loading
loading
Fuzzing
Find hidden parameters that other hunters miss.
overview
x8 finds hidden query or body parameters by sending candidate names and watching for response differences that reveal interesting or vulnerable params.
Wordlists, methods, delays, and size caps keep the search controlled against rate-limited apps.
Use it on known endpoints after crawling when you suspect undocumented parameters behind a stable path.
source github.com/Sh1Yo/x8
use cases
Brute-force parameter names against a live endpoint and keep only the ones that change the response, exposing inputs the application never advertised.
Switch the injection point to the request body or headers to surface parameters that only take effect on POST, PUT, or in specific headers.
Hand the discovered parameters to a fuzzer or injection scanner so testing targets real, server-honored inputs instead of guessed ones.
Use strict comparison and the verify pass so reported parameters are confirmed against a baseline, not artifacts of a noisy page.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| max | STRING | --max | Change the maximum number of parameters per request. (default is <= 256 for query, 64 for headers and 512 for body) |
| url | STRING | --url | You can add a custom injection point with %s. Multiple values are supported: https://url1 http://url2 |
| body | STRING | --body | Example body: '{"x":{%s}}' |
| http | STRING | --http | HTTP version. Supported versions: --http 1.1, --http 2 |
| port | STRING | --port | Port to use with request file |
| test | BOOLEAN | --test | Prints request and response |
| delay | STRING | --delay | Delay between requests in milliseconds [default: 0] |
Showing key inputs. x8 exposes 46 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| max | STRING | --max | Change the maximum number of parameters per request. (default is <= 256 for query, 64 for headers and 512 for body) |
| url | STRING | --url | You can add a custom injection point with %s. Multiple values are supported: https://url1 http://url2 |
| body | STRING | --body | Example body: '{"x":{%s}}' |
| http | STRING | --http | HTTP version. Supported versions: --http 1.1, --http 2 |
| port | STRING | --port | Port to use with request file |
| test | BOOLEAN | --test | Prints request and response |
| delay | STRING | --delay | Delay between requests in milliseconds [default: 0] |
| force | BOOLEAN | --force | Force searching for parameters on pages > 25MB. Remove an error in case there's 1 |
| proto | STRING | --proto | Protocol to use with request file (default is "https") |
| proxy | STRING | --proxy | Proxy |
| encode | BOOLEAN | --encode | Encodes query or body before making a request, i.e & -> %26, = -> %3D |
| invert | BOOLEAN | --invert | By default, parameters are sent within the body only in case PUT or POST methods |
| joiner | STRING | --joiner | How to join parameter templates. Example: --joiner '&'. Default: urlencoded - '&', json - ', ', header values - '; ' |
| method | STRING | --method | Multiple values are supported: -X GET POST |
| strict | BOOLEAN | --strict | Only report parameters that have changed the different parts of a page |
| verify | BOOLEAN | --verify | Verify found parameters. |
| headers | STRING | -H | Example: 'one:one' 'two:two' |
| request | FILE | --request | The file with the raw http request |
| timeout | STRING | --timeout | HTTP request timeout in seconds. [default: 15] |
| verbose | STRING | --verbose | Verbose level 0/1/2 [default: 1] |
| workers | STRING | --workers | The number of concurrent url checks. [default: 1] |
| split-by | STRING | --split-by | Split the request into lines by the provided sequence. By default splits by \r, \n and \r\n |
| url-list | FILE | --url | You can add a custom injection point with %s. Multiple values are supported: https://url1 http://url2 |
| wordlist | FILE | --wordlist | -w, --wordlist <wordlist> |
| data-type | STRING | --data-type | -t, --data-type <data-type> |
| concurrency | STRING | -c | The number of concurrent requests per url [default: 1] |
| replay-once | BOOLEAN | --replay-once | If a replay proxy is specified, send all found parameters within one request. |
| check-binary | BOOLEAN | --check-binary | Check the body of responses with binary content types |
| remove-empty | BOOLEAN | --remove-empty | Skip writing to file outputs of url:method pairs without found parameters |
| replay-proxy | STRING | --replay-proxy | Request target with every found parameter via the replay proxy at the end. |
| custom-values | STRING | --custom-values | Values for custom parameters (default is "1 0 false off null true yes no") |
| mimic-browser | BOOLEAN | --mimic-browser | Add default headers that browsers usually set. |
| output-format | STRING | --output-format | standart, json, url, request [default: standart] |
| disable-colors | BOOLEAN | --disable-colors | Disable colors |
| learn-requests | STRING | --learn-requests | Set the custom number of learn requests. [default: 9] |
| param-template | STRING | --param-template | %k - key, %v - value. Example: --param-template 'user[%k]=%v'. Default: urlencoded - <%k=%v>, json - <"%k":%v>, headers - <%k=%v> |
| reflected-only | BOOLEAN | --reflected-only | Disable page comparison and search for reflected parameters only. |
| recursion-depth | STRING | --recursion-depth | Check the same list of parameters with the found parameters until there are no new parameters to be found. Conflicts with --verify for now. |
| disable-trustdns | BOOLEAN | --disable-trustdns | Can solve some dns related problems |
| follow-redirects | BOOLEAN | --follow-redirects | Follow redirections |
| progress-bar-len | STRING | --progress-bar-len | [default: 26] |
| custom-parameters | STRING | --custom-parameters | Check these parameters with non-random values like true/false yes/no (default is "admin bot captcha debug disable encryption env show sso test waf") |
| one-worker-per-host | BOOLEAN | --one-worker-per-host | Multiple urls with the same host will be checked one after another, |
| disable-progress-bar | BOOLEAN | --disable-progress-bar | Disable progress bar |
| disable-additional-checks | BOOLEAN | --disable-additional-checks | Disable additional checks |
| disable-custom-parameters | BOOLEAN | --disable-custom-parameters | Do not automatically check parameters like admin=true |
example
# x8: mine hidden parameters on an endpointx8 --url 'https://api.example.com/v1/user' --wordlist params.txt --max 30[+] debug (reflected)[+] admin (length +412)[+] include (status 500)[+] source (reflected)[+] preview (length +88)[+] format (body changed)guidance
Use x8 when you need to find hidden parameters on known endpoints with high accuracy. To brute-force paths and files rather than parameters, use a content-discovery tool such as ffuf. To fuzz parameter values for vulnerabilities, pair it with a downstream injection scanner.
Another hidden parameter finder. x8 leans on full page comparison for accuracy across query, body, and headers.
General web fuzzer for paths and values. Use it to fuzz the parameters x8 discovers, not to find them.
faq
related
Website directory and file brute forcing at extreme scale.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, wired to run across a list of target URLs.
A fast web fuzzer written in Go, run across a URL list with folder output.
A fast web fuzzer written in Go.
A fast web fuzzer written in Go, packaged for virtual host discovery.
A URL and a wordlist feed x8, which compares responses to confirm which hidden parameters the server honors and writes them as a queryable output.
Facts on this page come from the live Trickest tool library.