Skip to content
Somdev Sangwan edited this page Nov 16, 2023 · 16 revisions

Scan a single URL

Option: -u

Run Arjun against a single URL.

arjun -u https://api.example.com/endpoint

Specify HTTP method

Option: -m

Arjun looks for GET method parameters by default. All available methods are: GET/POST/JSON/XML

arjun -u https://api.example.com/endpoint -m POST

Import targets

Option: -i

Arjun supports importing targets from BurpSuite, simple text file and raw request files. Arjun can automatically identify the type of input file so you just need to specify the path.

arjun -i targets.txt

Note: Uncheck the "base64" option while exporting items in Burp Suite.

Export result

Option: -oJ/-oB/-oT

You can export the result to BurpSuite or a txt/JSON file by using the respective option.

arjun -u https://api.example.com/endpoint -oJ result.json
-oJ result.json
-oT result.txt
-oB 127.0.0.1:8080

Specify injection point

Arjun can detect parameters in a specified location when using JSON or XML method parameters by default. All available methods are: GET/POST/JSON/XML

arjun -u https://api.example.com/endpoint -m JSON --include='{"root":{"a":"b",$arjun$}}'

OR

arjun -u https://api.example.com/endpoint -m XML --include='<?xml><root>$arjun$</root>'

Multi-threading

Option: -t

Arjun uses 2 threads by default but you can tune its performance according to your network connection and target allowance.

arjun -u https://api.example.com/endpoint -t 10

Delay between requests

Option: -d

You can delay the request by using the -d option but it will also set the number of threads to 1.

arjun  -u https://api.example.com/endpoint -d 2

Request timeout

Option: -T

You can specify the timeout for HTTP requests with the -T option, default is 15.

arjun  -u https://api.example.com/endpoint -T 10

Handle rate limits

Option: --stable

--stable sets the number of threads to 1 and introduces a random delay of 6 to 12 seconds between requests.

arjun  -u https://api.example.com/endpoint --stable

Include persistent data

Option: --include

Let's say you have an API key that you need to send with every request, to tell Arjun to do that you can use the --include option as follows:

arjun  -u https://api.example.com/endpoint --include 'api_key=xxxxx'

OR

arjun  -u https://api.example.com/endpoint --include '{"api_key":"xxxxx"}'

To include multiple parameters, use & to separate them or pass them as a valid JSON object.

Custom wordlist

Option: -w

You can specify the path to your own wordlist with this option. Arjun comes with 3 word-lists out-of-the-box which can be used as -w small|medium|large, self-explanatory.

arjun -u https://api.example.com/endpoint -w /path/to/wordlist.txt

Control query/chunk size

Option: -c

By default, Arjun includes 500 parameters in the request which can sometimes exceed the maximum URL length limit for some servers. You can handle such cases with the -c option by specifying the number of parameters to be sent at once.

arjun -u https://api.example.com/endpoint -c 250

Disable redirects

Option: --disable-redirects

This switch will prevent Arjun to follow redirects on the target URL. It is recommended to use it only when you know what you are doing.

arjun -u https://api.example.com/redirects_to_api2 --disable-redirects

Collect parameter names from passive source

Option: --passive

You can collect parameter names for a domain (not subdomain) from CommonCrawl, Open Threat Exchange and WaybackMachine and check if they exist on your targets.

arjun https://api.example.com/endpoint --passive example.com

If you want to use the domain from the target URL, use --passive -. It only works for a single target.

Use custom HTTP Headers

Option: --headers

You can simply add custom headers from command line separated by \n as follows:

arjun -u https://api.example.com/endpoint --headers "Accept-Language: en-US\nCookie: null"

Using the --headers option without any argument will open your text editor (default is 'nano') and you can simply paste your HTTP headers there and press Ctrl + S to save.

headers demo

Note: Arjun uses nano as the default editor for the prompt but you can change it by tweaking /core/prompt.py.