Parameter Discovery Cheat Sheet

Find hidden HTTP parameters and mass-assignment fields with Arjun, Param Miner, x8, ffuf, and wordlist tactics — reflection, status, size, and word-count diffing to surface what the app forgot to document. (44 payloads)

Try it interactively with the API Security Testing Hub

Arjun

(8)

arjun -u https://target.com/api/endpoint

Default GET parameter discovery against a single URL using Arjun's bundled ~25k wordlistArjun infers the page's baseline (status, length, word count) first, then bulk-tests params in chunks and binary-searches any chunk that changes the response.

arjun -u https://target.com/api/endpoint -m POST

Test POST body parameters (-m sets the method: GET, POST, JSON, XML, or headers)Use -m JSON for application/json APIs so candidate params are sent inside a JSON body, not as urlencoded pairs.

arjun -u https://target.com/api/endpoint -m JSON

Discover JSON body params — Arjun submits candidates as a JSON object and diffs the responseEssential for REST/GraphQL-adjacent APIs where urlencoded probing returns identical errors for every key.

arjun -i targets.txt -oT found.txt -t 20

Bulk mode: read URLs from a file, write results to text, 20 concurrent threads-i takes a list of endpoints (e.g. from a crawler); -oJ writes JSON, -oB sends results straight to a Burp instance.

arjun -u https://target.com/page -w params.txt

Use a custom wordlist instead of the built-in one (-w)Pair with technology-specific lists (e.g. SecLists burp-parameter-names.txt) to cut request volume on a known stack.

arjun -u https://target.com/page --headers "Cookie: session=abc; Authorization: Bearer eyJ..."

Probe authenticated endpoints by passing session headersAuthenticated discovery surfaces parameters gated behind login — often the ones controlling IDOR or privilege state.

arjun -u https://target.com/page --stable -d 2 --rate-limit 30

--stable resends to reduce false positives; -d delays between requests; --rate-limit caps requests/secUse on flaky or rate-limited targets where response size jitters and produces noisy diffs.

arjun -u https://target.com/page -m headers

Discover hidden HTTP request headers the backend reacts to (e.g. X-Forwarded-For, X-Original-URL)Header-mode finds debug/ACL-bypass headers that change behavior without appearing in any normal request.

Param Miner (Burp)

(7)

Right-click request -> Guess query parameters

Param Miner extension brute-forces hidden GET parameter names against the selected requestResults land in the Burp issue/log pane; it uses a built-in 65k+ param list plus bucketing to find reflected/behavior-changing names.

Right-click request -> Guess body parameters

Brute-force hidden POST body parameter namesRespects the request's existing Content-Type, so it probes urlencoded vs JSON bodies appropriately.

Right-click request -> Guess headers

Find unkeyed/hidden request headers — the original tool for unkeyed-input cache poisoning researchDetecting a reflected, unkeyed header (e.g. X-Forwarded-Host) is the entry point for web cache poisoning.

Param Miner -> Settings -> 'add cachebuster'

Append a unique cachebuster param to every probe so a CDN doesn't serve cached responses during discoveryWithout it, a caching layer returns identical responses and Param Miner reports zero findings on a CDN-fronted site.

Param Miner -> 'Bulk scan' -> selected requests

Run guessing across many proxied requests at once for full-scope coverageFeed it the whole site map after a crawl to mine every endpoint in one pass.

Param Miner -> 'rare headers' / 'fcbz cachebuster' wordlists

Switch to curated wordlists for headers vs parameters to tune signal/noiseCustom lists go in the extension's word-list field; smaller targeted lists drastically reduce request count.

Identify reflected param via 'identify which part of the request the param is reflected in'

Param Miner can pinpoint where a discovered param surfaces (body, header, redirect) to triage impact fastA param reflected into a Location header or HTML sink immediately suggests open-redirect or XSS follow-up.

ffuf & x8 Hidden Param Fuzzing

(7)

ffuf -u 'https://target.com/page?FUZZ=test' -w params.txt -fs 4242

Fuzz GET parameter names; baseline-filter by the default response size to surface the ones that differFirst run with no filter to learn the baseline size, then add -fs to hide it so only behavior-changing params remain.

ffuf -u 'https://target.com/page?FUZZ=test' -w params.txt -mr 'test'

Match-regex on the injected value — finds parameters that reflect their input into the responseReflection-based discovery is the most reliable signal: a param echoing 'test' back is real and likely a sink.

ffuf -u https://target.com/page -X POST -d 'FUZZ=test' -H 'Content-Type: application/x-www-form-urlencoded' -w params.txt -fw 12

Fuzz POST body parameter names, filtering by word count to ignore the constant baseline-fw (word count) is often more stable than -fs when responses contain small dynamic timestamps.

ffuf -u https://target.com/page -X POST -d '{"FUZZ":"test"}' -H 'Content-Type: application/json' -w params.txt -fc 400

JSON body param fuzzing — filter out the 400/validation status returned for unknown keysWhen a missing-key error gives 400 and an accepted key gives 200, -fc 400 isolates valid params instantly.

x8 -u https://target.com/page -w params.txt

x8: a discovery tool built specifically to detect hidden params via concurrent diffing and noise filteringx8 batches many params per request and shrinks the set on any change, so it is far faster than one-param-per-request.

x8 -u https://target.com/page -X POST -b '{"key":"value"}' -w params.txt --param-template '{"%k":"%v"}'

x8 against a JSON body using a template so candidate keys are injected with correct structure--param-template lets x8 mine nested or typed JSON bodies that simple urlencoded probing would miss.

x8 -u https://target.com/page -w params.txt --headers 'Authorization: Bearer eyJ...' --output found.txt

Authenticated x8 run with custom headers and saved outputx8 reports which params changed status, length, or reflection, classifying the likely impact of each hit.

Wordlists & Sources

(7)

SecLists/Discovery/Web-Content/burp-parameter-names.txt

~2.5k common parameter names extracted from Burp — the default go-to short listFast, high-hit-rate list for a first pass before escalating to larger or tool-bundled lists.

Arjun's db/params.txt (~25k) / Param Miner bundled lists (~65k)

The large built-in lists that ship with the discovery tools — broad coverage at higher request costReserve the big lists for high-value endpoints; on a CDN-cached target add a cachebuster or they waste requests.

Mine the app's own JS: grep -roE '[?&][a-zA-Z0-9_]+=' app.js | sort -u

Extract parameter names referenced in client-side JavaScript — the most relevant wordlist is the target's own codeTools like LinkFinder, getJS, or a JS scanner pull URLs and param names straight from bundled scripts.

gau target.com | unfurl -u keys | sort -u

Harvest historic parameter keys from Wayback/Common Crawl/OTX via gau, then extract just the keys with unfurlArchived URLs reveal deprecated-but-still-wired params that no longer appear in the live UI — prime hidden-param hunting ground.

paramspider -d target.com

ParamSpider crawls web archives for a domain and outputs every URL containing parametersFeed its output to arjun -i or x8 to validate which archived params still trigger backend behavior.

katana -u https://target.com -jc -kf all | grep '?'

Active crawl with Katana (JS crawling + known-files) to enumerate live parameterized URLsActive crawling catches params the archives never saw — e.g. those built dynamically by SPA routing.

Build a custom list from API docs / Swagger: jq '.paths' openapi.json

Pull documented parameter names from an OpenAPI/Swagger spec, then test for the undocumented siblingsDocumented params hint at naming conventions (snake_case, isAdmin vs is_admin) — generate variants to find hidden ones.

Mass Assignment Hunting

(8)

PUT /api/users/me {"name":"x","role":"admin"}

Add a privilege field the form never exposed — if the ORM binds it, you escalate (classic mass assignment / auto-binding)Frameworks that auto-map request keys to model attributes (Rails, Spring, Laravel, Sequelize) are vulnerable when binding isn't allowlisted.

PATCH /api/account {"email":"[email protected]","isAdmin":true,"verified":true,"balance":99999}

Inject multiple sensitive boolean/numeric fields at once and diff which stick after the updateRead the object back via its GET endpoint to confirm a field was actually persisted, not just silently ignored.

POST /api/users {"username":"x","id":1,"organizationId":2,"tenantId":"victim"}

Override server-assigned identity/tenant fields to create cross-tenant or pre-chosen-ID objectsSetting id/foreign keys at creation time can let you collide with or attach to another tenant's records.

Compare GET response keys vs accepted POST/PUT keys

Diff every field the object returns on read against what the write endpoint documents — extras are mass-assignment candidatesIf GET /user shows role, credits, emailVerified but the edit form only sends name, those read-only fields are prime targets.

Nested override: {"user":{"profile":{"role":"admin"}}} or user[role]=admin

Try nested-object and bracket notations — binders often recurse into nested/array structures the allowlist forgotRails strong params and similar guards frequently allowlist top-level keys but miss nested hashes.

Type-juggle the flag: "isAdmin":1 / "true" / "on" / [true]

If a strict boolean is rejected, retry coerced types — loose backends accept 1, "true", "on", or array-wrapped truthy valuesValidation that only checks `=== true` while the ORM cast()s loosely is a common bypass.

Submit discovered hidden params back as write fields

Take param names found via Arjun/x8 and feed them into create/update bodies — discovery and mass assignment compoundA hidden 'debug', 'admin', or 'price' param surfaced during discovery is often the exact lever for mass assignment.

Burp Intruder: brute privilege field names against PATCH, watch for role/state change

Automate mass-assignment hunting by fuzzing sensitive key names into a known-good update requestUse a privilege-field wordlist (admin, role, is_staff, scopes, permissions, plan, credits) and diff the readback.

Detection & Triage

(7)

Baseline first: capture status, Content-Length, and word count of a request with a junk param

Establish the 'no-such-param' response so every real hit can be measured as a deviation from itSend ?notaparam=canary123 and record the response — that triple (status/size/words) is your filter for all tools.

Reflection check: inject a unique canary value and grep the response for it

A parameter whose value is echoed back is confirmed live and is also a candidate XSS/SSTI/open-redirect sinkUse a distinctive token like zqx9c so you don't false-positive on the word 'test' appearing naturally.

Status-code shift: 200 -> 302/500/403 when a param is supplied

A different status with the param present signals the backend now branches on itA 500 often means the value hit unvalidated logic — promising for injection; a 302 may indicate a redirect/auth path.

Length/word-count delta even with identical status

Same 200 but a different response size means the param altered output — a quietly accepted hidden fieldffuf -fw / -fs and Arjun's word-count diffing exist precisely to catch these silent content changes.

Timing oracle: param that changes response time (e.g. triggers a DB query)

A parameter that consistently slows the response is doing work server-side — flag for blind injection testingPair with --rate-limit and multiple samples so network jitter doesn't masquerade as a timing signal.

Beware cache & WAF noise: add a cachebuster, throttle, and re-test hits twice

CDN caching and WAF rate responses both fabricate or hide diffs — confirm every finding with a clean, stable resendArjun's --stable and Param Miner's cachebuster option are the built-in answers to these false positives.

Confirm impact, don't just report names: chain the param into IDOR/LFI/SSRF/SSTI tests

A discovered param is only a lead — prove it reaches a dangerous sink before calling it a vulnerabilityHidden file/path/url/id params are the usual gateways to path traversal, SSRF, and object-reference abuse.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

IDOR Cheat Sheet API Security Cheat Sheet ffuf Web Fuzzer Cheatsheet Business Logic Cheat Sheet

Frequently asked questions

What is the Parameter Discovery Cheat Sheet?+

It's a quick-reference collection of 44 Param Discovery payloads for testing Parameter Discovery vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Param Discovery payloads?+

Copy any payload straight into your authorized test, or use the API Security Testing Hub to apply them interactively. Only test systems you have explicit permission to assess.

Are these Param Discovery payloads free to use?+

Yes — this cheat sheet and all Param Discovery payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Parameter Discovery Cheat Sheet?+

How do I use these Param Discovery payloads?+

Copy any payload straight into your authorized test, or use the API Security Testing Hub to apply them interactively. Only test systems you have explicit permission to assess.

Are these Param Discovery payloads free to use?+

Yes — this cheat sheet and all Param Discovery payloads are completely free, with no account required. Everything runs in your browser.

Parameter Discovery Cheat Sheet

Arjun

Param Miner (Burp)

ffuf & x8 Hidden Param Fuzzing

Wordlists & Sources

Mass Assignment Hunting

Detection & Triage

Related Tools

Related Cheat Sheets

Frequently asked questions

Parameter Discovery Cheat Sheet

Arjun

Param Miner (Burp)

ffuf & x8 Hidden Param Fuzzing

Wordlists & Sources

Mass Assignment Hunting

Detection & Triage

Related Tools

Related Cheat Sheets

Frequently asked questions