Samurai Web Testing Framework

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

Development Release

The Samurai project team is happy to announce the release of a development version of the Samurai Web Testing Framework. This release is currently a fully functional linux environment that has a number of the tools pre-installed. Our hope is that people who are interested in making this the best live CD for web testing will provide feedback for what they would like to see included on the CD.

The project team has also created a mailing list for conversatoin regarding the project and its direction. We welcome all interested people in joining us there. The project is also open to volunteers who would like to assist us in building this project.

The Ultimate Pen Test: Combining Network and Web App Techniques for World Domination

Monday, September 29 * 7:00pm - 9:00pm
, Ed Skoudis and Kevin Johnson
, SANS Network Security 2008 Keynotes

Most penetration tests are focused on either network attacks or web application attacks. Given this separation, many pen testers themselves have understandably followed suit, specializing in one type of test or the other. While such specialization is a sign of a vibrant, healthy penetration testing industry, tests focused on only one of these aspects of a target environment often miss the real business risks of vulnerabilities discovered and exploited by determined and skilled attackers. By combining web app attacks such as SQL injection, Cross-Site Scripting, and Remote File Includes with network attacks such as port scanning, service compromise, and client-side exploitation, the bad guys are significantly more lethal. Penetration testers and the enterprises who use their services need to understand these blended attacks and how to measure whether they are vulnerable to them. This session provides practical examples of penetration tests that combine such attack vectors, and real-world advice for conducting such tests against your own organization.

Project Team

Project Leads

  Kevin Johnson

Kevin Johnson is a Senior Security Analyst with InGuardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E. (the Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including Infragard, ISACA, ISSA and the University of Florida.

  Justin Searle

Justin Searle is a Senior Security Analyst with InGuardians. He specializes in network security architecture, penetration testing, and PCI compliance. Prior to InGuardians, Justin served as the IT Security Architect for JetBlue Airways. Justin helped secure their telecommuters' virtual call center and re-design the airline's infrastructure to help towards PCI compliance. He has also provided top-tier support for some of the largest supercomputers in the world. Justin has taught courses in hacking techniques, intrusion detection, forensics and Cisco networking at both ITT Technical Institute and New Horizons. Justin has presented at a number of security conferences, including ToorCon and the SANS Institute Pentesters Summit. Justin has an MBA in International Technology, as well as both the CISSP and SANS GCIH certifications.

Team Members

  Frank DiMaggio

About Samurai

Samurai Web Testing Framework
Web penetration testing live CD built on open source software.