WebSlayer

Phase(s):

Primary: Exploitation.
Secondary: N/A.

Description:

Tool that performs brute-force attacks combined with fuzzing techniques, enabling the exploitation of vulnerable parameters and headers through the POST and GET methods.

Objective:

  • Exploit vulnerabilities present in a web application through fuzzing techniques.

Features:

Supported technologies: Web applications (HTTP/HTTPS).

Operative mode: Active.

  • Support for both Basic and NTLM authentication.
  • Offers 15 different encoding types.
  • Support for session management.
  • Customizable payloads:
    • Regular expressions.
    • Range of words.
    • Permutation of characters.
    • Logins from people's names.
    • Credit Card numbers.
  • Can fuzz two different parameters separately, each with its own word list.

Reports:
Output reports:

  • Merged report of the exploitation and data-mining results in TXT and XML format.

Basic usage:

Perform a brute-force attack on a web application login page. Start the tool and, in the “Applications” menu, provide the following information:

  • URL of the web application login page.
  • HTTP headers to be included in the request.
  • Parameters to be sent with the request, either through the GET or the POST method.
  • List of words to be used in the brute-force attack.

Include the fuzzer identifier “FUZZ” or “FUZ2Z” in the parameters that are to be included in the brute-force attack.

Once the configuration is done, press the “Start attack” button to initiate the brute-force attack. The progress bar displays the status of the attack: the number of words already tested and the number remaining.

When the attack finishes, the progress bar displays the message “Attack finished OK”.
The results are displayed under each of the word lists, including the entries that succeeded in accessing the web application.

The “Logs” tab presents additional information such as the start and end time of the attack, the word lists used, the URL, etc.

Resources:

Link: https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project.
Author(s): Christian Martorella
Contact: owasp-Webslayer-project [at] lists.owasp.org
License: GPL v2.0.