I LOVE this tool. I’m definitely adding this to my methodology. I used to use something like the wayback machine downloader to download everything related to the targets of the engagement and then create a wordlist after the fact.
I will continue to do so but this is a quick and easy way to find old or undocumented parameters and their values.
Best part is you can exclude certain file types.
The tool is called ParamSpider;
You can check it out HERE
To install it:
cd /opt/OSINT/ sudo git clone https://github.com/devanshbatham/ParamSpider cd ParamSpider pip3 install -r requirements.txt python3 paramspider.py --domain gainsec.com --exclude php,jpg,svg
I highly recommend checking out the Github as they have some other useful examples of how to use the tool.