Parameter Digger

The Param Digger is a tool for parameter discovery. It identifies hidden, unlinked, and “obscure” parameters that can be useful for increasing the attack surface, thus easing the process of finding vulnerabilities. It uses a given URL as a seed and performs brute force guessing attacks to identify parameters. It is primarily based on James Kettle’s research and implementation: Practical Web Cache Poisoning and Web Cache Entanglement.
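
From the defender's side, parameter guessing against a seed URL leaves a recognisable trace: one client sends a burst of requests to the same path, each carrying a different query parameter name. The following is an added example, not code from the Param Digger add-on or from ZAP; it assumes a combined-style access log, a constructed sample of log lines, and a threshold of five distinct parameter names per client and path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not real traffic): client 10.0.0.5 cycles through
# guessed parameter names against /account, client 10.0.0.9 is ordinary paging.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /account?debug=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /account?admin=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /account?test=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /account?callback=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /account?redirect=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /account?lang=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /account?page=2 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /account?page=3 HTTP/1.1" 200 512
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)

def distinct_param_names(log_text):
    """Map (client, path) -> set of distinct query parameter names seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, target, _status = m.groups()
        parts = urlsplit(target)
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            seen[(client, parts.path)].add(name)
    return seen

def flag_param_guessing(log_text, threshold=5):
    """Return (client, path, count) for pairs with >= threshold distinct names.

    A legitimate client reuses the same few parameter names; a brute-force
    guesser cycles through many names against one seed URL, so the number
    of distinct names per (client, path) is the signal."""
    return sorted(
        (client, path, len(names))
        for (client, path), names in distinct_param_names(log_text).items()
        if len(names) >= threshold
    )
```

Running `flag_param_guessing(SAMPLE_LOG)` flags only the guessing client; the threshold and time window should be tuned to the application's normal parameter usage to keep false positives low.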

The Param Digger can be configured and started using the Param Digger dialog.

It provides:

Top Level Menu

A menu item under the top level ‘Tools’ menu.

Status Panel

A basic status panel.

ZAP API Component

An API component that adds an action endpoint.

Also see: