A Web application security auditing tool
By 10function (10function [AT] gmail [DOT] com)

monkey pic


SpaceMonkey is a Web application auditing tool/Security auditing tool.
It's purpose is to put in lights applicative flaws that could be used by malicious people in order to compromise the server hosting the Web application.

Using fault injection (fuzzing) technics it will try to discover automatically the following flaws :
SpaceMonkey can also be used as a crawler in order to extract site structure or information like emails adresses, images, cookies sent, client-side scripts (javascript,vbscript) or ActiveX/Applets objects from the browsed Web pages.


SpaceMonkey is written in C/C++ and rely on tidy libraryfor HTML parsing.
on Mozilla SpiderMonkey JavaScript library for Javascript handling.


SpaceMonkey sources download
Download lastest sources [version 1.0] (20100123)



CVS Repository

Browse CVS repository


SpaceMonkey should not be used against machines you do not own or administer, or have prior permission to run attack tools against. 10function takes no responsibility for any problems related to running SpaceMonkey on or against local or remote machines.

How it works

SpaceMonkey acts as first as a simple Web browser : it goes and get the web pages associated with the URL gived in command line parameters.
This step is called the "Discovery" , the exploration of the web pages is recursive , that means that it fetches a web page, extract all the links found in it and then apply the same process for the new discovered links.
Of course on a huge Website, this step could take a tremendous amount of time due to the numerous web pages to get and explore.
So you can limit the "recursive deep" parameter with the -P command line option.
Using this , the discovery will take a shorter time but will also be more incomplete ...
Please also note, that the exploration only floows links inside the URL gived in command line. Links outside this URL are considered external and will not be fetched or analyzed.

Once finished, the "Discovery" step gives a rather good knowledge of how the application was designed and the hierarchy (directories) used.
The second step which is optional, is called "Discovery Enhancement", its purpose is to add valuable information to what has been discovered by the classic previous step.
There you can for example check if that certain common directories (see file data/directories.txt as an example) could be found in the target structure.
Another option is to seek "Suffixed" files : By adding common used files suffixes (like .old or .bak) to the already discovered documents URLs.

At last you can play the "Attacks Technics" on dicovered scripts (PHP,ASP,JSP,CGI...) by using the -K command line option
The whole idea is to provide the scripts found during the dicovery steps with "fuzzy" input in order to generate a fault.
"Fault Detection" permits to detect the fault and classify it.
Right now , a fault is detected regarding the following parameters :
Obsiously some false "positive" or false "negative " could occurs due to the limitation of the software.


By now, WebMonkey is pure alpha software and was written for demonstartive and fun purposes. All your comments, remarks, advices are welcome.
If you want to collaborate and are interressed in IT security or C/C++, you are welcome to join the crew !


Feel free to contact me :
10function [4t) gmail {d0t] com


Chuck Palahniuk for having the sick mind of writting a book such "Fight Club".

Related projects

Autodafe Logo Open Source Vulnerability Database
Copyright (C) 2006-2010 10function