JoomSpy is a lightweight, web-based reconnaissance tool built for Passive Attack Surface Mapping on Joomla CMS targets. It helps security researchers identify exposed endpoints, backup files, leaked configurations, and installed third-party extensions by analyzing HTTP response codes.
This allows faster visibility into a Joomla asset’s external exposure before moving into deeper security analysis.
-
Asynchronous Processing
Built using the nativefetchAPI withasync/awaitfor smooth, fast, and non-blocking scan execution. -
Targeted Audit Database
Includes Joomla-specific audit vectors covering:- Core API paths
- Critical data leak locations
- Backup files (
.env,.bak,.old) - Popular components (
com_jce,com_k2,com_media, etc.)
-
Dynamic Response Categorization
Automatically classifies:200→ Accessible403→ Restricted301/302→ Redirected404→ Not Found
-
Live Interactive Filtering
Real-time search filtering for quick result analysis without page reload. -
Direct Verification Links
Clickable status codes for instant manual validation in a new browser tab.
JoomSpy/
├── index.php # Main frontend interface
└── scan.php # Backend proxy scanner (PHP cURL)| File | Description |
|---|---|
index.php |
Frontend UI built with HTML, CSS, and vanilla JavaScript |
scan.php |
Handles backend HTTP requests using PHP cURL |
Make sure your environment supports:
- PHP 8.0+
- cURL Extension enabled
Verify cURL support:
php -m | grep curlClone this repository:
git clone https://github.com/username/JoomSpy.git
cd JoomSpyRun using PHP built-in server:
php -S localhost:8000Open in browser:
http://localhost:8000
- Enter your target Joomla URL
Example:
https://target-joomla.com
-
Click START
-
JoomSpy will:
- Probe predefined Joomla vectors
- Analyze HTTP headers
- Categorize responses
-
Use Filter rows... to search results instantly.
Example filters:
200
Data Leak
com_jce
403
- Click STOP anytime to halt the scan.
/administrator//api/index.php/templates/
.envconfiguration.php.bakconfiguration.php.old
com_jcecom_k2com_mediacom_contentcom_users
- This tool performs passive enumeration only
- No exploitation functionality included
- Results depend on target server behavior
- Some WAFs may alter or block responses
For educational and authorized security research purposes only.
Maintained with coffee and curiosity.