name: monsoon
version: 0.7.0
homepage: https://github.com/RedTeamPentesting/monsoon
download: https://github.com/RedTeamPentesting/monsoon/releases/tag/v0.7.0
further information: https://blog.redteam-pentesting.de/2020/introducing-monsoon/
author: RedTeam Pentesting GmbH
licence: MIT
description: A flexible HTTP enumerator to identify and probe for files, webpages, directory traversals or used for exploitation of insecure direct object references as well as probing for different webserver behaviours.
dependencies: to compile the code, at least go 1.17. Otherweise it is a static stand-alone binary.
similar tools: gobuster, ffuf, wfuzz
activity: publicly active since 2020, development internally since 2017
how to install: go build for compilation, otherwise just execute the binary from the releases
how to use:

searching for present directories on a webserver

monsoon fuzz --file raft-small-directories-lowercase.txt https://example.com/FUZZ --hide-status 404

searching for information via an insecure direct object reference

monsoon fuzz --range 1-100 --extract '(?is)<title>(.*)</title>' https://example.com/user/FUZZ

Only show redirect responses with status codes between 300 and 399

monsoon fuzz --file filenames.txt --show-status 300-399 https://example.com/FUZZ

Further example use-cases can be seen on the Github page, the blogpost or even via monsoon itself, calling 'monsoon help fuzz'.

packaged: no