redteampentesting / monsoon Goto Github PK

Hi :D,
is there a way to use multiple keywords?, something like this:

monsoon -f usernames.txt:FUZZ1 -f passwords.txt:FUZZ2 -XPOST -u http://example.com -d 'username=FUZZ1&password=FUZZ2'

-it would also be interesting to have a proxy option

best regards :D

Hi guys :D, is there a possibility to implement in the http client can supplant the TLS fingerprint, something like this: https://github.com/Danny-Dasilva/CycleTLS.

Regards 😃

monsoon fuzz --replace FUZZ1:range:97-98:%c --replace FUZZ2:range:35-38:%c 'http://example.local/user?id=FUZZ1FUZZ2'

 status   header     body   value    extract

    404      173       17   [a, %]  
    404      173       17   [a, $]  
    404      173       17   [a, &]  
    404      173       17   [a, #]  
    404      173       17   [b, &]  
    404      173       17   [b, #]  
    404      173       17   [b, %]  
    404      173       17   [b, $] 

good work, your tool is excellent, I just wanted to add here this functionality that I have not seen documented in the tool, interesting results appear when replacing %c by %q or %T or %U xd. Regards

it would be nice if you could add options to encode the payloads, something like this:

--replace FUZZ:range:1-100:base64-md5-url_encode which transforms the numbers from 1 to 100 in base64, md5 and then url_encode 🤔 😃 ...

Monsoon doesn't show matched responses if multiple status codes are specified.

For example a similar command to the one below shows that multiple responses have been seen with status code 302 (in the status code display on the bottom), however no results are shown in the results table.
$ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 301,302

If I specify only a single status code or a range as follows, then the results table is populated.
$ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 302
$ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 301-302

Hello,

In order to enhance the fuzzer's effectiveness, it is crucial to incorporate a file size filtering option. Neglecting this feature can render the fuzzer's response futile at times, as illustrated in the attached image.

Cheers