WebSurgery v1.0

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation.

It currently contains a spectrum of efficient, fast and stable tools such as Web Crawler with the embedded File/ Dir Brute forcer, Fuzzer (for advanced exploitation of known and unusual vulnerabilities such as SQL Injections, Cross site scripting (XSS)), Brute force (for login forms and identification of firewall-filtered rules, DOS Attacks) and WEB Proxy (to analyze, intercept and manipulate the traffic between your browser and the target web application).


Web Crawler

Web Crawler is designed to be fast, accurate, stable and completely parameterized using advanced techniques to extract links from Javascript and HTML Tags. It works with parameterized timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rule parameters to prevent infinitive loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters).

It is also possible to apply custom headers (user agent, cookies etc) and Include/Exclude Filters. For example, by default the crawler will scan only the initial web service (url at the specific port), however you could change the initial filter “^($protocol)://($hostport)/” to “^(http|https)://[^/]*\.test.com” to specify the whole domain site for a specific domain using regular expressions (i.e .net) (e.g. for http://test.com, https://test.com, http://www.test.com, https://something.test.com:9443 etc).

Web Crawler also includes an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.

Web Bruteforcer

Web Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. As Web Crawler it us multi-threaded and completely parameterized for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).

By default, it will brute force from root / base dir recursively for both files and directories. It sends both HEAD and GET requests when it needs it (HEAD to identify if the file/dir exists and then GET to retrieve the full response).

Web Fuzzer

Web Fuzzer is a highly advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such as (blind) SQL Inections and more uncommon ways such identifying improper input handling and firewall/filtering rules.

Web Editor

A Web Editor to send individual requests. It also contains a HEX Editor for more advanced requests.

Web Proxy

Web Proxy is a proxy server running locally and will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or other application which support proxies.




8 Responses to “WebSurgery v1.0”

  • Jorge says:

    My error
    ************** Exception Text **************
    System.TypeInitializationException: The type initializer for ‘WebSurgery.ModMisc’ threw an exception. —> System.Security.Cryptography.CryptographicException: La contrase├▒a de red especificada no es v├ílida.

  • ac1dc0de says:

    I got the same error as Jorge above, on a WinXP machine with .Net Framework 4 installed and all recent patches applied.

    This is the error in English:
    System.TypeInitializationException: The type initializer for ‘WebSurgery.ModMisc’ threw an exception. —> System.Security.Cryptography.CryptographicException: The specified network password is not correct.

  • Steven says:

    I had the same error message. It would not work.

  • root says:

    It looks like as a serious bug. I’m currently away so I will have a look as soon as I’m back and I will give an updated version.

  • root says:

    You can find already a quick fix for that at the current 0.6a version.


  • Da Devil says:

    Thanks a lot for that nice tool.

    However i sure would like to be able to resize the Settings window…


  • kai says:


    is there any chance for *nix version?


  • root says:

    Hi kai, not really by the time. Hopefully, in the future!

  • Leave a Reply to root



    March 17th



    © 2018 SuRGeoNix | Security Blog