
How does Arjun work?

Somdev Sangwan edited this page May 17, 2021 · 5 revisions

Step #1

Two HTTP requests with different query parameters are made to the URL, and the response length, number of reflections, response code and other such factors are stored for comparison in later steps.
If any HTML form is found in the response, Arjun extracts the field names from it and adds them to the parameter name list for further checking.

Step #2

A list of 25,980 parameter names is loaded and divided into 25 parts. All the parameter names of a part are sent in a single request with randomly generated values, so a total of 25 requests are made.
The responses to these requests are compared with the data stored in step 1, and the parts which didn't cause any change in the response are rejected.

Step #3

Every part which caused a deviation in the response is divided into two halves, and a request is made with each of them.
The half which doesn't cause any change is rejected, and the half which caused a change is further divided into two. This process is repeated until each part contains just one parameter or none. Empty parts are obviously rejected, and the single remaining parameter names are marked as valid.

Note: Reflections are tracked separately, which means that if the value of a parameter is found reflected in the response, Arjun picks it up and flags it as potentially valid right away.
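The three steps above, plus the reflection rule, amount to a group-testing search: probe a whole batch of names at once, keep only batches whose response fingerprint differs from the baseline, and bisect those until single names remain. The following Python is an added illustration of that algorithm, not Arjun's own code. It assumes a constructed in-memory target (`fake_target`) with two hidden parameters, `id` (whose value is reflected) and `debug` (which changes the response length), and a constructed 1,000-name wordlist; every name and function here is an assumption made for the example.

```python
import random
import string
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str


# Constructed stand-in for a web application (assumption: not a real server).
# "id" is reflected in the page, "debug" changes the page length; everything else is ignored.
def fake_target(params):
    body = "<html><body><h1>Catalog</h1>"
    if "id" in params:
        body += f"<p>Record {params['id']} not found</p>"
    if "debug" in params:
        body += "<pre>" + "x" * 200 + "</pre>"
    body += "</body></html>"
    return Response(200, body)


# Constructed wordlist: 998 filler names plus the two real ones, shuffled deterministically.
_rng = random.Random(7)
WORDLIST = [f"p{i}" for i in range(998)] + ["id", "debug"]
_rng.shuffle(WORDLIST)


def random_value(n=8):
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def fingerprint(resp, values):
    # The factors compared across requests: status code, body length, reflection count.
    reflections = sum(resp.body.count(v) for v in values)
    return (resp.status, len(resp.body), reflections)


def baseline(send):
    # Step 1: two control requests with throwaway parameters must agree,
    # otherwise later comparisons would be meaningless.
    fps = []
    for _ in range(2):
        params = {random_value(): random_value()}
        fps.append(fingerprint(send(params), params.values()))
    if fps[0] != fps[1]:
        raise RuntimeError("target is unstable: two control requests differed")
    return fps[0]


def probe(send, names, base, reflected):
    # Send all names of one part in a single request with random values.
    params = {name: random_value() for name in names}
    resp = send(params)
    # Reflection rule: a reflected value flags its parameter immediately.
    for name, value in params.items():
        if value in resp.body:
            reflected.add(name)
    return fingerprint(resp, params.values()) != base


def discover(target, wordlist, parts=25):
    n_requests = 0

    def send(params):
        nonlocal n_requests
        n_requests += 1
        return target(params)

    base = baseline(send)
    reflected, found = set(), set()
    size = -(-len(wordlist) // parts)  # ceiling division
    chunks = [wordlist[i:i + size] for i in range(0, len(wordlist), size)]
    # Step 2: one request per part; keep only parts that change the response.
    pending = [chunk for chunk in chunks if probe(send, chunk, base, reflected)]
    # Step 3: bisect every deviating part until one name (valid) or none (rejected) remains.
    while pending:
        chunk = pending.pop()
        if len(chunk) == 1:
            found.add(chunk[0])
            continue
        mid = len(chunk) // 2
        for half in (chunk[:mid], chunk[mid:]):
            if half and probe(send, half, base, reflected):
                pending.append(half)
    return found | reflected, n_requests


if __name__ == "__main__":
    names, count = discover(fake_target, WORDLIST)
    print(f"found {sorted(names)} in {count} requests for {len(WORDLIST)} names")
```

Running it finds both hidden names in a few dozen requests rather than one per wordlist entry, which is the point of batching. One property of the bisection worth knowing: if a part deviates only because two of its names act together, neither half deviates on its own and both are dropped; the example does not try to handle that case, since the page does not describe one.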
