Hidden Parameters

attacking_with_ffuf adventofcyber2 glitch

At some point, most if not all of a website's public parameters will have been properly tested and hopefully secured. There may still be parameters that were forgotten, for instance because the "front-end" clients no longer use them, while the server still parses them.

You can use fuzzing to find them: for query parameters, for instance, fuzz the parameter name with a URL such as https://example.com?FUZZ=value and watch for responses that differ from the baseline.

Common wordlists are listed at wordlists#parameters.
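From the other side of the fence, a parameter-name fuzz leaves a recognisable trace: one client, one path, and a new query-parameter name on almost every request. The following detection script is an added example, not part of this note or of ffuf; it parses Common Log Format lines (the `LOG_RE` pattern, the `SAMPLE_LOG` lines, the `FUZZ_NAMES` list and the threshold are all constructed here) and flags any client/path pair that has used at least `threshold` distinct parameter names.

```python
"""Flag likely query-parameter-name fuzzing in web access logs (constructed example).

Heuristic: one client hitting one path with an unusually large number of
*distinct* parameter names. Legitimate clients reuse the same few names
(q, page, sort...); a wordlist-driven fuzzer that sends FUZZ=value burns
through hundreds of names against a single path.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, method, path, set_of_query_param_names, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values so a bare "FUZZ=" (empty value) still counts as a name
    names = set(parse_qs(parts.query, keep_blank_values=True))
    return m.group("ip"), m.group("method"), parts.path, names, int(m.group("status"))


def find_param_fuzzing(lines, threshold=10):
    """Map (ip, path) -> sorted distinct parameter names, for pairs at or above threshold."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk lines rather than fail the whole run
        ip, _method, path, names, _status = parsed
        seen[(ip, path)].update(names)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= threshold}


# --- constructed sample data (not real traffic) ---------------------------
FUZZ_NAMES = ["id", "debug", "page", "lang", "sort", "limit",
              "offset", "format", "callback", "version", "preview", "theme"]

SAMPLE_LOG = [
    # an ordinary visitor: a couple of repeated, documented parameters
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=boots&page=2 HTTP/1.1" 200 498',
    '198.51.100.4 - - [10/Oct/2023:13:55:45 +0000] "GET /product?sku=A1 HTTP/1.1" 200 1024',
    'garbage line that does not parse',
] + [
    # a wordlist run against /search: same path, a new parameter name per request
    f'203.0.113.9 - - [10/Oct/2023:14:02:{i:02d} +0000] "GET /search?{name}=1 HTTP/1.1" 200 512'
    for i, name in enumerate(FUZZ_NAMES)
]

if __name__ == "__main__":
    for (ip, path), names in find_param_fuzzing(SAMPLE_LOG).items():
        print(f"{ip} tried {len(names)} distinct parameter names on {path}: {', '.join(names)}")
```

The threshold is deliberately crude; in practice you would count within a sliding time window and weight the hits by how much the response size or status code varies, since a fuzzer is hunting for exactly those differences. Parameters sent in POST bodies do not appear in a standard access log, so this only covers the query-string case.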

Most likely exclusive to CTFs, but some endpoints accept POST requests while deliberately parsing GET (query-string) parameters as well, so a hidden parameter on a POST endpoint may live in the URL rather than in the body.
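The reason this happens outside CTFs is that many frameworks expose a single merged view of "the request parameters" (PHP's `$_REQUEST`, Flask's `request.values`), and a handler reading from that view accepts a name in the URL of a POST just as readily as in the body. The snippet below is an added example, not code from this note or from any framework: the `parse_raw_request`, `lookup_merged`, `lookup_strict` and `stray_query_params` functions are hypothetical stand-ins for that merged pattern, its strict counterpart, and an audit hook, and `RAW_POST` is a constructed request.

```python
"""Why a POST endpoint may still honour query-string parameters (constructed example).

lookup_merged mirrors the merged-parameter view many frameworks expose;
lookup_strict is the hardened form that reads a POST's inputs from the body
only; stray_query_params is a cheap audit signal for parameter probing.
"""
from urllib.parse import parse_qs, urlsplit


def parse_raw_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, query_params, form_params)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    return method, parts.path, query, form


def lookup_merged(method, query, form, name):
    """Weak pattern: one merged view, body values overriding query values.
    On a POST this still resolves names that only appear in the query string."""
    merged = {**query, **form}
    return merged.get(name, [None])[0]


def lookup_strict(method, query, form, name):
    """Hardened: a POST handler reads only the body; query-string parameters are ignored."""
    source = form if method == "POST" else query
    return source.get(name, [None])[0]


def stray_query_params(method, query):
    """Audit hook: parameter names supplied in the query string of a non-GET request.
    Logging these per endpoint is an easy way to spot probing of POST endpoints."""
    return set() if method == "GET" else set(query)


# constructed request: documented fields in the body, an extra name in the URL
RAW_POST = (
    b"POST /profile/update?debug=1 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"name=alice&age=30"
)

if __name__ == "__main__":
    method, path, query, form = parse_raw_request(RAW_POST)
    print(method, path, "merged debug =", lookup_merged(method, query, form, "debug"))
    print(method, path, "strict debug =", lookup_strict(method, query, form, "debug"))
    print("query-string names on POST:", stray_query_params(method, query))
```

The fix on the application side is the strict lookup: bind each handler to the one parameter source it is documented to use, and treat names arriving through any other source as input to log, not to honour.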