loading
loading
Fuzzing
Find URL parameters from the web archives of a domain.
overview
ParamSpider pulls parameterized URLs for a domain from web archives, mining historical pages for query strings that an attacker could test. It covers subdomains as well, and because it reads archived data it never sends a request to the target, which keeps the discovery passive and quiet.
The point is to build a clean list of injectable URLs fast. It can exclude URLs by file extension to drop static assets, dig for nested parameters at a chosen depth, and swap each parameter value for a placeholder so the output is ready to hand to a fuzzer without further cleanup.
On Trickest, ParamSpider takes a domain and writes a file and a folder of parameterized URLs. Use it as the parameter-collection stage feeding an injection tester such as a redirect, XSS, or SQLi fuzzer, so testing runs against URLs that carry parameters.
use cases
Mine a domain's web archives for URLs with query strings, so you get a clean list of injectable endpoints without touching the target.
Leave the subdomain exclusion off so the run covers the domain and its subdomains, widening the parameter set in one pass.
Exclude URLs by extension to strip images, fonts, and scripts, keeping only the dynamic endpoints worth testing.
Use a custom placeholder so each parameter value is marked, handing an injection tester URLs that are ready to fuzz.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| domain | STRING | --domain | Domain to mine for parameters. |
| exclude-subdomain | STRING | --subs | Exclude subdomains; omit to mine the domain and its subdomains together. |
| exclude-url-extension | STRING | --exclude | Exclude URLs with the given file extensions (e.g. png,jpg,css). |
| nested-parameters | STRING | --level | Depth for finding nested parameters (e.g. high). |
| custom-placeholder | STRING | --placeholder | Placeholder that replaces each parameter value (default FUZZ). |
Showing key inputs. paramspider exposes 5 inputs in total.
example
# mine parameterized URLs from archives, drop static assets, mark values with FUZZparamspider --domain example.com --exclude png,jpg,css,woff --level high --placeholder FUZZ[INFO] Fetching URLs for example.com from the Wayback Machine[INFO] Found 214 URLs, extracting parameters[INFO] Output saved to output/example.com.txthttps://example.com/index.php?id=FUZZhttps://example.com/search?q=FUZZ&page=FUZZhttps://api.example.com/v1/user?uid=FUZZhttps://shop.example.com/product?sku=FUZZ&ref=FUZZhttps://example.com/go?redirect=FUZZhttps://blog.example.com/post?year=FUZZ&slug=FUZZguidance
Reach for ParamSpider to build a list of parameterized URLs from archives without touching the target. It finds parameters, it does not test them, so follow it with an injection fuzzer. For active crawling of the live site, use katana or gospider instead.
Pulls all archived URLs, not just parameterized ones. ParamSpider focuses on URLs that carry query parameters.
Discovers parameters by crawling and analysis. ParamSpider sources them passively from archives.
Brute-forces hidden parameters against a live target. ParamSpider mines known ones from history instead.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
A domain feeds ParamSpider, which mines parameterized URLs from archives and passes them to dalfox for testing before the results land as output.
Facts on this page come from the live Trickest tool library.