Day 37 – Parameter Finding | Complete Beginner to Advanced Guide


🎯 Day 37: Parameter Finding

Bug hunting is not just about finding directories.
Very often the real vulnerability is hiding inside parameters.

If you understand parameters → you understand 50% of hacking concepts 🔥


🧠 What Is a Parameter?

A parameter is a value that carries data to the server.

Example:

https://example.com/product?id=10

Here:

  • id = parameter

  • 10 = value

If you change the value:

?id=11
?id=999

the server returns different data.

That is the foundation of testing.


🔎 What Is Parameter Finding?

Parameter finding means:

✔ Discovering hidden parameters in the URL
✔ Identifying hidden fields in forms
✔ Finding the parameters of API endpoints
✔ Detecting unused parameters on the backend

Many vulnerabilities are reached through parameters:

  • IDOR

  • SQL Injection

  • XSS

  • Access Control issues


🌐 Where Are Parameters Found?

1️⃣ URL Parameters

?page=2
?user=admin
?search=test

2️⃣ Form Parameters

Login form example:

username
password
remember_me

Sometimes there is also a hidden input:

role=user

If that can be changed → there may be a privilege issue.


3️⃣ API Parameters

Modern apps such as:

Facebook
Google

work on an API basis.

Example API request:

/api/user?id=45&role=user

If the response changes when you change role → serious bug.


🛠 Parameter Finding Methods

✅ 1. Manual Testing

  • Observe the URL

  • Inspect forms (Inspect Element)

  • Use the Network tab

  • Modify values and test


✅ 2. Hidden Parameter Guessing

Developers use common names:

  • id

  • user_id

  • uid

  • role

  • admin

  • debug

  • test

  • redirect

  • next

Sometimes undocumented parameters turn up.


✅ 3. JavaScript Analysis

Parameters can be found in the website's JS files:

  • API endpoints

  • Internal routes

  • Debug options

That is where hidden features turn up.


🎯 Real Example Thinking

Suppose the URL is:

/profile?user_id=102

If you change it to:

?user_id=101

and another user's data is shown → IDOR vulnerability.

That is why parameters are so powerful.
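What the IDOR above looks like in code, and how the fix works, as an added example that is not from the post. The same block also covers the hidden role field from the form and API sections and the undocumented parameters from the guessing section: the vulnerable handler looks up whatever user_id it is given and believes a client-supplied role; the hardened handler ties the record to the authenticated session, takes role only from the stored record, and records unexpected parameters such as debug for later detection. The user table, the session dict and the handler names are constructed for illustration; no web framework is involved.

```python
"""IDOR and trusted hidden field: vulnerable vs hardened handler.

Added example, not code from the post. USERS, the session dict, the handler
names and ALLOWED_PARAMS are constructed assumptions for illustration.
"""

# Constructed user store: id -> record. The role lives here, server side.
USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.com", "role": "user"},
    102: {"id": 102, "name": "bob", "email": "bob@example.com", "role": "user"},
    1: {"id": 1, "name": "root", "email": "root@example.com", "role": "admin"},
}

# Parameters each endpoint is documented to accept. Anything else the client
# sends (debug, admin, role, ...) is logged instead of being silently honoured.
ALLOWED_PARAMS = {"/profile": {"user_id"}}
audit_log = []


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested profile."""


def profile_vulnerable(session, params):
    """The bug: any user_id from the client is looked up and returned, and a
    client-supplied role is trusted. ?user_id=101 from bob's session leaks
    alice's record; role=admin from the request is simply believed."""
    user = USERS[int(params["user_id"])]
    role = params.get("role", user["role"])
    return {"id": user["id"], "email": user["email"], "role": role}


def profile_hardened(session, params):
    """Fix: the record is tied to the authenticated session. A client-supplied
    user_id only works when it matches the caller (or the caller is admin),
    role always comes from storage, and unexpected parameters are audited."""
    unexpected = set(params) - ALLOWED_PARAMS["/profile"]
    if unexpected:
        audit_log.append({"session_user": session["user_id"],
                          "unexpected": sorted(unexpected)})
    requested = int(params.get("user_id", session["user_id"]))
    caller = USERS[session["user_id"]]
    if requested != caller["id"] and caller["role"] != "admin":
        raise Forbidden(f"user {caller['id']} may not read profile {requested}")
    user = USERS[requested]
    # role is read from the stored record, never from the request.
    return {"id": user["id"], "email": user["email"], "role": user["role"]}


def can_read_profile(session, params):
    """True if the hardened handler serves the request, False if it refuses."""
    try:
        profile_hardened(session, params)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = {"user_id": 102}
    print("vulnerable:", profile_vulnerable(bob, {"user_id": "101", "role": "admin"}))
    try:
        profile_hardened(bob, {"user_id": "101", "role": "admin"})
    except Forbidden as err:
        print("hardened:", err)
    print("audit:", audit_log)
```

The ownership check is the actual IDOR fix; the parameter allow-list is a separate, cheap habit that turns guessed hidden parameters into audit events instead of silent behaviour changes.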


⚠ Important Concepts

🔹 GET vs POST

GET → visible in the URL
POST → visible in the Network tab

Both need to be tested.


🔹 Static vs Dynamic Parameters

Static → always the same
Dynamic → change depending on the user

Dynamic parameters have a higher chance of vulnerabilities.


🚨 Beginner Mistakes

❌ Testing only visible parameters
❌ Ignoring hidden fields
❌ Not using the Network tab
❌ Ignoring JavaScript files
❌ Not comparing responses


📋 Parameter Testing Checklist

✔ Change the value
✔ Try special characters
✔ Try boolean values (true/false)
✔ Increment numeric values
✔ Note the difference in responses
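The flip side of this checklist for a defender is recognising when someone is running it against an application. The following is an added example, not from the post: it parses access-log lines in a common combined-log style and flags a client that requests many distinct, consecutive values of one numeric parameter (the "increment numeric values" step above), counting how many of those requests the server refused. The log lines are constructed, and the threshold of five distinct values is an assumption to be tuned to real traffic.

```python
"""Spotting a numeric parameter sweep in access logs (added example).

Not code from the post. SAMPLE_LOG is constructed; the request line and the
threshold in find_sweeps are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qsl

# ip ident user [timestamp] "METHOD path PROTOCOL" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: 10.0.0.5 walks user_id 100..105 in six seconds,
# two of them refused; the other clients look like normal use.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile?user_id=100 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /profile?user_id=101 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?user_id=102 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /profile?user_id=103 HTTP/1.1" 403
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /profile?user_id=104 HTTP/1.1" 403
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /profile?user_id=105 HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /profile?user_id=102 HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /search?q=shoes HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /profile?user_id=7&debug=true HTTP/1.1" 200
"""


def parse_log(text):
    """Turn raw lines into dicts with the query string already split out."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, count these in production
        url = urlparse(m["path"])
        rows.append({
            "ip": m["ip"],
            "path": url.path,
            "params": dict(parse_qsl(url.query, keep_blank_values=True)),
            "status": int(m["status"]),
        })
    return rows


def find_sweeps(rows, param="user_id", min_distinct=5):
    """Flag (ip, path) pairs that request many distinct values of one numeric
    parameter. Reports whether the values form a consecutive run and how many
    of the requests were refused (401/403), which is the IDOR-probe signature:
    the refusals show the checks working, the 200s are the ones to review."""
    seen = defaultdict(set)
    refused = defaultdict(int)
    for r in rows:
        value = r["params"].get(param)
        if value is None or not value.isdigit():
            continue
        key = (r["ip"], r["path"])
        seen[key].add(int(value))
        if r["status"] in (401, 403):
            refused[key] += 1
    alerts = []
    for (ip, path), values in seen.items():
        if len(values) < min_distinct:
            continue
        ordered = sorted(values)
        sequential = ordered == list(range(ordered[0], ordered[0] + len(ordered)))
        alerts.append({"ip": ip, "path": path, "distinct": len(values),
                       "sequential": sequential, "refused": refused[(ip, path)]})
    return alerts


if __name__ == "__main__":
    for alert in find_sweeps(parse_log(SAMPLE_LOG)):
        print(alert)
```

A sweep with zero refusals is the alarming case: it means every guessed id was served, so the authorization check from the profile example is missing or broken.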


⚖ Legal Reminder

Parameter testing only:

✔ In an authorized bug bounty program
✔ In your own lab environment
✔ With written permission

Unauthorized testing is illegal.


🧠 Revision Points

  • Parameter = data sent to the server

  • Hidden parameters are a major source of vulnerabilities

  • Parameters are found in URLs, forms and APIs alike

  • Changing values is the basic testing method

  • The Network tab is a bug hunter's best friend

