WebSlayer - The Web Bruteforcer - 30/10/2008


WebSlayer is a tool designed for brute forcing web applications. It can be used for finding unlinked resources (directories, servlets, scripts, etc.), brute forcing GET and POST parameters, brute forcing form parameters (user/password), fuzzing, etc. The tool has a payload generator and an easy and powerful results analyzer.


The tool works with "payloads", and you must define where the payload must be inserted in the request. Once the payload position is set, the tool generates all the requests and then performs the attack. The results of the attack carry a lot of information that helps the tester sort the responses and make decisions.

It was created to make web application assessments easier; it's a tool by pentesters for pentesters ;)

Official Site at OWASP WebSlayer Project
It's possible to perform attacks like:

  • Predictable resource locator: it can find directories and scripts based on well-known dictionaries; recursion is supported
  • Login forms brute force
  • Session brute force
  • Parameter brute force
  • Parameter Injection (XSS, SQL, etc)
  • Basic and NTLM brute forcing
Some features are:
  • Encodings: 15 encodings supported
  • All parameters attack: the tool will inject the payload in every parameter
  • Authentication: supports NTLM and Basic
  • Multiple payloads: you can use 2 payloads in different parts of the request
  • Proxy support (authentication supported)
  • For predictable resource location it has: recursion, common extensions, non-standard code detection
  • Multiple filters for improving the performance and for producing cleaner results
  • Live filters
  • Threads
  • Session export
  • Integrated browser (WebKit)
  • Predefined dictionaries for predictable resource location, based on known servers (thanks to Dark Raver, www.open-labs.org)


How does it work?

The tool is based on payloads: you choose where you want to brute force just by replacing the part of the URL or the POST data with the keyword FUZZ.

Features

The power of WebSlayer resides in the way you can work with the results: for every attack you will have all the responses, and for each request you will have:

  • Html results
  • Source code
  • Headers
And you will be able to filter and sort the results by:
  • Return code
  • Length
  • Words
  • Lines
  • MD5
  • Regular expressions
  • Also you can filter responses that contain common errors (errors that we define)
WebSlayer will keep all the attacks in the session so you can work with them, compare them, check them later, etc.
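The metrics and filters listed above, as an added example that is not WebSlayer's own code: each response is reduced to code, length, words, lines and MD5, a filter hides or shows responses by those metrics, by a regular expression, or by a list of "common error" markers, and results can be sorted by any metric. The sample responses and the error marker list are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Response:
    payload: str                 # the FUZZ value that produced this response
    code: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def length(self) -> int:
        return len(self.body.encode("utf-8"))

    @property
    def words(self) -> int:
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return len(self.body.splitlines())

    @property
    def md5(self) -> str:
        return hashlib.md5(self.body.encode("utf-8")).hexdigest()


# Constructed list of markers a tester might define as "common errors".
COMMON_ERRORS = ["Warning: mysql", "ODBC", "Syntax error", "Stack trace"]


def has_common_error(r: Response) -> bool:
    return any(marker.lower() in r.body.lower() for marker in COMMON_ERRORS)


def make_filter(hide_codes: Iterable[int] = (), hide_lengths: Iterable[int] = (),
                hide_md5: Iterable[str] = (), show_regex: Optional[str] = None,
                hide_errors: bool = False) -> Callable[[Response], bool]:
    """Return a predicate that is True for responses that survive the filter."""
    codes, lengths, md5s = set(hide_codes), set(hide_lengths), set(hide_md5)
    pattern = re.compile(show_regex) if show_regex else None

    def keep(r: Response) -> bool:
        if r.code in codes or r.length in lengths or r.md5 in md5s:
            return False
        if hide_errors and has_common_error(r):
            return False
        if pattern and not pattern.search(r.body):
            return False
        return True
    return keep


def survivors(responses: Iterable[Response], keep: Callable[[Response], bool]) -> List[str]:
    """Payloads whose responses pass the filter, in their original order."""
    return [r.payload for r in responses if keep(r)]


def sort_by(responses: Iterable[Response], key: str) -> List[Response]:
    """Sort by any metric name: 'code', 'length', 'words', 'lines' or 'md5'."""
    return sorted(responses, key=lambda r: getattr(r, key))


# Constructed sample: one real page, two catch-all "not found" pages served with 200,
# a forbidden path and a script leaking a database warning.
SAMPLE = [
    Response("index.php", 200, "<html>Welcome to the site</html>\n"),
    Response("admin", 200, "<html>Page not found</html>\n"),
    Response("backup", 200, "<html>Page not found</html>\n"),
    Response("login", 403, "<html>Forbidden</html>\n"),
    Response("search", 500, "Warning: mysql_fetch_array(): supplied argument is not valid\n"),
]

if __name__ == "__main__":
    # Hiding the MD5 of the catch-all page removes both false positives at once.
    print(survivors(SAMPLE, make_filter(hide_md5=[SAMPLE[1].md5])))
```

Hiding by MD5 or length is what makes a catch-all "not found" page disappear from the results even though it comes back with a 200; hiding by code alone would also drop the real page.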


Payload Generator
For the attacks you can load the payloads from dictionaries (files) or you can create them with the powerful "Payload Generator", which allows the creation of:

  • Numeric ranges
  • User Names
  • Credit cards numbers
  • Characters blocks
  • And whatever you can imagine..
After creating generators we can build a payload using them, combining them in infinite ways.



And the real magic starts here: look at the Payload generator below the image, where we can create a payload from the different generators and a specified format:
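How generators are combined through a format, as an added example (not the tool's Payload Generator): numeric ranges, character blocks and user-name patterns are each a generator, and `combine` takes the cartesian product of several generators and renders every tuple through a positional format string. The user-name patterns are an assumption about what such a generator would produce.

```python
import itertools
from typing import Iterable, Iterator, List


def numeric_range(start: int, stop: int, width: int = 0) -> Iterator[str]:
    """Integers start..stop inclusive, optionally zero-padded (e.g. 001..100)."""
    for n in range(start, stop + 1):
        yield str(n).zfill(width)


def character_block(alphabet: str, length: int) -> Iterator[str]:
    """Every string of exactly `length` characters over `alphabet` (a 'character block')."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def user_names(first_names: Iterable[str], last_names: Iterable[str]) -> Iterator[str]:
    """Account-name patterns derived from name pairs; the patterns are an assumption."""
    for first, last in itertools.product(first_names, last_names):
        first, last = first.lower(), last.lower()
        yield f"{first}.{last}"
        yield f"{first[0]}{last}"
        yield f"{first}{last[0]}"


def combine(fmt: str, *generators: Iterable[str]) -> List[str]:
    """Cartesian product of several generators, rendered through a format string.

    fmt uses positional fields: "{0}-{1}" places generator 0, then generator 1.
    """
    return [fmt.format(*parts) for parts in itertools.product(*generators)]


def payload_count(*sizes: int) -> int:
    """Size of the combined payload list: the product of the generator sizes."""
    total = 1
    for size in sizes:
        total *= size
    return total


if __name__ == "__main__":
    # "user-01", "user-02", "user-03"
    for payload in combine("{0}-{1}", ["user"], numeric_range(1, 3, 2)):
        print(payload)
```

The product grows fast: a two-character block over three letters combined with a ten-value numeric range is already 90 payloads, which is the same multiplication the login-form example below warns about.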


Encoding
For all the payloads you can apply any of these encodings:

  • URL encode
  • Double URL encode
  • Base64
  • URI hexadecimal
  • Random upper
  • Double nibble hex
  • SHA1
  • MD5
  • Binary ASCII
  • HTML decimal
  • HTML hexadecimal
  • UTF-8 binary
  • UTF-8
  • MySQL char
  • MSSQL char
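What these encodings do to a payload, as an added example written for this page rather than taken from WebSlayer: each encoder is a small function and `encode` chains them left to right. The exact text layout of some outputs (double nibble hex, the MySQL and MSSQL CHAR() forms) is my reading of the names, not copied from the tool, and the two UTF-8 variants are left out because the page does not describe their output form.

```python
import base64
import hashlib
import random
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import quote


def urlencode(s: str) -> str:
    return quote(s, safe="")                     # 'a b/c' -> 'a%20b%2Fc'

def double_urlencode(s: str) -> str:
    return urlencode(urlencode(s))               # the '%' itself becomes %25

def base64_encode(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")

def uri_hex(s: str) -> str:
    """Every byte as %XX, including characters urlencode would leave alone."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))

def random_upper(s: str, seed: Optional[int] = None) -> str:
    """Randomise the case of each letter; a fixed seed makes the result reproducible."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in s)

def double_nibble_hex(s: str) -> str:
    """%XX with each hex digit percent-encoded again: 'A' -> %%34%31 (assumed layout)."""
    out = []
    for b in s.encode("utf-8"):
        hi, lo = f"{b:02x}"                      # the two hex digits of the byte
        out.append(f"%%{ord(hi):02x}%{ord(lo):02x}")
    return "".join(out)

def sha1(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()

def md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def binary_ascii(s: str) -> str:
    return "".join(f"{b:08b}" for b in s.encode("utf-8"))   # 'A' -> 01000001

def html_decimal(s: str) -> str:
    return "".join(f"&#{ord(c)};" for c in s)               # '<' -> &#60;

def html_hexadecimal(s: str) -> str:
    return "".join(f"&#x{ord(c):x};" for c in s)            # '<' -> &#x3c;

def mysql_char(s: str) -> str:
    return "CHAR(" + ",".join(str(b) for b in s.encode("utf-8")) + ")"

def mssql_char(s: str) -> str:
    return "+".join(f"CHAR({b})" for b in s.encode("utf-8"))


ENCODERS: Dict[str, Callable[[str], str]] = {
    "urlencode": urlencode, "double_urlencode": double_urlencode,
    "base64": base64_encode, "uri_hex": uri_hex, "random_upper": random_upper,
    "double_nibble_hex": double_nibble_hex, "sha1": sha1, "md5": md5,
    "binary_ascii": binary_ascii, "html_decimal": html_decimal,
    "html_hexadecimal": html_hexadecimal, "mysql_char": mysql_char,
    "mssql_char": mssql_char,
}


def encode(payload: str, names: Iterable[str]) -> str:
    """Apply encoders left to right: ["urlencode", "base64"] base64-encodes the URL-encoded text."""
    for name in names:
        payload = ENCODERS[name](payload)
    return payload


if __name__ == "__main__":
    for name in ENCODERS:
        print(f"{name:18} {encode('admin', [name])}")
```

Note that SHA1 and MD5 are one-way: they are useful when the application stores or compares digests, but the original payload cannot be recovered from the result, so keep the unencoded value alongside it in the session.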



Tools
WebSlayer has other tools like:

  • Encoder/decoder
  • Requester (request creation/management or replay)


WebSlayer allows you to save the session and export the requests to HTML. Saving the session stores all the attacks and the requests/responses with all their information.


Examples of setup:

Predictable resource locator:

  1. Set the URL with the FUZZ keyword
  2. Select the dictionary file  (in the example common.txt)
  3. Set recursion level if you want
  4. Set the number of threads (you can experiment with this)
  5. Set extensions. If you want to add extensions to the dictionary, you can do it here (remember that the dictionary length is multiplied by the number of extensions, so the attack can get really big, but if you have the time it's OK ;)
  6. Non-standard code detection: checks whether the server uses a non-standard "not found" code. We ask for a nonexistent word and check the response; if we get anything other than 404, we discard all the responses with that code.
  7. You can change the User-Agent, but the default is fine.
  8. Then Launch
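Steps 5 and 6 carried through as an added example (not WebSlayer's implementation): the word list is multiplied by the extensions, a random word that cannot exist is requested first, and any code other than 404 it comes back with is treated as the server's real "not found" code and discarded. Both servers here are constructed stand-ins that answer from a dictionary, so nothing touches the network.

```python
import secrets
from typing import Callable, Iterable, List, Optional, Tuple

Fetch = Callable[[str], Tuple[int, str]]   # path -> (status code, body)

# Constructed content for the two stand-in servers.
REAL_PATHS = {"index.html": "Welcome", "admin/": "Admin login", "robots.txt": "User-agent: *"}
# Constructed word list and extension list (the "" entry keeps the bare word).
WORDS = ["index", "admin", "robots", "backup"]
EXTS = ("", ".html", ".txt", "/")


def standard_server(path: str) -> Tuple[int, str]:
    """Answers 404 for anything it does not have."""
    return (200, REAL_PATHS[path]) if path in REAL_PATHS else (404, "Not Found")


def catch_all_server(path: str) -> Tuple[int, str]:
    """Redirects every unknown path to an error page instead of answering 404."""
    return (200, REAL_PATHS[path]) if path in REAL_PATHS else (302, "Redirecting to /error.aspx")


def detect_nonstandard_code(fetch: Fetch, probe: Optional[str] = None) -> Optional[int]:
    """Request a word that cannot exist; any code other than 404 is the server's 'not found' code."""
    probe = probe or secrets.token_hex(8)
    code, _ = fetch(probe)
    return None if code == 404 else code


def candidates(words: Iterable[str], extensions: Iterable[str] = ("",)) -> List[str]:
    """Step 5: every word combined with every extension, so the list grows by that factor."""
    return [word + ext for word in words for ext in extensions]


def locate(fetch: Fetch, words: Iterable[str], extensions: Iterable[str] = ("",),
           detect: bool = True) -> List[str]:
    """Keep the paths that are neither 404 nor the detected non-standard code."""
    discard = detect_nonstandard_code(fetch) if detect else None
    found = []
    for path in candidates(words, extensions):
        code, _ = fetch(path)
        if code != 404 and code != discard:
            found.append(path)
    return found


if __name__ == "__main__":
    print("without detection:", len(locate(catch_all_server, WORDS, EXTS, detect=False)), "hits")
    print("with detection:   ", locate(catch_all_server, WORDS, EXTS))
```

Without the probe, the redirecting server makes all 16 candidates look like hits; with it, only the three real resources remain. The check has a limit: if the catch-all page comes back as 200, discarding that code also discards the real pages, and the length or MD5 filters from the results view are the way to separate them.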


Login form bruteforce:

We set the URL first; then, since we are going to brute force login.asp, we must paste the content of the POST into the POST data field.

In this example we have:

login=FUZZ&password=FUZ2Z


So we are using 2 payloads: for the first one we use the dictionary names.txt and for the second the dictionary common_pass.txt. Beware of the size of the final attack, because the whole second dictionary is run for every word in the first dictionary, so if one dictionary has 10 words and the other has 100, we will have an attack of 1000 requests.


The Content-Length is calculated automatically, so we don't have to worry about it.

Then we launch the attack.
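The expansion of the two-payload template above, as an added example that is not the tool's code: every pair from the two dictionaries is substituted for FUZZ and FUZ2Z (form-encoded, so a payload containing "&" or "=" stays a value), the Content-Length is computed from the finished body, and `render` shows the raw request as a requester/replay tool would. The host name is a placeholder and the two dictionaries are small constructed stand-ins for names.txt and common_pass.txt.

```python
import itertools
from typing import Any, Dict, Iterator, List
from urllib.parse import quote_plus, urlsplit

# Placeholder URL; the dictionaries below stand in for names.txt and common_pass.txt.
URL = "http://target.example/login.asp"
POST_TEMPLATE = "login=FUZZ&password=FUZ2Z"
NAMES = ["admin", "guest", "test"]
PASSWORDS = ["123456", "password", "letmein"]


def expand(template: str, first: str, second: str = "") -> str:
    """Substitute both keywords; values are form-encoded so '&' or '=' in a payload stays data."""
    return template.replace("FUZZ", quote_plus(first)).replace("FUZ2Z", quote_plus(second))


def request_count(dict1: List[Any], dict2: List[Any]) -> int:
    """The second dictionary runs once per word of the first: len(dict1) * len(dict2)."""
    return len(dict1) * len(dict2)


def build_requests(url: str, template: str, dict1: List[str], dict2: List[str]) -> Iterator[Dict[str, Any]]:
    """One request per (first, second) pair, in the order the tool would send them."""
    for first, second in itertools.product(dict1, dict2):
        body = expand(template, first, second)
        yield {
            "payloads": (first, second),
            "url": url,
            "headers": {
                "Content-Type": "application/x-www-form-urlencoded",
                # Computed from the final body, never copied from the pasted request.
                "Content-Length": str(len(body.encode("utf-8"))),
            },
            "body": body,
        }


def render(req: Dict[str, Any]) -> str:
    """Raw HTTP/1.1 text of a request, the form a requester/replay tool shows."""
    parts = urlsplit(req["url"])
    lines = [f"POST {parts.path or '/'} HTTP/1.1", f"Host: {parts.netloc}"]
    lines += [f"{k}: {v}" for k, v in req["headers"].items()]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


if __name__ == "__main__":
    print(request_count(NAMES, PASSWORDS), "requests")
    print(render(next(build_requests(URL, POST_TEMPLATE, NAMES, PASSWORDS))))
```

Recomputing Content-Length after substitution is the detail that matters: the pasted request carries the length of the original form submission, and a server that trusts that stale header would read a truncated or padded body.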


This is a first approach to the tool; you can do more types of attacks, but I think this is enough for a first time ;)


Team:

        -Christian Martorella aka Laramies - WebSlayer, wfuzz (engine)
        -Carlos del Ojo aka deepbit - wfuzz (engine), Payload Generator
        -Vicente Diaz - testing, Payload Generator

Thanks to:

        -Vicente Diaz for helping in testing and some programming.
        -Javier Mendez and Jonathan Barajas for the heavy testing and all their recommendations ;)
        -DarkRaver for his excellent wordlists, and the first PRL (Dirb) www.open-labs.org
        -All the S21sec team

Download here, right now only win32

Source code will be available ASAP on Google Code

Linux: you can run the tool on Linux distributions that have the python-qt package with WebKit support. Right now I'm aware that Debian Unstable has the package. Update: Ubuntu 8.10 has python-qt4 with WebKit support.

You can also use the Win32 version with Wine; thanks to Jonathan Barajas for the test.
Windows
OS X and Linux coming soon..