finds.dev← search

// the find

s0md3v/Arjun

★ 6,346 · Python · AGPL-3.0 · updated Feb 2025

HTTP parameter discovery suite.

Arjun discovers hidden HTTP parameters by fuzzing endpoints with a 25,890-word dictionary derived from CommonCrawl, SecLists, and param-miner. It uses a binary-search-style chunking approach to find valid parameters in ~50-60 requests rather than one per parameter. Primarily a recon tool for pentesters and bug hunters.

The chunking algorithm is the real sell — testing 25k parameter names in under 10 seconds by sending batches and narrowing down anomalies is genuinely clever. It covers all four common body formats (query string, form POST, JSON, XML), which most similar tools miss. BurpSuite import/export makes it slot naturally into existing pentest workflows. The wordlist sourcing from CommonCrawl gives it real-world coverage that manually assembled lists can't match.

Last commit was February 2025 and before that activity was sparse — this project moves slowly for a tool in an area where targets evolve constantly. The passive JS parameter extraction is a plugin afterthought with no documentation on how well it actually works or what it covers. No support for headers-as-parameters or cookie fuzzing, which matters for modern APIs that bury state there. Rate-limit handling is described as automatic but there's no documentation on what that means — blind trust in a fuzzing tool's politeness is a bad habit.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →