredirectlangreftokencsrfcallback… (custom parameter wordlist written for the real run behind this page)guidance
Use fallparams to mine an application for its real parameter names and emit a custom wordlist before fuzzing. It discovers names, it does not test them, so follow it with x8 or ffuf. For passive URL collection, pair it with gau or katana.
Mines parameters from web archives. Passive and archive-sourced, where fallparams crawls live.
Tests parameters by hidden-parameter discovery. Run it after fallparams on the generated wordlist.
Brute-forces parameters from a built-in list. fallparams instead builds a target-specific list to feed it.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
A URL feeds fallparams, which crawls it into a parameter wordlist that x8 then tests, writing the confirmed parameters as output.
Facts on this page come from the live Trickest tool library.