Arjun Cheat Sheet
HTTP parameter discovery tool for finding hidden GET and POST parameters.
Overview
Arjun finds the HTTP parameters an endpoint actually reads: it sends candidate names from a wordlist in large batches, diffs each response against a baseline, and bisects any batch that changes the response until the responsible names are isolated. Feed the results to Dalfox, sqlmap, or manual testing on authorized targets.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```bash
pip install arjun
```
or
```bash
pipx install arjun
```
Essential commands
GET parameter discovery
```bash
arjun -u https://target.example/search
```
POST JSON endpoint (-m JSON sends the candidates as a JSON body; -c is the chunk size, not a Content-Type)
```bash
arjun -u https://target.example/api/user -m JSON
```
Common workflows
Discover and pipe to other tools
```bash
arjun -u https://target.example/profile -oT arjun_params.txt
# -oT writes one URL per line with the discovered parameters appended,
# so each line can go straight into Dalfox
while read -r u; do dalfox url "$u"; done < arjun_params.txt
```
Stable mode and custom wordlist
```bash
arjun -u https://target.example/page -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
arjun -u https://target.example/page --stable
```
Multiple URLs from file
```bash
arjun -i urls.txt -oJ arjun_out.json
```
With headers and cookies (a cookie is just another header; separate several headers with \n)
```bash
arjun -u https://target.example/api --headers "Authorization: Bearer TOKEN\nCookie: session=abc"
```
Flags reference
| Flag | Meaning |
|---|---|
| -u URL | Target URL |
| -i FILE | File of target URLs, one per line |
| -m METHOD | Request method: GET, POST, JSON, XML or HEADERS (default GET) |
| -w FILE | Wordlist (Arjun ships a default list) |
| -c N | Chunk size: number of parameters sent in one request |
| -t N | Threads |
| -d SECONDS | Delay between requests |
| -oT FILE | Text output, one URL per line |
| -oJ FILE | JSON output (-o is an alias) |
| --headers "Name: value" | Custom headers, including Cookie:; separate several with \n |
| --include DATA | Data sent with every request (query string or JSON body), e.g. a required API key |
| --stable | Prefer stability over speed: fewer false positives on targets whose responses vary |
Tips
- Hidden parameters often include debug, admin, role, redirect, next; confirm each hit by hand in Repeater, since a response diff proves only that the parameter is read, not that it is exploitable.
- Use --stable on noisy apps whose responses vary between identical requests (timestamps, tokens, A/B content); it trades speed for fewer false positives.
- Throttle on production with -d (delay between requests) and a low -t, and respect the engagement's rate limits.
- JSON APIs: use -m JSON; if the endpoint needs certain fields before it responds meaningfully, send them with every request via --include '{"user_id": 1}'.
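The discovery loop described in the overview, together with the stability check behind --stable, written out as a stand-alone Python example. This is added illustration, not Arjun's own code: the in-memory target handler, the three cycling node names that keep every response body slightly different, the "arjunN" marker values and the short wordlist are all constructed for the example.

```python
"""Parameter discovery by chunked response diffing.

Added example, not Arjun's code. It models the technique Arjun applies:
send a batch of candidate names in one request, compare the response with
a baseline, and bisect any batch that changes it. Response features that
drift between identical baseline requests are learned and ignored, which
is the idea behind --stable. The target is a constructed in-memory handler
so the script runs offline.
"""
import re
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Response:
    status: int
    body: str


Handler = Callable[[Dict[str, str]], Response]

# Constructed target: it reads only "debug" and "redirect".
# Constructed noise: each response names a different backend node, as a
# load-balanced app might, so no two response bodies are identical.
_NODES = cycle(["web-a", "web-b", "web-c"])


def fake_target(params: Dict[str, str]) -> Response:
    if "redirect" in params:
        return Response(302, "Location: " + params["redirect"])
    body = "<html><!-- served by %s --><form></form></html>" % next(_NODES)
    if "debug" in params:
        body += "\n<pre>sql: SELECT * FROM users WHERE id=1 (3 ms)</pre>"
    return Response(200, body)


def features(r: Response) -> Dict[str, object]:
    """Cheap properties of a response that a parameter hit tends to change."""
    return {
        "status": r.status,
        "length": len(r.body),
        "lines": r.body.count("\n"),
        "words": tuple(sorted(set(re.findall(r"[A-Za-z_]+", r.body)))),
    }


def learn_noise(send: Handler, probes: int = 3) -> Set[str]:
    """Fetch the baseline several times; a feature that changes with no
    parameters sent is noise and must never count as a hit."""
    samples = [features(send({})) for _ in range(probes)]
    return {k for k in samples[0] if len({repr(s[k]) for s in samples}) > 1}


def fingerprint(r: Response, noise: Set[str]) -> Tuple:
    return tuple(sorted((k, v) for k, v in features(r).items() if k not in noise))


def discover(send: Handler, wordlist: List[str], chunk_size: int = 50) -> List[str]:
    noise = learn_noise(send)
    baseline = fingerprint(send({}), noise)
    found: List[str] = []

    def changed(names: List[str]) -> bool:
        # One distinct value per name; "arjunN" is an arbitrary marker.
        params = {n: "arjun%d" % i for i, n in enumerate(names)}
        return fingerprint(send(params), noise) != baseline

    def bisect(names: List[str]) -> None:
        if not changed(names):
            return  # nothing in this batch is read by the target
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        bisect(names[:mid])
        bisect(names[mid:])

    for i in range(0, len(wordlist), chunk_size):
        bisect(wordlist[i:i + chunk_size])
    return sorted(found)


class Counting:
    """Wraps a handler and counts requests, so the cost of a run is visible."""

    def __init__(self, send: Handler) -> None:
        self.send, self.requests = send, 0

    def __call__(self, params: Dict[str, str]) -> Response:
        self.requests += 1
        return self.send(params)


# Constructed stand-in for a real wordlist such as burp-parameter-names.txt.
WORDLIST = ["id", "page", "q", "debug", "user", "redirect", "lang", "sort",
            "limit", "format", "token", "admin", "callback", "next", "role", "order"]

if __name__ == "__main__":
    target = Counting(fake_target)
    print(discover(target, WORDLIST), "in", target.requests, "requests")
```

Running it reports debug and redirect and the number of requests spent. Without the learned noise set, the rotating node name would make every probe differ from the baseline and every candidate would be reported as a hit, which is exactly the false-positive pattern --stable is meant to suppress. The request saving of bisection only shows at realistic sizes (thousands of names, chunks of hundreds); the sixteen-name list here is just enough to exercise the recursion.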