web application – owasp_webslayer

WebSlayer is a tool designed for brute forcing Web Applications, it can be used to discover not linked resources (directories, servlets, scripts, etc), brute force GET and POST parameters, brute force Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer to aid the tester in all the brute force tests.

https://www.owasp.org/index.php/Category:OWASP_Webslayer_Project

backtrack 5 r1

/pentest/web/webslayer

/pentest/web/webslayer# ./WebSlayer.py

WebSlayer is a tool designed for brute forcing Web Applications, it can be used to discover not linked resources (directories, servlets, scripts, etc), brute force GET and POST parameters, brute force Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer to aid the tester in all the brute force tests.

It’s possible to perform attacks like:

Predictable resource locator (File and directories discovery)
Login forms brute force
Session brute force
Parameters brute force
Parameter fuzzing and Injection (XSS, SQL, etc)
Basic and Ntml brute forcing

Create username files and password .txt

Payload generator (tab) / Usernames (tab)
1. add users 1st name press + Add word
2. add users 2nd name press + Add word
3. press > Add generator (This creates the PUsr number that is required in stage 4.
4. under Payload Creator / Pattern (type in) [@PUsr05@]
5. Final Payload should now show name options
6. Save Payload as .txt

testing admin-panels in a website

Attack setup (tab)

1. url (type in your url inclued /FUZZ)
http://url/FUZZ

2. Headers: (type in bellow next to host place in the real url and include /FUZZ)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3
Host:url/FUZZ
Content-Type: application/x-www/form-urlencoded

3. Payload type: Dictionary select /pentest/web/webslayer/wordlist/general/admin-panels.txt

4. Connection options (tab) Threads = 5 Time delay = 2 (Slows it down to limit chance of dos)

5. Start!

6. Attack results (tab) code 200 = good look at Payload and see if url found works.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s