1.6 KiB
x8
A hidden parameters discovery suite for identifying vulnerable or interesting web parameters. More information: https://sh1yo.art/x8docs/.
- Check hidden parameters in a URL query:
x8 {{[-u|--url]}} {{https://example.com/}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}
- Check parameters with a custom query injection point (
%s):
x8 {{[-u|--url]}} {{https://example.com/?something=1%26%s}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}
- Send parameters via POST body with JSON format:
x8 {{[-u|--url]}} {{https://example.com/}} {{[-X|--method]}} {{POST}} {{[-b|--body]}} {{'{"x":{%s\}\}'}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}
- Check parameters with a custom template (
%kfor key,%vfor value):
x8 {{[-u|--url]}} {{https://example.com/}} {{[-P|--param-template]}} {{user[%k]=%v}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}
- Encode parameters for special characters in queries:
x8 {{[-u|--url]}} {{https://example.com/?path=..%2faction.php%3f%s%23}} --encode {{[-w|--wordlist]}} {{path/to/wordlist.txt}}
- Discover hidden headers for a URL:
x8 {{[-u|--url]}} {{https://example.com/}} --headers {{[-w|--wordlist]}} {{path/to/headers.txt}}
- Check multiple URLs in parallel with high concurrency and verify found parameters:
x8 {{[-u|--url]}} {{https://example.com/}} {{https://4rt.one/}} {{[-W|--workers]}} {{0}} -c {{3}} --verify
- Save request and response data for found parameters to a directory:
x8 {{[-u|--url]}} {{https://example.com/}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} --save-responses {{path/to/output_dir}}