A penetration tester is performing active reconnaissance on a web application and needs to discover parameters that the application accepts. Which TWO tools are most commonly used for parameter discovery? (Select TWO.)
ffuf is a fast web fuzzer that can be used for parameter brute-forcing.
Why this answer
ffuf (Fuzz Faster U Fool) is a high-performance web fuzzer commonly used for parameter discovery by brute-forcing HTTP request parameters (GET/POST) against a target endpoint. Arjun is a dedicated parameter discovery tool that uses a wordlist of common parameter names and analyzes response differences (e.g., status codes, content length) to identify valid parameters. Both tools are specifically designed for active reconnaissance to enumerate hidden or undocumented parameters in web applications.
Exam trap
The trap here is that candidates often confuse general-purpose web scanners (like Nikto) or CMS-specific tools (like WPScan) with dedicated parameter discovery tools, leading them to select options that perform different reconnaissance tasks.