SamuraiWTF 4.1.1 released: a web pen-testing environment

The Samurai Web Testing Framework (SamuraiWTF) is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.



  • Minor fixes to point to combined samurai-dojo target (instead of using submodules).


  • Base distro changed from Kubuntu to Debian (currently Stretch)
    • The built and exported OVA is 2.57GB as of the time of this post – more than 30% smaller than its zippedpredecessor.
  • Switched from KDE to OpenBox + Tint2
  • Primarily tested on VirtualBox rather than VMWare
    • There’s a commercial VMware provider for Vagrant, that we haven’t tested.
    • We have successfully exported from VBox and imported into VMWare Fusion, but it won’t have VMware tools baked in (shared folders, clipboard sharing, etc)
    • This is more a side-effect of switching to VirtualBox than it is a choice, however it has the advantage of price. VirtualBox is free. This means that using it for training at a public event, like a Security B-Sides, the students don’t need to buy a commercial VMware license to participate.
  • Targets are now setup in Docker containers behind an Nginx reverse proxy.
    • Docker wrapper has been created for the Samurai Dojo project.
    • The OWASP Juice Shop is included as well – which is a fantastic vulnerable modern web app project led by Björn Kimminich.
  • For most of the tools, it fetches the latest version during the vagrant up process.
  • The default Vagrant machine is the combined targets + desktop environment, but either one can be individually built
    • Desktop with tools to attack targets that are hosted somewhere
    • Target server to attack with tools installed on the host machine
      • This use case hasn’t been tested to any significant degree