Arjun

HTTP Parameter Discovery Suite



🔎What is Arjun?

Arjun is a powerful command-line tool used in web security testing. It’s designed to find HTTP parameters (GET & POST) in web applications by fuzzing endpoints. Essentially, it helps bug bounty hunters, penetration testers, and security researchers discover hidden or undocumented parameters that could lead to vulnerabilities like SQLi, XSS, or IDOR.

Arjun is this super handy tool that helps you find hidden query parameters in URL endpoints. Don’t worry if that sounds confusing.

When websites or APIs take input through URLs, they often do it with parameters. For example, you might see something like:

http://example.com/v1/userinfo?id=751634589

This URL shows details about a user with the ID 751634589. But what if there’s a secret parameter like admin=true that, when added, reveals even more sensitive info? That’s where Arjun comes in: it automatically tries thousands of possible parameters (like 25,890 of them!) to see which ones the endpoint actually responds to. And the best part? It’s crazy fast: it can churn through all those potential parameters in under 10 seconds by only making 50-60 requests. Pretty cool, right?
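Seen from the server side, those figures mean each request carries several hundred parameter names (25,890 names spread over 50-60 requests), which is easy to spot in access logs. The sketch below is an added example, not part of Arjun or the original post: it flags clients that repeatedly hit one path with an unusually wide query string. The log format, IP addresses, sample lines and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip, ident, user, [time], "METHOD target PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def bulk_query(n, start=0):
    """Constructed query string carrying n distinct parameter names."""
    return "&".join(f"name{start + i}=1" for i in range(n))

def log_line(ip, target, status=200):
    """Constructed access-log line in combined log format."""
    return f'{ip} - - [01/Jan/2025:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512'

# Constructed sample traffic, not real logs.
SAMPLE_LOG = (
    [log_line("198.51.100.10", "/v1/userinfo?id=751634589")] * 5
    + [log_line("203.0.113.7", "/v1/userinfo?" + bulk_query(500, i * 500)) for i in range(4)]
    + [log_line("192.0.2.44", "/search?" + bulk_query(120))]
    + ["malformed line that the parser must skip"]
)

def find_param_sweeps(lines, min_params=100, min_requests=3):
    """Return {(client_ip, path): (wide_requests, distinct_names)} for clients that
    repeatedly hit one path with an unusually wide query string.
    Both thresholds are assumptions; tune them against your own baseline."""
    hits = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        parts = urlsplit(target)
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if len(names) >= min_params:
            entry = hits[(ip, parts.path)]
            entry[0] += 1          # one more wide request from this client
            entry[1] |= names      # accumulate the distinct names it tried
    return {key: (count, len(names)) for key, (count, names) in hits.items()
            if count >= min_requests}

if __name__ == "__main__":
    for (ip, path), (count, total) in find_param_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {count} wide requests to {path}, {total} distinct parameter names")
```

Access logs normally record only the query string, so discovery run in POST mode needs request-body or WAF-level logging to show up the same way.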

❓Why use Arjun?

Because many modern applications have hidden parameters that aren’t documented or visible in the front-end but are processed on the server side. Finding them manually is time-consuming. Arjun automates this process, helping you:

  • Discover attack surface area.
  • Save time in reconnaissance.
  • Identify parameters others might miss.
  • Increase chances of finding critical vulnerabilities.
  • Improve coverage in bug bounty or security assessments.

⚙️ Installation

Arjun is written in Python and can be installed easily:

# Clone the repository
git clone https://github.com/s0md3v/Arjun.git
cd Arjun

# Install dependencies (Python 3 required)
pip install -r requirements.txt

# Or install directly using pip
pip install arjun

# Then you can run it with:
python3 arjun.py -h


Note: If you install with pip, you can run the arjun command directly, as in the examples below.

⚡️5 Useful Things You Can Do with Arjun

1️⃣ Find GET parameters on a single URL

arjun -u https://example.com/page.php

This scans the URL for possible GET parameters.

2️⃣ Find POST parameters on a URL

arjun -u https://example.com/submit.php -m POST

Use -m POST to tell Arjun to test POST requests.

3️⃣ Scan multiple URLs from a file

arjun -i urls.txt

Where urls.txt contains one URL per line.

4️⃣ Output results to a file

arjun -u https://example.com/page.php -o found-params.txt

Saves discovered parameters into found-params.txt for later analysis.

5️⃣ Use custom wordlists

arjun -u https://example.com/page.php -m GET -w custom-wordlist.txt

This lets you test with your own list of parameter names.