SpaceMonkey
A Web application security auditing tool
By 10function (10function [AT] gmail [DOT] com)
Description
SpaceMonkey is a Web application security auditing tool.
Its purpose is to bring to light application-level flaws that an attacker could use to compromise the server hosting the Web application.
Using fault injection (fuzzing) techniques, it tries to discover the following flaws automatically:
SpaceMonkey can also be used as a crawler to extract the site structure or information such as email addresses, images, cookies sent, client-side scripts (JavaScript, VBScript) or ActiveX/Applet objects from the browsed Web pages.
Dependencies
SpaceMonkey is written in C/C++ and relies on the Tidy library for HTML parsing and on the Mozilla SpiderMonkey JavaScript library for JavaScript handling.
Download
SpaceMonkey sources download
Download latest sources [version 1.0] (20100123)
Documentation
Documentation
CVS Repository
Browse CVS repository
Disclaimer
SpaceMonkey should not be used against machines you do not own or administer, or have prior permission to run attack tools against. 10function takes no responsibility for any problems related to running SpaceMonkey on or against local or remote machines.
How it works
SpaceMonkey first acts as a simple Web browser: it fetches the web pages associated with the URL given as a command line parameter.
This step is called "Discovery". The exploration of the web pages is recursive: it fetches a web page, extracts all the links found in it and then applies the same process to the newly discovered links.
Of course, on a huge Web site this step can take a tremendous amount of time because of the number of web pages to fetch and explore.
So you can limit the recursion depth with the -P command line option.
With a depth limit, discovery takes less time but is also less complete.
Please also note that the exploration only follows links inside the URL given on the command line. Links outside this URL are considered external and are neither fetched nor analyzed.
Once finished, the "Discovery" step gives a fairly good picture of how the application is designed and of the directory hierarchy it uses.
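The discovery step described above, as an added example in Python. This is not SpaceMonkey's own code (SpaceMonkey is written in C/C++): it only illustrates the crawl logic, i.e. recursive link extraction, the depth limit that -P stands for, and the rule that links outside the start URL are recorded as external but never fetched. The site contents, URLs and the fake_fetch function are constructed so that it runs offline; the names scope_of, in_scope, discover and directories are this example's own.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collects <a href> links (which are followed) and <img>/<script> src assets (recorded only)."""

    def __init__(self):
        super().__init__()
        self.links, self.assets = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "script") and a.get("src"):
            self.assets.append(a["src"])


def scope_of(start):
    """Scope = scheme, host and the *directory* of the start URL, always with a trailing slash,
    so that /app/ does not accidentally cover /app2/."""
    s = urlsplit(start)
    path = s.path or "/"
    if not path.endswith("/"):
        path = path.rsplit("/", 1)[0] + "/"
    return s.scheme, s.netloc, path


def in_scope(url, scope):
    u = urlsplit(url)
    return (u.scheme, u.netloc) == scope[:2] and u.path.startswith(scope[2])


def discover(start, fetch, max_depth):
    """Breadth-first crawl from `start`; in-scope links are followed up to `max_depth` hops
    (what the -P limit stands for). fetch(url) returns the page body, or None if the URL does
    not exist. Returns (pages: url -> depth, assets, external links seen but not fetched)."""
    scope = scope_of(start)
    pages, assets, external = {}, set(), set()
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        url, depth = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        extractor = LinkExtractor()
        extractor.feed(body)
        pages[url] = depth
        assets.update(urljoin(url, src) for src in extractor.assets)
        if depth >= max_depth:          # depth limit reached: record the page, do not expand it
            continue
        for href in extractor.links:
            target = urldefrag(urljoin(url, href)).url   # resolve relative links, drop #fragments
            if urlsplit(target).scheme not in ("http", "https"):
                continue                                 # mailto:, javascript:, ...
            if not in_scope(target, scope):
                external.add(target)
            elif target not in seen:
                seen.add(target)
                queue.append((target, depth + 1))
    return pages, assets, external


def directories(pages):
    """Directory hierarchy implied by the discovered URLs, as sorted path prefixes."""
    dirs = set()
    for url in pages:
        parts = urlsplit(url).path.split("/")[1:-1]      # drop leading '' and the file component
        for i in range(1, len(parts) + 1):
            dirs.add("/" + "/".join(parts[:i]) + "/")
    return sorted(dirs)


# Constructed in-memory site standing in for the HTTP fetch, so the example runs offline.
SITE = {
    "http://example.test/app/": """<html><body>
        <a href="index.php?page=home">Home</a>
        <a href="about.html">About</a>
        <a href="/app/admin/login.php">Admin</a>
        <a href="http://other.test/partner">Partner</a>
        <a href="../outside.html">Outside the scope</a>
        <a href="mailto:webmaster@example.test">Mail</a>
        <img src="images/logo.png">
        </body></html>""",
    "http://example.test/app/index.php?page=home": "<html><body><a href='/app/'>Back</a></body></html>",
    "http://example.test/app/about.html": "<html><body><a href='docs/faq.html'>FAQ</a></body></html>",
    "http://example.test/app/admin/login.php": "<html><body><form action='login.php'></form></body></html>",
    "http://example.test/app/docs/faq.html": "<html><body><a href='deep/page.html#top'>Deep</a></body></html>",
    "http://example.test/app/docs/deep/page.html": "<html><body>leaf</body></html>",
}


def fake_fetch(url):
    return SITE.get(url)


if __name__ == "__main__":
    for limit in (1, 3):
        pages, assets, external = discover("http://example.test/app/", fake_fetch, limit)
        print("depth %d: %d pages, dirs %s, external %s"
              % (limit, len(pages), directories(pages), sorted(external)))
```

With the depth limit at 1 the crawl stops after the start page's direct links (4 pages); at 3 it reaches docs/deep/page.html (6 pages). The partner site and ../outside.html are reported as external and never fetched, which is the scope rule stated above.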
The second step, which is optional, is called "Discovery Enhancement". Its purpose is to add valuable information to what the previous step discovered.
For example, you can check whether certain common directories (see the file data/directories.txt as an example) exist in the target structure.
Another option is to look for "suffixed" files by adding commonly used file suffixes (like .old or .bak) to the URLs of already discovered documents.
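The two enhancement checks above, as an added Python example that is not SpaceMonkey's own code. It probes common directory names under every directory the discovery step implied, and common suffixes on every discovered document. The word lists COMMON_DIRS and SUFFIXES are constructed stand-ins for data/directories.txt and the suffix list, the SERVER table and fake_status replace the HTTP request so it runs offline, and the canary probe is this example's own addition: on servers that answer 200 for any URL ("soft 404s"), every probe would otherwise come back as a finding.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins for data/directories.txt and the suffix list (not SpaceMonkey's own data).
COMMON_DIRS = ["admin", "backup", "images", "includes", "test"]
SUFFIXES = [".old", ".bak", ".orig", "~"]
# A name no real site should serve: if a directory answers anything but 404 for it, the server
# returns "soft 404s" and every probe under it would be a false positive.
CANARY = "spacemonkey-canary-7f3a/"


def _no_query(scheme, netloc, path):
    return urlunsplit((scheme, netloc, path, "", ""))


def directories_of(urls, base):
    """Every directory prefix, at or below `base`, of every discovered URL (absolute, ending in '/')."""
    b = urlsplit(base)
    dirs = set()
    for url in urls:
        s = urlsplit(url)
        if (s.scheme, s.netloc) != (b.scheme, b.netloc):
            continue
        path = s.path if s.path.endswith("/") else posixpath.dirname(s.path) + "/"
        parts = path.strip("/").split("/") if path != "/" else []
        for i in range(len(parts) + 1):
            prefix = "/" + "/".join(parts[:i]) + ("/" if i else "")
            if prefix.startswith(b.path):
                dirs.add(_no_query(s.scheme, s.netloc, prefix))
    return sorted(dirs)


def documents_of(urls):
    """Discovered URLs naming a file rather than a directory, with the query string dropped."""
    docs = set()
    for url in urls:
        s = urlsplit(url)
        if not s.path.endswith("/"):
            docs.add(_no_query(s.scheme, s.netloc, s.path))
    return sorted(docs)


def enhance(urls, base, status_of):
    """Probe common directory names under each known directory and common suffixes on each known
    document. status_of(url) returns the HTTP status: 404 means absent, anything else (200, 403,
    401 ...) is recorded, since a forbidden directory still reveals structure."""
    dirs = directories_of(urls, base)
    noisy = {d for d in dirs if status_of(d + CANARY) != 404}   # soft-404 directories: skip them
    known = set(dirs) | {_no_query(*urlsplit(u)[:3]) for u in urls}
    found = []
    for d in dirs:
        if d in noisy:
            continue
        for name in COMMON_DIRS:
            probe = d + name + "/"
            status = status_of(probe)
            if probe not in known and status != 404:
                found.append(("directory", probe, status))
    for doc in documents_of(urls):
        if doc.rsplit("/", 1)[0] + "/" in noisy:
            continue
        for suffix in SUFFIXES:
            probe = doc + suffix
            status = status_of(probe)
            if status != 404:
                found.append(("suffixed-file", probe, status))
    return found


# Constructed target: everything that exists, with the status it answers. Anything else is 404.
SERVER = {
    "http://example.test/app/": 200,
    "http://example.test/app/index.php": 200,
    "http://example.test/app/index.php.old": 200,      # forgotten copy of the live script
    "http://example.test/app/admin/": 403,
    "http://example.test/app/admin/login.php": 200,
    "http://example.test/app/admin/login.php.bak": 200,
    "http://example.test/app/backup/": 403,            # listing denied, but the directory is there
    "http://example.test/app/images/": 200,
}


def fake_status(url):
    return SERVER.get(url, 404)


# What a discovery run of the constructed site would have produced.
DISCOVERED = [
    "http://example.test/app/",
    "http://example.test/app/index.php?page=home",
    "http://example.test/app/admin/login.php",
]

if __name__ == "__main__":
    for kind, url, status in enhance(DISCOVERED, "http://example.test/app/", fake_status):
        print(kind, url, status)
```

A suffixed copy such as index.php.old is usually served as plain text rather than executed, so it hands the attacker the script's source; that is why these probes are worth the extra requests.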
Finally, you can run the "Attack Techniques" against the discovered scripts (PHP, ASP, JSP, CGI...) by using the -K command line option.
The whole idea is to feed the scripts found during the discovery steps with "fuzzy" input in order to trigger a fault.
"Fault Detection" then detects the fault and classifies it.
Right now, a fault is detected based on the following parameters:
- Returned HTTP Status Code
Classically, status codes in the 5xx range are the sign of a server-side error.
- Document title
Some document titles reveal abnormal behaviour.
- HTTP Document body
Flaws like file injection, XSS or MySQL injection are most of the time (not to say always) reflected in a modification of the response body.
Obviously, some false positives or false negatives can occur because of the software's limitations.
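The attack and fault-detection steps above, as one added Python example that is not SpaceMonkey's own code. It injects one payload per flaw class into each parameter of a script and classifies the response by the three criteria listed: a 5xx status code, a changed document title, and a modified body. The payload set, the error signatures and the fake_app stand-in for a vulnerable PHP page are constructed; fetching two baselines to learn which lines of the page change on every request (a counter here, timestamps or ads in practice) is this example's own way of reducing the false positives the text warns about, and the 0.8 similarity threshold is an assumption to tune per target.

```python
import html
import itertools
import re
from difflib import SequenceMatcher

# One fuzz input per flaw class; a constructed set, not SpaceMonkey's own payload list.
PAYLOADS = {
    "sqli": "1'",                      # stray quote breaks an unquoted SQL literal
    "xss": '<spacemonkey x="1">',      # harmless marker tag; reflected unescaped means XSS
    "lfi": "../../../../etc/passwd",   # path traversal through a file include
}

# Error strings that betray a fault in the body (a small, constructed subset of real server messages).
ERROR_SIGNATURES = {
    "sql-error": re.compile(r"You have an error in your SQL syntax|mysql_fetch_", re.I),
    "file-error": re.compile(r"failed to open stream|root:x:0:0:", re.I),
}

_TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)


def title_of(body):
    m = _TITLE.search(body)
    return m.group(1).strip() if m else ""


def volatile_lines(body_a, body_b):
    """Line positions that differ between two identical requests (timestamps, counters, ads).
    Positional, so it assumes the fuzzed page keeps the baseline's line layout."""
    return {i for i, (x, y) in enumerate(zip(body_a.splitlines(), body_b.splitlines())) if x != y}


def stable(body, volatile):
    return "\n".join(l for i, l in enumerate(body.splitlines()) if i not in volatile)


def classify(baseline, response, payload, volatile):
    """The three fault-detection criteria: returned status code, document title, document body."""
    base_status, base_body = baseline
    status, body = response
    findings = []
    if status >= 500:
        findings.append("server-error")
    if title_of(body) != title_of(base_body):
        findings.append("title-changed")
    base_s, body_s = stable(base_body, volatile), stable(body, volatile)
    for name, rx in ERROR_SIGNATURES.items():
        if rx.search(body_s) and not rx.search(base_s):
            findings.append(name)
    if "<" in payload and payload in body_s and payload not in base_s:
        findings.append("reflected-unescaped")
    if not findings and SequenceMatcher(None, base_s, body_s).ratio() < 0.8:
        findings.append("body-changed")   # unclassified change, worth a manual look; threshold per target
    return findings


def fuzz(params, fetch):
    """Inject each payload into each parameter in turn; fetch(params) -> (status, body)."""
    base_a, base_b = fetch(params), fetch(params)   # two baselines to learn the dynamic parts
    volatile = volatile_lines(base_a[1], base_b[1])
    report = {}
    for name in params:
        for kind, payload in PAYLOADS.items():
            findings = classify(base_a, fetch(dict(params, **{name: payload})), payload, volatile)
            if findings:
                report[(name, kind)] = findings
    return report


_request_no = itertools.count(1)


def fake_app(params):
    """Constructed stand-in for a vulnerable PHP script, replacing the HTTP fetch so this runs offline:
    `page` is included without checks, `id` goes into SQL unquoted, `q` is echoed unescaped."""
    q, ident, page = params.get("q", ""), params.get("id", "1"), params.get("page", "home")
    if ".." in page:
        return 500, ("<html><head><title>Fatal error</title></head><body>"
                     "Warning: include(%s): failed to open stream</body></html>" % html.escape(page))
    if not ident.isdigit():
        return 200, ("<html><head><title>Shop</title></head><body>"
                     "You have an error in your SQL syntax near '%s'</body></html>" % html.escape(ident))
    return 200, "\n".join([
        "<html><head><title>Shop</title></head><body>",
        "<!-- generated: request %d -->" % next(_request_no),   # differs on every request
        "<p>Search: %s</p>" % q,                                 # reflected without escaping
        "<p>Item: %s on page %s</p>" % (ident, html.escape(page)),
        "</body></html>",
    ])


if __name__ == "__main__":
    for (param, kind), findings in fuzz({"q": "shoes", "id": "1", "page": "home"}, fake_app).items():
        print("%s <- %s: %s" % (param, kind, ", ".join(findings)))
```

Run against the constructed script, the traversal payload in `page` trips all three criteria at once (500, a "Fatal error" title and a PHP include warning in the body), the quote in `id` is caught by the MySQL error string alone, and the marker tag in `q` is found only because it comes back unescaped; the same tag in `page` is HTML-escaped and correctly produces no finding. Without the volatile-line step, the per-request counter would make every response differ from the baseline.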
Feedback
For now, SpaceMonkey is pure alpha software and was written for demonstrative and fun purposes. All your comments, remarks and advice are welcome.
If you want to collaborate and are interested in IT security or C/C++, you are welcome to join the crew!
Contact
Feel free to contact me:
10function [4t) gmail {d0t] com
Credits
Chuck Palahniuk, for having the sick mind to write a book such as "Fight Club".
Related projects
Wapiti
Nikto
Kayra
Autodafe
Copyright (C) 2006-2010 10function