Param Miner: The Burp Suite Extension That Finds Parameters Nobody Told You Existed

yadav-ajay.medium.com · Ajay Yadav · 10 days ago · tool
Ajay Yadav · ~8 min read · April 1, 2026 (Updated: April 1, 2026)

*Here is something that took me a while to understand.*

When you look at a web request in Burp Suite, you see the parameters the developer decided to show you: the ones in the URL, the ones in the form fields, the ones in the body. But there is another category of parameters that most people never find. Parameters the backend quietly processes but never advertises. Hidden headers the server responds to. Debug flags that were never removed after development. Internal routing keys that change how the application behaves.

These are the parameters that lead to cache poisoning, XSS, open redirects, and privilege escalation, and you will never find them by looking at the visible request alone.

Param Miner finds them for you. Automatically. In the background. While you do other things.

## What Is Param Miner?

Param Miner is a free Burp Suite extension built by PortSwigger, the same team that makes Burp Suite itself. It identifies hidden, unlinked parameters that the application supports but never exposes in its normal interface.

It works by sending requests containing different parameter names from a large built-in wordlist, then comparing the responses. If a response changes when a particular parameter is included, that parameter is doing something on the backend, and Param Miner flags it.

The technique it uses internally is smart. It combines advanced response-diffing logic with a binary search approach that can test up to 65,000 parameter names per request without sending 65,000 individual requests.
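The batching and bisection described above, as an added example that is not Param Miner's own code: a constructed backend that silently honours two hidden parameters, a normalizing response diff so a rotating nonce does not count as a change, and a binary search over a small wordlist that isolates the hits in far fewer requests than the list has entries. The `fake_backend`, the `Miner` class and the 24-name `WORDLIST` are all hypothetical stand-ins for the real target and Param Miner's much larger built-in list.

```python
import itertools
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a target: it silently honours two parameters that no
# link or form mentions ("debug", "lang"); the nonce rotates on every response.
_nonce = itertools.count(0x1000)

def fake_backend(params: Dict[str, str]) -> str:
    body = '<html><meta name="nonce" content="{:x}">'.format(next(_nonce))
    body += "<h1>Hello</h1>" if params.get("lang", "en") == "en" else "<h1>Hola</h1>"
    if "debug" in params:
        body += "<!-- debug: 3 queries, 12ms -->"
    return body + "</html>"

def normalize(body: str) -> str:
    # Diffing step: mask content that differs between two identical requests,
    # so a rotating nonce or timestamp is not mistaken for a hidden parameter.
    return re.sub(r'content="[0-9a-f]+"', 'content="X"', body)

class Miner:
    def __init__(self, send: Callable[[Dict[str, str]], str]):
        self.send, self.requests = send, 0
        self.baseline = normalize(self._request({}))
    def _request(self, params: Dict[str, str]) -> str:
        # Every probe carries a unique cache buster (Step 4 below), so a shared
        # cache never stores a test response under a key real users would hit.
        params = dict(params, cb="pm%d" % self.requests)
        self.requests += 1
        return self.send(params)
    def _changes(self, names: List[str]) -> bool:
        # One request carries the whole batch, each candidate with its own value.
        probe = {name: "pm_%d" % i for i, name in enumerate(names)}
        return normalize(self._request(probe)) != self.baseline
    def mine(self, names: List[str]) -> List[str]:
        # Only batches that change the response are split and re-tested, so the
        # request count scales with the number of hits, not the wordlist size.
        if not names or not self._changes(names):
            return []
        if len(names) == 1:
            return names
        mid = len(names) // 2
        return self.mine(names[:mid]) + self.mine(names[mid:])

WORDLIST = ("id page q sort order limit offset debug token callback lang format "
            "redirect next ref view mode test admin preview theme locale fields since").split()

def run_demo() -> Tuple[List[str], int]:
    miner = Miner(fake_backend)
    return miner.mine(WORDLIST), miner.requests
```

`run_demo()` returns `['debug', 'lang']` after 16 requests including the baseline; probing the same 24 names one at a time would take 25.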
It batches them intelligently and narrows down which ones cause a response change.

It tests three categories:

- **URL parameters:** hidden GET or POST parameters the backend processes silently.
- **HTTP headers:** headers like X-Forwarded-Host, X-Original-URL, or X-Debug that the server responds to but the application never mentions.
- **Cookies:** hidden cookie values that change application behavior.

The most powerful use case is finding unkeyed inputs for web cache poisoning, which we will cover in the real-world scenario section.

## How to Install Param Miner

Installation is straightforward:

1. Open Burp Suite Community or Professional Edition.
2. Click the **Extensions** tab at the top.
3. Click **BApp Store**.
4. Search for **Param Miner**.
5. Click **Install**.

Once installed, Param Miner does not add a new tab to your toolbar the way Autorize does. Instead it integrates directly into Burp's right-click context menu and outputs its findings under **Extensions > Installed > Param Miner > Output**.

In Burp Suite Professional, findings also appear automatically in the Dashboard as scanner issues. In Community Edition, you read them from the Output tab.

One requirement: Param Miner needs Burp Suite version 2021.9 or later. If you are running an older version, update Burp first.

## How to Use Param Miner Step by Step

This is where most tutorials skip important details. Let me walk through the exact process.

### Step 1: Set your target scope

Go to the Target tab, right-click your target domain, and add it to scope. Param Miner works best when it knows exactly what traffic to focus on.

### Step 2: Browse the application and capture traffic

Use Burp's built-in browser to navigate through the application normally. Click through every feature, every page, every form.

Param Miner can also run in auto-mine mode, which automatically tests every in-scope request as you browse. To enable this, go to Extensions, Installed, Param Miner, and check **Auto-mine**.
### Step 3: Right-click a request and run Param Miner

In Burp's HTTP history, right-click any request you want to investigate. You will see three options in the context menu:

- **Guess headers**: tests hidden HTTP headers
- **Guess cookies**: tests hidden cookie parameters
- **Guess params**: tests hidden URL and body parameters

Start with Guess headers on your main target pages. This is where cache poisoning vulnerabilities usually hide.

### Step 4: Add a cache buster

This is critical, and most beginners skip it. When testing for hidden parameters on a live application, your requests can accidentally poison the cache for real users. Before running Param Miner, add a unique parameter to your requests as a cache buster, something like:

```
GET /home?cb=ajay123
```

This ensures your test requests get a unique cache key and only affect your own session. Never run Param Miner on a live site without a cache buster.

### Step 5: Check the Output tab

Go to Extensions, Installed, Param Miner, Output. As Param Miner runs in the background, discovered parameters appear here. Look for entries like:

```
Found issue: Reflected input: X-Forwarded-Host header on https://target.com/
Found issue: Secret input: debug=true on https://target.com/api/users
```

Each finding tells you the parameter name, the type, and the endpoint where it was found.

## Real-World Attack Scenario: Cache Poisoning with X-Forwarded-Host

Here is a scenario that shows exactly why Param Miner is so valuable.

You are testing an e-commerce website. You run Param Miner's Guess headers on the homepage. After a few minutes, the Output tab shows:

```
Found issue: Unkeyed header: X-Forwarded-Host on https://shop.target.com/
```

You open Burp Repeater and manually add the header to the homepage request:

```http
GET / HTTP/1.1
Host: shop.target.com
X-Forwarded-Host: attacker.com
```

You send the request, and in the response body the injected host appears in a script URL. The application is using the X-Forwarded-Host header to generate script URLs. And this response is being cached.
That means the next real user who visits the homepage will receive your poisoned cached response, with a script loading from a domain you control. You can put any JavaScript payload in that script file. Session cookie theft, credential harvesting, anything.

That is a web cache poisoning vulnerability that affects every visitor to the homepage until the cache expires. Param Miner found the unkeyed header in minutes. A manual review would have taken hours, or missed it entirely.

## Custom Extension: Auto-Export Param Miner Findings to a Report File

This Python extension (Burp runs Python extensions through Jython) listens for Param Miner's output and automatically saves every discovered parameter to a structured text file. Useful when running Param Miner across a large application with many endpoints.

```python
from burp import IBurpExtender, IScannerListener, IExtensionStateListener
import datetime

# Keywords found in the Param Miner issue names shown earlier ("Reflected input",
# "Secret input", "Unkeyed header"); other scanner issues are skipped.
PARAM_MINER_KEYWORDS = ("input", "param", "header")


class BurpExtender(IBurpExtender, IScannerListener, IExtensionStateListener):

    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()

        # Name shown in the Extensions tab
        callbacks.setExtensionName("Param Miner Report Logger")

        # Register to receive scanner issues, including those from Param Miner
        callbacks.registerScannerListener(self)

        # Close the report file cleanly when the extension is unloaded
        callbacks.registerExtensionStateListener(self)

        # Open report file in append mode
        self._report_file = open("param_miner_findings.txt", "a")
        print("[*] Param Miner Report Logger is running.")

    def newScanIssue(self, issue):
        # Only log issues related to Param Miner findings
        issue_name = issue.getIssueName()
        lowered = issue_name.lower()
        if not any(keyword in lowered for keyword in PARAM_MINER_KEYWORDS):
            return

        # Extract URL and issue details
        url = issue.getUrl()
        severity = issue.getSeverity()
        detail = issue.getIssueDetail()
        timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")

        # Build a readable log entry
        entry = (
            "\n[{}]\n"
            "Issue: {}\n"
            "URL: {}\n"
            "Severity: {}\n"
            "Detail: {}\n"
            "{}\n"
        ).format(timestamp, issue_name, url, severity, detail, "-" * 60)

        # Write to file immediately
        self._report_file.write(entry)
        self._report_file.flush()
        print("[+] Logged: {} at {}".format(issue_name, url))

    def extensionUnloaded(self):
        # Flush and release the file handle when Burp unloads the extension
        self._report_file.close()
```

How to load this in Burp:

1. Go to Extensions and click Add.
2. Set Extension Type to Python.
3. Select this file and click Next.
4. Run Param Miner as normal on your targets.

Every parameter Param Miner discovers gets saved to param_miner_findings.txt in your working directory with the URL, severity, and detail. After your session, that file is a structured findings list ready to go into your report.

Note: This extension hooks into Burp's scanner listener, which works in both Community and Professional editions when Param Miner reports findings through the scanner API.

## Where to Practice Legally

Never run Param Miner on any application without written permission. Testing for hidden parameters on a live site you do not own is unauthorized access under the IT Act 2000 in India and similar laws in other countries.

Here is where you can practice legally:

- **PortSwigger Web Security Academy** at portswigger.net/web-security/web-cache-poisoning. This is the best place to start with Param Miner. Free labs cover web cache poisoning from basic to advanced, all designed to be solved using Param Miner in Burp Suite. Work through every lab in the cache poisoning section.
- **Gin and Juice Shop** at ginandjuice.shop is PortSwigger's own deliberately vulnerable demo site. It is specifically designed for Param Miner practice and is mentioned in Burp Suite's official documentation. You can run Param Miner freely against it.
- **DVWA (Damn Vulnerable Web Application)** runs locally on your machine. Good for practicing hidden parameter discovery in a controlled environment.
- **HackTheBox** has retired machines where finding hidden parameters is part of the intended path. Once you are comfortable with the basics, these machines give you a more realistic challenge.

Start with PortSwigger's cache poisoning labs. There are over 12 of them, ranging from basic unkeyed headers to complex chained attacks. Param Miner is the intended tool for most of them.
## Final Thoughts

Most security tools find the vulnerabilities that are easy to see. Param Miner finds the ones that are hiding. A parameter the developer forgot to remove. A header the CDN passes through silently. A debug flag that was never disabled in production. These are the kinds of findings that separate a thorough pentest from a surface-level one.

The fact that it runs in the background while you do other work makes it even more valuable. Right-click a request, hit Guess headers, and let it run while you continue testing manually. By the time you circle back to the Output tab, it may have already found something interesting.

Install it, run it on the PortSwigger cache poisoning labs, and see what it uncovers.

Next in this series: Turbo Intruder, the extension that replaces Burp's slow Community Edition Intruder with a script-based engine capable of sending thousands of requests per second, and how to use it for race condition attacks.

#cybersecurity #ethical-hacking #web-security #bug-bounty #penetration-testing