WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Suite currently contains a spectrum of efficient, fast and stable web tools (Crawler, Bruteforcer, Fuzzer, Proxy, Editor) and some extra functionality tools (Scripting Filters, List Generator, External Proxy).
Main Tools
Crawler
- High Performance Multi-Threading and Completely Parameterized Crawler
- Extracts Links from HTML / CSS / JavaScript / AJAX / XHR
- Hidden Structure Identification with Embedded Bruteforcer
- Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
- Parameterized Limit Rules (Case Sensitive, Process Above / Below, Dir Depth, Max Same File / Script Parameters / Form Action File)
- Parameterized Extra Rules (Fetch Indexes / Sitemaps, Submit Forms, Custom Headers)
- Supports Advanced Filters with Scripting & Regular Expressions (Process, Exclude, Page Not Found, Search Filters)
Bruteforcer
- High Performance Multi-Threading Bruteforcer for Hidden Structure (Files / Directories)
- Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
- Parameterized Rules (Base Dir, Bruteforce Dirs / Files, Recursive, File Extension, Custom Headers)
- Parameterized Advanced Rules (Send GET / HEAD, Follow Redirects, Process Cookies)
- Supports Advanced Filters with Scripting & Regular Expressions (Page Not Found, Search Filters)
- Supports List Generator with Advanced Rules
Fuzzer
- High Performance Multi-Threading Fuzzer Generates Requests based on Initial Request Template
- Exploitation for (Blind) SQL Injections, Cross Site Scripting (XSS), Denial of Service (DOS), Bruteforce for Username / Password Authentication Login Forms
- Identification of Improper Input Handling and Firewall / Filtering Rules
- Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
- Parameterized Advanced Rules (Follow Redirects, Process Cookies)
- Supports Advanced Filters with Scripting & Regular Expressions (Stop / Reset Level, Search Filters)
- Supports List Generator with Advanced Rules
- Supports Multiple Lists with Different Levels
Proxy
- Proxy Server to Analyze, Intercept and Manipulate Traffic
- Parameterized Listening Interface IP Address & Port Number
- Supports Advanced Filters with Scripting & Regular Expressions (Process, Intercept, Match-Replace, Search Filters)
Editor
- Advanced ASCII / HEX Editor to Manipulate Individual Requests
- Parameterized Timing Settings (Timeout, Max Data Size, Retries)
- Automatically Fix Request (Content-Length, New Lines at End)
Extra Tools
Scripting Filters
- Advanced Scripting Filters to Filter Specific Requests / Responses
- Main Variables (url, proto, hostport, host, port, pathquery, path, query, file, ext)
- Request Variables (size, hsize, dsize, data, hdata, ddata, method, hasparams, isform)
- Response Variables (size, hsize, dsize, data, hdata, ddata, status, hasform)
- Operators =, !=, ~, !~, >=, <=, >, <
- Conjunctions &, |
- Supports Reverse Filters and Parenthesis
List Generator
- List Generator for Different List Types (File, Charset, Numbers, Dates, IP Addresses, Custom)
- Parameterized Rules (Prefix, Suffix, Case, Reverse, Fixed-Length, Match-Replace)
- Parameterized Crypto / Hash Rules (URL, URL All, HTML, BASE-64, ASCII, HEX, MD5, SHA-512)
External Proxy
- External Proxy Redirects Traffic to Another Proxy
- Supports Non-Authenticated Proxies (HTTP, SOCKS4, SOCKS5)
- Supports Authenticated Proxies (HTTP Basic, SOCKS5 Username/Password)
- Supports DNS Lookups at Proxy Side