x8 Cheat Sheet
Hidden parameter discovery via response status, body, and reflection diffing.
Overview
x8 finds hidden GET/POST parameters (and, in header mode, hidden request headers) by sending many candidate names per request with random values and comparing each response against a baseline. A name is reported when it changes the status code, changes the page body (parts of the page that vary on their own are filtered out first), or when its random value is reflected; x8 then narrows the batch down to the name responsible. It takes any wordlist, so it is useful on APIs and minimal endpoints where Arjun's default list misses custom parameter names.
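To make the diffing idea concrete, here is an added example (not x8's own code) that performs the same three checks against a constructed in-memory target: a stable-line baseline built from two requests, batched probing with random values, reflection detection, and bisection of a batch that changed the page. The `fake_target` function, its parameter names (`debug`, `lang`, `callback`) and the per-request nonce are all invented for the demonstration.

```python
"""Diff-based hidden parameter discovery in the style of x8 (simplified).

Added example, not x8's own code: a constructed in-memory target stands in
for the HTTP server, and the batching/bisection logic is a toy version of
what the tool does. Run it directly to see which names get flagged and why.
"""
import itertools
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


Sender = Callable[[Dict[str, str]], Response]

_nonce = itertools.count()  # changes every request, like a CSRF token or timestamp


def fake_target(params: Dict[str, str]) -> Response:
    """Constructed stand-in for the target (hypothetical, not a real app).

    Three hidden parameters: "debug" changes the status code, "lang" changes
    the body without echoing its value, and "callback" is reflected verbatim.
    """
    lines = ["<html>", f"<!-- nonce {next(_nonce)} -->", "<h1>api</h1>"]
    status = 200
    if "debug" in params:
        status = 500
        lines.append("<pre>stack trace</pre>")
    if "lang" in params:
        lines.append('<meta name="lang-override">')
    if "callback" in params:
        lines.append(f"<script>{params['callback']}({{}})</script>")
    lines.append("</html>")
    return Response(status, "\n".join(lines))


def fingerprint(resp: Response, stable: Set[str]) -> Tuple[int, int, frozenset]:
    """Status code, line count and the stable lines present.

    Lines that already differed between two baseline requests are ignored so
    they cannot trigger a false positive. x8's page diff is more elaborate;
    this is enough to show the idea.
    """
    lines = resp.body.split("\n")
    return (resp.status, len(lines), frozenset(l for l in lines if l in stable))


def discover(send: Sender, wordlist: List[str], batch_size: int = 64) -> Dict[str, str]:
    """Return {parameter_name: reason} for every name that changed the response."""
    base1, base2 = send({}), send({})
    stable = set(base1.body.split("\n")) & set(base2.body.split("\n"))
    baseline = fingerprint(base1, stable)
    found: Dict[str, str] = {}
    for i in range(0, len(wordlist), batch_size):
        _narrow(send, wordlist[i:i + batch_size], baseline, stable, found)
    return found


def _narrow(send: Sender, names: List[str], baseline, stable: Set[str], found: Dict[str, str]) -> None:
    """One request carries every name with a random value. Reflected names are
    identified directly from that value; anything else that changed the page
    is bisected until a single responsible name remains."""
    if not names:
        return
    values = {n: secrets.token_hex(8) for n in names}
    resp = send(values)
    for n in names:
        if values[n] in resp.body:
            found[n] = "reflection"
    rest = [n for n in names if n not in found]
    if len(rest) != len(names):
        # Reflected names alter the body too; retest the others without them.
        _narrow(send, rest, baseline, stable, found)
        return
    fp = fingerprint(resp, stable)
    if fp == baseline:
        return
    if len(names) == 1:
        found[names[0]] = "status" if fp[0] != baseline[0] else "body"
        return
    mid = len(names) // 2
    _narrow(send, names[:mid], baseline, stable, found)
    _narrow(send, names[mid:], baseline, stable, found)


if __name__ == "__main__":
    decoys = [f"param{i}" for i in range(150)]  # constructed filler names
    wordlist = decoys[:50] + ["debug", "id"] + decoys[50:] + ["callback", "lang", "sort"]
    for name, why in sorted(discover(fake_target, wordlist).items()):
        print(f"{name}: {why}")
```

The batch-then-bisect step is what makes this approach cheap: 150 dead names cost a handful of requests rather than 150, which is also why lowering the batch size (x8's `-m`) is the lever to pull when a target rejects long query strings.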
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
x8 is written in Rust; build and install it from crates.io with cargo (a Rust toolchain is required):
cargo install x8
Essential commands
Discover GET parameters
x8 -u "https://target.example/api" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
POST body parameters (with POST or PUT, x8 places the candidate parameters in the body)
x8 -u "https://target.example/login" -X POST -b "user=admin&pass=test" -w params.txt
Common workflows
JSON API hidden fields (x8 has no --body-json; the body type is set with -t json, and is usually detected from the -b template)
x8 -u "https://target.example/v1/user" -X POST -H "Content-Type: application/json" -b '{"id":1}' -w params.txt -t json
Custom headers as parameters (--headers is a mode switch with no argument; the header names still come from -w)
x8 -u "https://target.example/" -H "Cookie: session=abc" --headers -w wordlist_headers.txt
Output for further testing
x8 -u "https://target.example/page" -w params.txt -o found_params.txt
Flags reference
| Flag | Meaning |
|---|---|
| -u URL | Target URL |
| -w FILE | Parameter wordlist, one name per line |
| -X METHOD | HTTP method (GET by default; with POST or PUT the parameters are sent in the body) |
| -b BODY | Request body template; an optional %s marks where the parameters are inserted |
| -H "Name: value" | Extra request header (repeatable) |
| -t json or -t urlencode | Body data type (long form --data-type); detected from -b when possible |
| -c N | Concurrent requests per URL (default 1) |
| -d MS, --delay MS | Delay between requests in milliseconds |
| -x URL, --proxy URL | HTTP proxy, e.g. Burp at http://127.0.0.1:8080 |
| -o FILE | Write discovered parameters to FILE |
| --headers | Header discovery mode: wordlist entries are sent as header names instead of parameters |

Short flags above follow x8 v4; older releases differ (for example -t was not always data type), so confirm with x8 --help for the build you have.
Tips
- Use a focused wordlist first; full SecLists runs are slow on large apps.
- Combine with Arjun: x8 for fast batched diff-based discovery, Arjun for broader wordlist coverage.
- Watch for WAF rate limits: keep -c low and add a -d/--delay.
- Check the baseline before trusting results. A page that changes on every request (timestamps, CSRF tokens, A/B variants) inflates false positives; run the same wordlist twice and keep only what appears both times.
- Validate each discovered parameter in Burp Repeater (route x8 through it with -x http://127.0.0.1:8080) for business logic impact.