Fast HTTP enumerator

Overview

monsoon

A fast HTTP enumerator that allows you to execute a large number of HTTP requests, filter the responses and display them in real-time.

Example

Run an HTTP GET request for each entry in filenames.txt, hide all responses with the status code 403 or 404:

basic demo

Common usage of monsoon is also covered in our blog article "Introducing monsoon - a lean and versatile HTTP enumerator".

Installation

Building from source

These instructions will get you a compiled version of the code in the master branch.

You'll need a recent version of the Go compiler, at least version 1.14. For Debian, install the package golang-go.

Clone the repository, then from within the checkout run the following command:

$ go build

Afterwards you'll find a monsoon binary in the current directory. It can be built for other operating systems as follows:

$ GOOS=windows GOARCH=amd64 go build -o monsoon.exe

Unofficial Packages

For Arch Linux based distributions monsoon is available as an unofficial package on the AUR. Using your AUR helper of choice such as yay:

yay -S monsoon

Getting Help

The program has several subcommands; the most important one is fuzz, which contains the main functionality. You can display a list of commands as follows:

$ ./monsoon -h
Usage:
  monsoon command [options]

Available Commands:
  fuzz        Execute and filter HTTP requests
  help        Help about any command
  show        Construct and display an HTTP request
  test        Send an HTTP request to a server and show the result
  version     Display version information

Options:
  -h, --help   help for monsoon

Use "monsoon [command] --help" for more information about a command.

For each command, calling it with --help (e.g. monsoon fuzz --help) will display a description of all the options, and calling monsoon help fuzz also shows an extensive list of examples.

Wordlists

The SecLists Project collects wordlists that can be used with monsoon.

Issues
  • The show-status / hide-status flags don't work with multiple status codes

    Monsoon doesn't show matched responses if multiple status codes are specified.

    For example a similar command to the one below shows that multiple responses have been seen with status code 302 (in the status code display on the bottom), however no results are shown in the results table.

    $ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 301,302

    If I specify only a single status code or a range as follows, then the results table is populated.

    $ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 302
    $ monsoon fuzz https://example.com/FUZZ -f wordlist.txt --show-status 301-302

    opened by mrschyte 2
  • fix: Read response body more efficiently

    This PR removes the (for most requests unnecessary) allocation of 5MB for the response body per request.

    I tested this with a 45k-lines wordlist against a local HTTPS test server in Go that returns a random status code and small response bodies:

    | Branch         | Requests/s | Time |
    |----------------|------------|------|
    | Current Master | 1811       | 19s  |
    | This PR        | 11947      | 3s   |

    opened by erikgeiser 1
  • Increase Connection Pool Limit to Avoid Resource Exhaustion

    The current HTTP transport limits the idle connections for pooling to 2 (MaxIdleConns is unlimited but MaxIdleConnsPerHost is DefaultMaxIdleConnsPerHost=2). In the default configuration, monsoon will already do 5 concurrent requests which causes the limit to be exceeded and connections to be closed and reopened unnecessarily.

    As this closing and reopening keeps happening over the lifetime of the scan, the operating system will keep the ephemeral ports of the countless closed connections in a TIME_WAIT state for some time. This can then easily cause the system to accumulate ports in this state until it exceeds its limits (on macOS this causes the error can't assign requested address).

    This PR sets MaxIdleConnsPerHost and DefaultMaxIdleConnsPerHost to 100. The same solution was already applied to gobuster (see https://github.com/OJ/gobuster/issues/127 and https://github.com/OJ/gobuster/pull/140). The problem is also described in detail in this blog post, which suggests the same solution.

    Another solution would be to take the number of "threads" as an argument and set it as the limit. This is what https://github.com/rakyll/hey does.

    opened by erikgeiser 0
  • Add Unconditional socks5 Proxy Support

    This PR adds support for an unconditional socks5 proxy. monsoon already supported HTTP and socks5 proxies via http.ProxyFromEnvironment, but connections to loopback devices are excluded. Through the environment variable FORCE_SOCKS5_PROXY a socks5 server can be configured that also forwards requests to loopback devices. Username and password are supported and $NO_PROXY is also respected.

    The help texts for the fuzz and test commands were modified to explain the possible proxy configuration options.

    I also changed the Dial field of the http.Transport to DialContext because the former was deprecated.

    opened by erikgeiser 0
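The idle-pool behaviour described in the connection pool PR above can be measured with Go's standard net/http package. This is an added example, not code from monsoon or from the PR; countDials, the barrier in the test server and the burst sizes are assumptions chosen so that every burst needs all of its connections at the same time.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
)

// countDials sends `rounds` bursts of `workers` simultaneous GETs to a local
// test server and returns how many TCP connections the client had to open.
func countDials(perHost, workers, rounds int) int64 {
	var gate sync.WaitGroup // constructed barrier: a whole burst is in flight at once
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		gate.Done()
		gate.Wait() // answer only after every worker of this burst has connected
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()

	var dials int64
	tr := &http.Transport{
		MaxIdleConnsPerHost: perHost, // 0 selects DefaultMaxIdleConnsPerHost (2)
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			atomic.AddInt64(&dials, 1) // each dial uses a fresh ephemeral port
			return (&net.Dialer{}).DialContext(ctx, network, addr)
		},
	}
	defer tr.CloseIdleConnections()
	client := &http.Client{Transport: tr}
	for i := 0; i < rounds; i++ {
		gate.Add(workers)
		var wg sync.WaitGroup
		for j := 0; j < workers; j++ {
			wg.Add(1)
			go func() {
				defer wg.Done()
				if resp, err := client.Get(srv.URL); err == nil {
					resp.Body.Close()
				}
			}()
		}
		wg.Wait() // every connection has now been offered back to the idle pool
	}
	return atomic.LoadInt64(&dials)
}

func main() { fmt.Println("default:", countDials(0, 5, 10), "tuned:", countDials(100, 5, 10)) }
```

With 5 workers and 10 bursts, the default pool keeps only 2 of the 5 connections after each burst, so the client opens 5 + 3×9 = 32 connections, while a limit of 100 reuses the first 5 for the whole run.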
Releases (v0.7.0)
  • v0.7.0 (Jun 28, 2022)

    Changes:

    • Improved and prettified error handling for input data and request-related errors
    • New option to configure the number of redirects to follow with --follow-redirect n
    • New options to force connecting exclusively via IPv4 (--ipv4-only) or IPv6 (--ipv6-only)
    • Bug fixes for the filtering logic of the --show-status option, improved column indentation and better help texts
    • Updated dependencies
  • v0.6.0 (Oct 28, 2020)

Owner
RedTeam Pentesting GmbH