Offensive Web Testing Framework (OWTF) is a framework which tries to unite great tools and make pen testing more efficient. @owtfp http://owtf.org

Offensive Web Testing Framework

OWASP OWTF is a project focused on penetration testing efficiency and on aligning security tests with security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST, so that pentesters have more time to:

  • See the big picture and think out of the box
  • More efficiently find, verify and combine vulnerabilities
  • Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short timeframes we are typically given to test.

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Note: This tool is however not a silver bullet and will only be as good as the person using it: understanding and experience are required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.

Requirements

OWTF is developed on Kali Linux and macOS, but it is made for Kali Linux (or other Debian derivatives).

OWTF supports both Python 2 and Python 3.

Installation

Recommended:

Using a virtualenv is highly recommended!

Manually set up the database

Replace the variables $db_name, $db_user and $db_pass with the values from the settings.py file. Make sure the values are exactly the same.

  • Start the PostgreSQL server:

    • macOS: brew install postgresql and pg_ctl -D /usr/local/var/postgres start
    • Kali: sudo systemctl enable postgresql; sudo systemctl start postgresql or sudo service postgresql start
  • Create the owtf_db_user user:

    • macOS: psql postgres -c "CREATE USER $db_user WITH PASSWORD '$db_pass';"
    • Kali: sudo su postgres -c "psql -c \"CREATE USER $db_user WITH PASSWORD '$db_pass'\""
  • Create the database:

    • macOS: psql postgres -c "CREATE DATABASE $db_name WITH OWNER $db_user ENCODING 'utf-8' TEMPLATE template0;"
    • Kali: sudo su postgres -c "psql -c \"CREATE DATABASE $db_name WITH OWNER $db_user ENCODING 'utf-8' TEMPLATE template0;\""
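The one-liners above nest a shell variable inside an SQL string literal inside a shell string, so a db_pass containing a single quote, a double quote or a dollar sign silently breaks the statement (or ends up as a different password than the one in settings.py). The following is an added example, not code from the OWTF project: it builds the same two statements with explicit SQL quoting and passes them to psql as an argv list (no shell), which removes that layer. It swaps in sudo -u postgres for the README's sudo su postgres -c; the owtf_db name and the passwords are constructed sample values.

```python
"""Build and optionally run the CREATE USER / CREATE DATABASE steps with
proper quoting.  Added example, not part of OWTF."""
import subprocess
from typing import List


def quote_literal(value: str) -> str:
    """SQL string literal: single quotes, embedded single quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def quote_ident(name: str) -> str:
    """SQL identifier: double quotes, embedded double quotes doubled.
    Caveat: a quoted identifier keeps its case, while the README's unquoted
    form folds to lower case, so keep db_name/db_user lower-case in settings.py."""
    return '"' + name.replace('"', '""') + '"'


def bootstrap_statements(db_name: str, db_user: str, db_pass: str) -> List[str]:
    """The two statements from the README, with every value quoted."""
    return [
        "CREATE USER {} WITH PASSWORD {};".format(
            quote_ident(db_user), quote_literal(db_pass)),
        "CREATE DATABASE {} WITH OWNER {} ENCODING 'utf-8' TEMPLATE template0;".format(
            quote_ident(db_name), quote_ident(db_user)),
    ]


def psql_commands(db_name: str, db_user: str, db_pass: str,
                  kali: bool = False) -> List[List[str]]:
    """argv lists for psql.  Passed to subprocess without a shell, so the
    statement text is delivered to psql byte-for-byte; kali=True runs as the
    postgres OS user via sudo (substitute for 'sudo su postgres -c')."""
    prefix = ["sudo", "-u", "postgres", "psql"] if kali else ["psql", "postgres"]
    return [prefix + ["-c", stmt]
            for stmt in bootstrap_statements(db_name, db_user, db_pass)]


def bootstrap(db_name: str, db_user: str, db_pass: str,
              kali: bool = False, dry_run: bool = True) -> int:
    """Run (or, by default, only print) the commands; returns how many ran."""
    ran = 0
    for argv in psql_commands(db_name, db_user, db_pass, kali):
        if dry_run:
            print(argv)
        else:
            subprocess.run(argv, check=True)  # raises on a failed statement
        ran += 1
    return ran


if __name__ == "__main__":
    # constructed sample values; take the real ones from settings.py
    bootstrap("owtf_db", "owtf_db_user", "it's $ecret", kali=False)
```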

pip install git+https://github.com/owtf/owtf#egg=owtf or clone the repo and python setup.py develop.

If you want to change the database password in the Docker Compose setup, edit the environment variables in the docker-compose.yml file.

To run OWTF on Windows or macOS, OWTF uses Docker Compose. You need to have Docker Compose installed (check with docker-compose -v). After installing Docker Compose, simply run make compose and open localhost:8009 for the OWTF web interface.

Install on OSX

Dependencies: install Homebrew (https://brew.sh/) and follow the steps given below:

$ virtualenv <venv name>
$ source <venv name>/bin/activate
$ brew install coreutils gnu-sed openssl
# We need to install 'cryptography' first to avoid issues
$ pip install cryptography --global-option=build_ext --global-option="-L/usr/local/opt/openssl/lib" --global-option="-I/usr/local/opt/openssl/include"
$ git clone <this repo>
$ cd owtf
$ python setup.py install
# Run OWTF!
$ owtf

Features

  • Resilience: If one tool crashes, OWTF will move on to the next tool/test, saving the partial output the tool produced up to the crash.
  • Flexible: Pause and resume your work.
  • Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:
    • Passive: No traffic goes to the target
    • Semi Passive: Normal traffic to the target
    • Active: Direct vulnerability probing
  • Extensive REST API.
  • Has almost complete OWASP Testing Guide (v3, v4), Top 10, NIST and CWE coverage.
  • Web interface: Easily manage large penetration engagements.
  • Interactive report:
    • Automated plugin rankings from the tool output, fully configurable by the user.
    • Configurable risk rankings
    • In-line notes editor for each plugin.

License

Check out LICENSE

Code of Conduct

Check out Code of Conduct

Links