ParamSleuth
ParamSleuth is a web app plus CLI that discovers and tests “forgotten” or undocumented parameters, the kind that often lead to authorization bypasses, mass assignment, and logic flaws.

It works in two phases. First it passively learns the parameter surface from traffic and documentation: HAR files, proxy exports, OpenAPI specs, and server logs. Then it actively probes endpoints with safe, rate-limited mutations and flags suspicious behaviour changes: status code shifts, changes in the number of returned objects, and data that leaks across a privilege boundary. It focuses on the places where the parameter surface is largest today: GraphQL variables, REST query and body parameters, and JSON patch-style updates.

Results are packaged as reproducible test cases (curl, Postman, Burp) with clear evidence, not vague “possible issue” alerts.

ParamSleuth is not a replacement for a full scanner. It is a narrow tool that helps teams catch the class of bugs that slips through SAST, DAST, and code review because the parameter surface is huge and constantly changing.
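The learn-then-probe loop described above, as an added example that is not ParamSleuth's own code: it extracts the parameter set each endpoint actually received from a constructed HAR fragment, extracts the set each endpoint documents from a constructed OpenAPI fragment, treats documented-but-never-seen names as "forgotten" candidates, adds each one to a replayed baseline request, and reports status, object-count and new-field deltas together with a curl reproduction. The target is a constructed in-process stand-in (`fake_send`) so the script runs offline; the host `api.example.test`, the `/v1/orders` path, and the parameter names `include_deleted` and `owner_id` are all assumptions made for the example.

```python
"""Learn parameters from a HAR + OpenAPI spec, probe the gaps. Added example, not ParamSleuth code."""
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed HAR fragment: two requests exactly as a real client sent them.
HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/v1/orders?status=open&page=1"}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/orders",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"item": "sku-1", "qty": 2})}}},
]}}
# Constructed OpenAPI fragment: declares include_deleted and owner_id, which the traffic never used.
OPENAPI = {"paths": {"/v1/orders": {
    "get": {"parameters": [{"name": "status", "in": "query"},
                           {"name": "page", "in": "query"},
                           {"name": "include_deleted", "in": "query"}]},
    "post": {"requestBody": {"content": {"application/json": {"schema": {
        "properties": {"item": {}, "qty": {}, "owner_id": {}}}}}}},
}}}
PROBE_VALUE = "true"  # one marker value per candidate; the response shape, not the value, decides

def params_from_har(har):
    """{(METHOD, path): names} observed in traffic: query string plus JSON body keys."""
    seen = {}
    for entry in har["log"]["entries"]:
        req, url = entry["request"], urlparse(entry["request"]["url"])
        names = set(parse_qs(url.query))
        post = req.get("postData")
        if post and post.get("mimeType", "").startswith("application/json"):
            names |= set(json.loads(post["text"]))
        seen.setdefault((req["method"].upper(), url.path), set()).update(names)
    return seen

def params_from_openapi(spec):
    """{(METHOD, path): names} the spec declares: parameters plus JSON body properties."""
    declared = {}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            names = {p["name"] for p in op.get("parameters", [])}
            body = op.get("requestBody", {}).get("content", {}).get("application/json", {})
            names |= set(body.get("schema", {}).get("properties", {}))
            declared[(method.upper(), path)] = names
    return declared

def forgotten_params(observed, declared):  # documented but never exercised by a real client
    gaps = {k: v - observed.get(k, set()) for k, v in declared.items()}
    return {k: v for k, v in gaps.items() if v}

def signature(status, body):
    """(status, object count, top-level keys) of a JSON object/array response."""
    items = body if isinstance(body, list) else next(
        (v for v in body.values() if isinstance(v, list)), None)
    return status, None if items is None else len(items), frozenset(body) if isinstance(body, dict) else frozenset()

def classify(baseline, probed):
    """Concrete evidence of a behaviour change, or [] when nothing observable moved."""
    (bs, bc, bk), (ps, pc, pk) = signature(*baseline), signature(*probed)
    findings = []
    if bs != ps:
        findings.append(f"status {bs}->{ps}")
    if bc is not None and pc is not None and bc != pc:
        findings.append(f"object count {bc}->{pc}")
    if pk - bk:
        findings.append("new fields " + ",".join(sorted(pk - bk)))
    return findings

def as_curl(method, url, params):  # reproducible test case for one finding
    if method == "GET":
        return f"curl -s '{url}?{urlencode(params)}'"
    return f"curl -s -X {method} -H 'Content-Type: application/json' -d '{json.dumps(params)}' '{url}'"

def probe(send, base_url, candidates, base_params, delay=0.0):
    """Replay the baseline, then add one forgotten parameter at a time and diff the response."""
    report = []
    for (method, path), names in candidates.items():
        url, base = base_url + path, base_params[(method, path)]
        baseline = send(method, url, base)
        for name in sorted(names):
            time.sleep(delay)  # rate limit: at most one mutation per `delay` seconds
            mutated = {**base, name: PROBE_VALUE}
            findings = classify(baseline, send(method, url, mutated))
            if findings:
                report.append({"method": method, "path": path, "param": name,
                               "evidence": findings, "repro": as_curl(method, url, mutated)})
    return report

def fake_send(method, url, params):  # constructed in-process target; returns (status, parsed JSON)
    if method == "GET":  # soft-deleted rows leak when the undocumented flag is set
        leaked = [{"id": 3, "deleted": True}] if params.get("include_deleted") == PROBE_VALUE else []
        return 200, {"orders": [{"id": 1}, {"id": 2}] + leaked}
    created = {"id": 9, "item": params["item"], "qty": params["qty"]}
    if "owner_id" in params:  # mass assignment: the server trusted a client-supplied owner
        created["owner_id"] = params["owner_id"]
    return 201, created

def run(send=fake_send):
    candidates = forgotten_params(params_from_har(HAR), params_from_openapi(OPENAPI))
    base_params = {("GET", "/v1/orders"): {"status": "open", "page": "1"},
                   ("POST", "/v1/orders"): {"item": "sku-1", "qty": 2}}
    return probe(send, "https://api.example.test", candidates, base_params)
```

`run()` returns two findings against the stand-in: `include_deleted` changes the object count from 2 to 3 on GET, and `owner_id` comes back as a new field on POST, each with a curl line that reproduces it. To point this at a real API, pass a `send` callable that issues the request and returns `(status, parsed_json)` and set `delay` to the agreed rate limit. The example adds each candidate with a single marker value; a real probe would try several value classes (another tenant's identifier, booleans, empty values) and compare more than status, count and keys, but the baseline-versus-mutation diff is the core of the technique.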