Category:OWASP Webslayer Project

Revision as of 17:13, 2 November 2008 by Cmartorella (talk | contribs)

Jump to: navigation, search

Click here to return to OWASP Projects page.
Click here to see (& edit, if wanted) the template.

OWASP Inactive Banner.jpg
Project Name OWASP Webslayer Project
Short Project Description

WebSlayer is a tool designed for brute forcing Web Applications, it can be used to discover not linked resources (directories, servlets, scripts, etc), brute force GET and POST parameters, brute force forms parameters (User/Password), fuzzing, etc.

The tools has a powerful payload generator and a easy and flexible results analyzer.

Email Contacts Project Leader
Christian Martorella
Project Contributors
Carlos del Ojo
Mailing List/Subscribe
Mailing List/Use
First Reviewer
Andres Andreu
Second Reviewer
OWASP Board Member
(if applicable)

- The tool's url

  • If any, add link.
Sponsor name, if applicable Guidelines/Roadmap
Review/Reviewer Author's Self Evaluation
(applicable for Alpha Quality & further)
First Reviewer
(applicable for Alpha Quality & further)
Second Reviewer
(applicable for Beta Quality & further)
OWASP Board Member
(applicable just for Release Quality)
First Review Objectives & Deliveries reached?
Not yet (To update)
Which status has been reached?
Alpha Status - (To update)
See&Edit: First Review/SelfEvaluation (A)
Objectives & Deliveries reached?
Not yet (To update)
Which status has been reached?
Alpha Status - (To update)
See&Edit: First Review/1st Reviewer (B)
Objectives & Deliveries reached?
Yes/No (To update)
Which status has been reached?
Alpha Status - (To update)
See&Edit: First Review/2nd Reviewer (C)
Objectives & Deliveries reached?
Yes/No (To update)
Which status has been reached?
Alpha Status - (To update)
See/Edit: First Review/Board Member (D)


WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer.

It's possible to perform attacks like:

  • Predictable resource locator (File and directories discovery)
  • Login forms brute force
  • Session brute force
  • Parameters brute force
  • Parameter fuzzing and Injection (XSS, SQL, etc)
  • Basic and Ntml Bruteforcing


Some features are:

  • Encodings: 15 encodings supported
  • All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
  • Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
  • Multiple payloads: you can use 2 paylods in different parts
  • Proxy support (authentication supported)
  • Live filters: You can change the filters as the attack is taking place
  • Multiple threads: You can set how many threads to use in the attack
  • Session import/export: Allows you to save the session and to continue working with the results
  • Integrated web browser: a full fledge webkit browser is included to analyze the results
  • Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver,
  • Payload Generator (custom payload generator)

For Resource Location prediction

  • Recursion: When discovering directories, you can set how deep to go
  • Non standard code error checking: Webslayer will detect NoN Standard Code, to avoid presenting trash results
  • Extensions: You can add a list of extensions to try with a dictionary

Results analysis

The power of Webslayer resides in the way you can work with the results, for every attack you will have all the responses, and for each ; request you will have:

  • Html results
  • Source code
  • Headers
  • Web browser view (it will replay the request via the browser)

Multiple filters for improving the performance and for producing better results for the analyst

  • Return Code
  • Characters length
  • Words length
  • Lines length
  • MD5
  • Regular expression

Webslayer will maintain all the attacks in the session so you can work with them, compare, check later, etc.


Getting Started


At the moment WebSlayer is available only for Windows platform as an installable, the source code will be available in the next release. You can download the latest version from Google Code, and the current version has no dependencies.

Grab the latest version from here:


There is a basic installation needed, just double click, select destination folder and it's done.

Launching a basic attack

First of all, you must understand that the tool is based in replacing the Keyword "FUZZ" or "FUZ2Z" by the payload that you have chosen.

So lets start using the application for discovering directories in a website:

  • 1- In the Attack tab, insert the website URL that you want to brute force, with the keyword FUZZ in the end so WebSlayer will insert the content of the payload in that position. Eg:
  • 2- Next we are going to choose the payload type, we will leave "Dictionary", and we are going to choose a dictionary file, in this case i recommend to use the file "common.txt", which is located in the wordlists folder.
  • 3- Now click the "Start attack" button

Contacting us

There are two ways of getting information on WebSlayer. The mailing list, and contacting the project lead directly.

Mailing list:

For content which is not appropriate for the public mailing list, you can alternatively contact Christian Martorella, at [cmartorella] at the []


  • a) Once a panel is detached how can i attach it again?
      You can attach the panel again by double clicking on the title bar

Project Contributors

The WebSlayer project is run by Christian Martorella and Carlos del Ojo from Edge-Security

Pages in category "OWASP Webslayer Project"

This category contains only the following page.