WebSurgery is a suite of tools that are designed for web application security testing.

It contains several web tools such as Crawler, Bruteforcer, Fuzzer, Proxy, and Editor, and also some extra functionality tools such as Scripting Filters, List Generator, and External Proxy.

There are three editions of WebSurgery: the Non-commercial (Free) Edition, the Enterprise Edition, and the Consultant Edition.

The Free Edition doesn't require any license fee, but it cannot be used to scan sites of customers or third parties.

The Enterprise Edition is intended for organizations owning and operating more than one website. Ideal for small and larger organizations alike, it allows you to scan an unlimited number of your own websites, but it cannot be used to scan sites of customers or third parties.

Note: Multiple installations require multiple licenses.

The Consultant Edition is intended for organizations that scan any number of websites owned by their customers in order to provide them with penetration testing and vulnerability assessment services. Ideal for Security Consultants, Web Development Agencies, and ISPs. Multiple installations require multiple licenses.

Web Tools:

Crawler: It is designed to be fast, accurate, stable and completely parameterized, using advanced techniques to extract links from HTML, CSS, JavaScript and AJAX.

High Performance Multi-Threading and Completely Parameterized Crawler
Extracts Links from HTML / CSS / JavaScript / AJAX / XHR
Hidden Structure Identification with Embedded Bruteforcer
Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
Parameterized Limit Rules (Case Sensitive, Process Above / Below, Dir Depth, Max Same File / Script Parameters / Form Action File)
Parameterized Extra Rules (Fetch Indexes / Sitemaps, Submit Forms, Custom Headers)
Supports Advanced Filters with Scripting & Regular Expressions (Process, Exclude, Page Not Found, Search Filters)

Bruteforcer: Brute-forces files and directories within the web application, which helps to identify its hidden structure.

High Performance Multi-Threading Bruteforcer for Hidden Structure (Files / Directories)
Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
Parameterized Rules (Base Dir, Bruteforce Dirs / Files, Recursive, File Extension, Custom Headers)
Parameterized Advanced Rules (Send GET / HEAD, Follow Redirects, Process Cookies)
Supports Advanced Filters with Scripting & Regular Expressions (Page Not Found, Search Filters)
Supports List Generator with Advanced Rules

Fuzzer: It is a highly advanced tool that creates a number of requests based on one initial request. The Fuzzer has no limits and can be used to exploit (Blind) SQL Injections, Cross Site Scripting (XSS), Denial of Service (DoS), and Bruteforce for Username / Password Authentication Login Forms, as well as to identify Improper Input Handling and Firewall / Filtering Rules.

High Performance Multi-Threading Fuzzer Generates Requests based on Initial Request Template
Exploitation for (Blind) SQL Injections, Cross Site Scripting (XSS), Denial of Service (DoS), Bruteforce for Username / Password Authentication Login Forms
Identification of Improper Input Handling and Firewall / Filtering Rules
Parameterized Timing Settings (Timeout, Threading, Max Data Size, Retries)
Parameterized Advanced Rules (Follow Redirects, Process Cookies)
Supports Advanced Filters with Scripting & Regular Expressions (Stop / Reset Level, Search Filters)
Supports List Generator with Advanced Rules
Supports Multiple Lists with Different Levels

Proxy: It is a server running locally that allows you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or from any other application that supports proxies.

Proxy Server to Analyze, Intercept and Manipulate Traffic
Parameterized Listening Interface IP Address & Port Number
Supports Advanced Filters with Scripting & Regular Expressions (Process, Intercept, Match-Replace, Search Filters)

Editor: A simple Editor for sending individual requests. It also contains a HEX Editor for crafting more advanced requests.

Advanced ASCII/HEX Editor to Manipulate Individual Requests
Parameterized Timing Settings (Timeout, Max Data Size, Retries)
Automatically Fix Request (Content-Length, New Lines at End)

Extra Tools: