« WASC Announcement: 2007 Web Application Security Statistics Published | Main | Microsoft IE8 and Google Chrome - Processes are the New Threads »

Samurai Web Testing Framework


As live CD's have become more popular, specialized distributions have begun to emerge.  One such specialty live CD is Samurai, a distribution squarely focused on web application penetration and vulnerability testing. Samurai is dubbed a "web testing framework" in much the same way that Metasploit is termed a framework.  Samurai is sponsored by IntelGuardians Network Intelligence Inc a for profit information security consulting firm based in Washington, DC.

Samurai focuses on tools needed by web application testers to look for common vulnerabilities, such as misconfigurations, cross site scripting (XSS), SQL injection, remote file inclusion and other common vulnerabilities. the CD includes several tools to reconnoiter web applications and servers, enumerate files and directories, and test scripts."


Samurai comes with a host of useful applications.  These include many of the regular Linux tools but also include:

  • Burp Suite, a web application attacking tool
  • DirBuster, an application file and directory enumeration and brute forcing tool from OWASP
  • Fierce Domain Scanner a target ennumeration utility
  • Gooscan an automated Google querying tool that is useful for finding CGI vulnerabilities without scanning the target directly, but rather querying Google's caches
  • Grendel-Scan, just released, an open source web application vulnerability testing tool
  • HTTP_Print a web server fingerprinting tool
  • Maltego CE, an open source intelligence and forensics application that does data mining to find information from the internet and link it together (great for background research on a target).
  • Nikto, an open source web server scanner
  • Paros, one of my favorite, Java based, cross platform, web application auditing and proxy tools
  • Rat Proxy, a semi-automated, passive web application security audit tool.
  • Spike Proxy, an extensible web application analyzer and vulnerability scanner.
  • SQLBrute, a SQL injection and brute forcing tool.
  • w3af (and the GUI), a web application attack and audit framework.
  • Wapiti, a web application security auditor and vulnerability scanner
  • WebScarab, an HTTP application auditing tool from OWASP
  • WebShag, a web server auditing tool
  • ZenMap, a NMAP graphical front end

Additionally Samurai includes several utilities that aren't available from the GUI menu.  These include:

  • dnswalk, a DNS query and zone transfer tool
  • httping, a ping like utility for HTTP requests
  • httrack, a website copying utility.
  • john the ripper, a password cracking program
  • netcat, a TCIP/IP swiss army knife
  • nmap, a port scanner and OS detection tool
  • siege, an HTTP stress tester and benchmarking tool.
  • snarf, a lightweight URL fetching utility"

More Info at http://www.madirish.net/?article=218


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!