Install and Use ParamSpider (a parameter miner)
In this blog, we are going to see how to install and use the ParamSpider. A tool to mine parameters on a website.
ParamSpider is a python script which is used to find parameters from web archives of the domain. Also it could mine parameters from the subdomains as well.
Lets see how to get it installed and its usage. It might be useful for your bug hunting journey.
Everything is in the github page of the tool, this is just a simple guide. You can also follow it up from the github page.
Finds parameters from web archives of the entered domain. Finds parameters from subdomains as well. Gives support to…
First lets clone the repository,
git clone https://www.github.com/devanshbatham/ParamSpider
Then we can move on to the directory to view the contents,
There is a requirements.txt file which specifies the modules needed to run the script. Lets take a look at it.
If you have these python modules installed, go ahead and skip the following step, but it doesn’t hurt to run the commands though you have these installed.
pip install -r requirements.txt
If you want to install it to /usr/lib/python3.x run it using sudo , it will be accessible by all users, without sudo, it will be installed to the ~/.local/python3.x directory, accessible only to the user that installed it.
And yeah, everything is set and now we may run the python script.
This shows the usage of the tool and some additional options, lets see more of the options.
python3 paramspider.py -h
Lets test run it against google.com
python3 paramspider.py -d google.com
This produces a lot of output.
Wow, This script is amazing, it found 731 results, and look at the beauty of the output. the parameter is already appended with FUZZ, so you can directly use the output to fuzzers like wfuzz, ffuf etc..,
By default, the output is saved to output directory, created by the script and the file name as the domain name that we provided.
You can manipulate these using the -o option to put custom name, also you could exclude certain extensions from being displayed using the -e <extension> option.
This script offers a lot, its time for you to explore it. Go ahead.
Thanks for reading. Hope you learned something.
If you have any problems, please watch the video