Multiple FUZZ keywords?

[trapisone]

Hi :D,
is there a way to use multiple keywords?, something like this:

monsoon -f usernames.txt:FUZZ1 -f passwords.txt:FUZZ2 -XPOST -u http://example.com -d 'username=FUZZ1&password=FUZZ2'

-it would also be interesting to have a proxy option

best regards :D

[rtpt-alexanderneumann]

At the moment monsoon does not support fuzzing with multiple lists, but it would be possible to rework the internal processing pipeline (docs here) to do that.

Monsoon already has proxy support, although it's a bit hidden (in the extended help text of e.g. the fuzz command):

$ monsoon help fuzz

[...]
Proxy Configuration
###################

A Proxy for HTTP and HTTPS requests can be configured separately via the environment
variables HTTP_PROXY and HTTPS_PROXY. Both HTTP and socks5 proxies are supported:

    HTTP_PROXY=socks5://user:pass@proxyhost:123 monsoon fuzz [...]

Request to the loopback device are excluded from this proxy configuration. However,
an unconditional socks5 server can be configured as follows:

    FORCE_SOCKS5_PROXY=user:pass@proxyhost:123 monsoon fuzz [...]

[...]

[trapisone]

Thank you for your response,

• the proxy thing works perfect :D.

• regarding the design.md, I can't understand how I could implement this in a command with monsoon, should I use the:
  monsoon fuzz ... --extract-pipe 'monsoon fuzz ...' something like that?.

best regards

[rtpt-alexanderneumann]

At the moment you just cannot do that with monsoon. It'd need internal restructuring of the processing pipeline to support that, so somebody needs to step up (or I find some time) to do that :)

[rtpt-alexanderneumann]

Ah, we can also leave this issue open as a reminder :)

[rtpt-alexanderneumann]

FYI, I've implemented multiple parameters using the new --replace flag, e.g.:

$ monsoon fuzz --replace A:range:1-10 --replace B:range:1-10 http://localhost/A/B

It's not released (yet), but you can find the code in the main branch.