[WebSurgery] Web application security testing suite


WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Suite currently contains a spectrum of efficient, fast and stable web tools (Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality tools (Scripting Filters, List Generator, External Proxy).


Main Tools
Crawler
  • High Performance Multi-Threading and Completely Parameterized Crawler
  • Extracts Links from HTML / CSS / JavaScript / AJAX / XHR
  • Hidden Structure Identification with Embedded Bruteforcer
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Limit Rules (Case Sensitive, Process Above / Below, Dir Depth, Max Same File / Script Parameters / Form Action File)
  • Parameterized Extra Rules (Fetch Indexes / Sitemaps, Submit Forms, Custom Headers)
  • Supports Advanced Filters with Scripting & Regular Expressions (Process, Exclude, Page Not Found, Search Filters)
Bruteforcer
  • High Performance Multi-Threading Bruteforcer for Hidden Structure (Files / Directories)
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Rules (Base Dir, Bruteforce Dirs / Files, Recursive, File Extension, Custom Headers)
  • Parameterized Advanced Rules (Send GET / HEAD, Follow Redirects, Process Cookies)
  • Supports Advanced Filters with Scripting & Regular Expressions (Page Not Found, Search Filters)
  • Supports List Generator with Advanced Rules
Fuzzer
  • High Performance Multi-Threading Fuzzer Generates Requests based on Initial Request Template
  • Exploitation for (Blind) SQL Injections, Cross Site Scripting (XSS), Denial of Service (DOS), Bruteforce for Username / Password Authentication Login Forms
  • Identification of Improper Input Handling and Firewall / Filtering Rules
  • Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
  • Parameterized Advanced Rules (Follow Redirects, Process Cookies)
  • Supports Advanced Filters with Scripting & Regular Expressions (Stop / Reset Level, Search Filters)
  • Supports List Generator with Advanced Rules
  • Supports Multiple Lists with Different Levels
Proxy
  • Proxy Server to Analyze, Intercept and Manipulate Traffic
  • Parameterized Listening Interface IP Address & Port Number
  • Supports Advanced Filters with Scripting & Regular Expressions (Process, Intercept, Match-Replace, Search Filters)
Editor
  • Advanced ASCII / HEX Editor to Manipulate Individual Requests
  • Parameterized Timing Settings (Timeout, Max Data Size, Retries)
  • Automatically Fix Request (Content-Length, New Lines at End)
Extra Tools
Scripting Filters
  • Advanced Scripting Filters to Filter Specific Requests / Responses
  • Main Variables (url, proto, hostport, host, port, pathquery, path, query, file, ext)
  • Request Variables (size, hsize, dsize, data, hdata, ddata, method, hasparams, isform)
  • Response Variables (size, hsize, dsize, data, hdata, ddata, status, hasform)
  • Operators =, !=, ~, !~, >=, <=, >, <
  • Conjunctions &, |
  • Supports Reverse Filters and Parenthesis
List Generator
  • List Generator for Different List Types (File, Charset, Numbers, Dates, IP Addresses, Custom)
  • Parameterized Rules (Prefix, Suffix, Case, Reverse, Fixed-Length, Match-Replace)
  • Parameterized Crypto / Hash Rules (URL, URL All, HTML, BASE-64, ASCII, HEX, MD5, SHA-512)
External Proxy
  • External Proxy Redirects Traffic to Another Proxy
  • Supports Non-Authenticated Proxies (HTTP, SOCKS4, SOCKS5)
  • Supports Authenticated Proxies (HTTP Basic, SOCKS5 Username/Password)
  • Supports DNS Lookups at Proxy Side