Description
Param Miner is a Burp Suite extension that identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities, hidden debug parameters, and undocumented API fields. Created by PortSwigger's James Kettle, the researcher behind many HTTP desync and cache poisoning techniques.
Installation
# Burp Suite BApp Store (recommended)
Burp Suite → Extender → BApp Store → Search "Param Miner" → Install
# Manual install
1. Download from https://github.com/PortSwigger/param-miner
2. Burp → Extender → Add → Select JAR file
Basic Usage
# From Burp Suite:
1. Browse target through Burp proxy
2. Right-click any request → Extensions → Param Miner → Guess params
3. Check "Guess GET/POST params" or "Guess headers"
4. Review results in Extender → Output tab
# The extension automatically:
- Brute-forces parameter names from built-in wordlists
- Tests for reflected parameters
- Identifies cacheable parameters
Advanced Usage
# Cache poisoning detection
1. Right-click request → Param Miner → Guess headers
2. Look for unkeyed headers that change the response
3. Common poisoning headers: X-Forwarded-Host, X-Original-URL, X-Forwarded-Scheme, X-Rewrite-URL
# Custom wordlist
1. Param Miner → Options → Custom wordlist path
2. Add domain-specific parameter names
# Targeted header mining
1. Right-click → Param Miner → Guess headers
2. Monitor for responses that change based on injected headers
3. Focus on: X-Forwarded-For, X-Original-URL, X-Custom-IP-Authorization
Common Workflows
# Web cache poisoning workflow
1. Identify a CDN/cache layer (check the X-Cache, Age and Via response headers)
2. Run Param Miner header guessing
3. Find unkeyed input that reflects in response
4. Chain with XSS payload for stored cache poisoning
5. Example: X-Forwarded-Host: evil.com → reflected in script src
# Hidden admin parameter discovery
1. Run Param Miner on login/admin endpoints
2. Look for: debug, admin, test, internal, verbose
3. Check if debug=true reveals stack traces or bypasses auth
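The X-Forwarded-Host reflection in the cache poisoning workflow above comes from application code that builds absolute URLs from proxy headers. The following is an added example, not code from Param Miner or the original page: a small helper showing the unsafe host-resolution pattern next to a hardened one that only honours hosts from a configured allowlist (CANONICAL_HOST, ALLOWED_HOSTS and the header values are constructed for the example).

```python
# Added example (not from Param Miner or the original page): choosing the host
# used to build absolute URLs such as <script src>. The unsafe variant trusts
# X-Forwarded-Host blindly, which is the pattern that header guessing surfaces;
# the hardened variant accepts only allowlisted hosts and falls back to the
# canonical host, so an unkeyed header can never end up in a cached response.
from typing import Mapping

# Constructed configuration for this example.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def public_host_unsafe(headers: Mapping[str, str]) -> str:
    """Vulnerable pattern: whatever the proxy header says wins."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)


def public_host(headers: Mapping[str, str], trusted_proxy: bool = False) -> str:
    """Hardened: X-Forwarded-Host is honoured only behind a trusted proxy and
    only if it names a host we actually serve; Host gets the same check."""
    candidates = []
    if trusted_proxy:
        candidates.append(headers.get("X-Forwarded-Host"))
    candidates.append(headers.get("Host"))
    for value in candidates:
        if not value:
            continue
        host = value.split(",")[0].strip().lower()  # first hop only
        host = host.split(":")[0]                    # drop any port
        if host in ALLOWED_HOSTS:
            return host
    return CANONICAL_HOST


def script_tag(headers: Mapping[str, str], trusted_proxy: bool = False) -> str:
    """Builds the absolute <script src> that a cache could store."""
    host = public_host(headers, trusted_proxy)
    return f'<script src="https://{host}/static/app.js"></script>'
```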