Skip to content

Releases: owtf/owtf


16 Mar 17:09
Choose a tag to compare
Bump version: 2.5.0 → 2.6.0


28 Mar 05:02
Choose a tag to compare

This release includes more fixes and improvements to the overall OWTF installation on different platforms. It also includes fixes to port OWTF from Python2 to Python3, running PostgreSQL database (with persistence) in a Docker container, and a couple of improvements to the web interface (in progress).


16 May 01:26
Choose a tag to compare
  • Update the pyscopg2-binary package and fix the Docker build.


02 Apr 23:01
Choose a tag to compare

This release is purely to fix existing bugs in the master branch (feature freeze). This release includes:

  • Proxy and transaction logger bug fixes
  • Nikto plugin and SSLabs scan plugin fixes
  • Update ptp dependency to the latest version
  • Dockerfile fixes
  • Bug fixes to config parsing and duplicate keys in the framework_config.cfg and general.cfg.
  • Fixes tool paths and ~/.owtf from being overwritten every install
  • Remove cached git submodule committed in error.

For complete changelog, refer to v2.3b...v2.3. Stay tuned to a bigger, better and polished OWTF release coming soon!


25 Oct 12:44
Choose a tag to compare
MacinOWTF Pre-release

This pre-release adds native support for OWTF on macOS. It makes development much easier to do and also allows users to deploy and run the tool without using Docker on macOS.

This release also fixes some nasty zombie process related bugs and restructures the Tornado handlers to be in a dedicated module.

Rolling Reboot

25 Oct 12:42
Choose a tag to compare
Rolling Reboot Pre-release

The release is a major milestone towards the distributed architecture. The release makes OWTF into a Python package with code with Python 2/3 compatibility.

  • The new web interface was moved to its separate directory. OWTF is deprecating the old method of rendering templates using Tornado.

  • Completely removed Zest, PlugnHack, WafBypasser and Proxy miner support. We need addons support in OWTF so that optional features can be easily plugged in.

  • Renamed configuration to conf to separate it from the other config folder.

  • The OWTF current install runs a post installation step in python install. The PR removes the virtualenv setup completely, since now it is the user's job to run python install in a separate virtualenv for maximum compatibility.

  • Added Sphinx docstrings to almost every function and module in OWTF

  • Convert all function names to snake case.

  • All code is now compatible with Python3 and Python2

  • Fixed tests

  • Refactor installation method to install everything to ~/.owtf.

  • Add Debian packaging scripts

  • Better Makefile

  • Create a new virtualenv, virtualenv and activate the environment.

  • Go into OWTF directory and run python install which install OWTF as a package and starts the postsetup install script.

NOTE: if the user wants to run OWTF in developer mode, they need to set an environment variable, export OWTF_DEV=1
To run OWTF, make a new folder for your target engagement, and run OWTF as python -m owtf.

After this, OWTF should no longer be responsible for

  • running Postgresql on startup (user's job!)
  • virtualenv management (users should use it by default for separate projects)

OWTF 2.1a Chicken Korma

25 Apr 21:39
Choose a tag to compare

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many stability and bug fixes. The entire codebase has been refactored to PEP8 (with some custom checks and modified requirements) standards.

New features

  • A revamped installation process, using virtualenv.
  • Moved all user configuration to ~/.owtf/<configuration>.
  • Added a Dockerfile to test OWTF on unsupported systems (macOS and Windows).

Bug fixes

  • Removes old / unused / dead code.
  • Lots of PEP-8 changes.
  • Resolves an old proxy bug in e1ba544.
  • Fixes Nikto script SSL handling
  • Resolves many proxy SSL errors
  • Fixed severity labels in the UI
  • Improved helper scripts for setting up OWTF
  • Fixed Debian installation scripts to point to Kali rolling.
  • Fixed SIGINT errors in SSL testing scripts.
  • Deprecate support for SamuraiWTF distribution.

View the full changelog here.

OWTF 2.0a Tikka Masala

14 May 03:52
Choose a tag to compare

IMPORTANT: Migrating from 1.0.1 to 2.0a includes breaking changes and requires a complete DB clean and initialisation - use the installer and the script scripts/ to do that.
NOTE: This will delete all OWTF data from the database, so take a backup if you want ;)
bash scripts/ clean
bash scripts/ init
python install/

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many new features and countless bug fixes. This release would not have been possible without the help of a number of pre-GSoC contributors, mentors, and everybody who sent us cool ideas, feedback or reported bugs. In particular, this release is dedicated to our Indian contributors without whom this release would not have been possible.

Important Features and fixes

  • Kali 2.x support
  • Functional tests suite included => build passing(!) <=> Tao Sauvage (@DePierre)
  • Progress bar added to the web interface <=> Anshul Singhal (@saganshul)
  • HTTPrint signatures updated <=> Rahul Pratap Singh (@RahulPratapSingh)
  • Updated CMS Explorer lists <=> Viyat Bhalodia (@delta24)
  • Minimal auxiliary plugin support added back <=> Amit Gupta (@Darknight--)
  • SSL Labs API integration <=> Pau Ferrer Cid (@paute)
  • Resolves SQLAlchemy deadlock and improved proxy handling <=> Viyat Bhalodia (@delta24)
  • Fixes all Metasploit plugin functionality <=> Amit Gupta (@Darknight--)
  • General UI improvements <=> Ayush Singh (@DoomTaper), Anshul Singhal (@saganshul), Sachin Kamath (@SachinKamath)
  • CWE and OWASP Top 10 mappings <=> Amit Gupta (@Darknight--)
  • Improved worker UI controls = adds Pause All, Resume All functionality <=> Viyat Bhalodia (@delta24)
  • Supports Debian-based distributions <=> Wes Renshaw (@C0smos), Karan Desai (@karandesai-96), Sachin Kamath (@SachinKamath)

Full Changelog

Implemented enhancements:

  • xxx_testgroups.cfg should be moved to /profiles #670
  • OWTF takes few steps to start #638
  • Session Modal breaks for large session names #635
  • Check for tools before running commands #632
  • Adding Issue and Pull Request templates #599
  • Debian and Samurai install scripts are not executable. #573
  • Increase readability of manual installation output on terminal. #564
  • Installer Issues #534
  • Passive google searches should use @@@Domain@@@ instead of @@@host_path@@@ #529
  • Increase proxy CA security #526
  • Add to the passive search #523
  • install/ skip sudo password #519
  • Using a remote server #510
  • potential command to add to the install scripts (develop branch) #473
  • Timestamps not present in transaction log #472
  • Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467
  • External XSS plugin resource: XSS Payloads #466
  • What is the hurdle in doing passive scan's #464
  • Rank should collapse the plugin, at least in some cases #459
  • Suggested improvements for the transaction log #458
  • Integration with punk spider for passive tests #457
  • Clean up colours from various tools prior to saving it in a file #456
  • Export targets feature (UI) #454
  • Lack of filters on target page (UI) #453
  • Improve curl commands #446
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Add “Pause All / Resume All” to the worker monitoring #440
  • Review OWTF CPU usage post-DirBuster #437
  • Smarter Runner #430
  • Unable to “delete all” from worklist on UI #427
  • OWTF should check if postgresql client is installed as well #413
  • External Command Injection plugin link #412
  • Mobile responsive #406
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • Settings > HTTP AUTH #369
  • Setup gemnasium #358
  • Worklist search boxes should not be case sensitive #355
  • Automated Bug reporter improvement #352
  • Possible improvement for the UI worker buttons #350
  • Minor intuitiveness improvements #349
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Issues on Ubuntu #334
  • OWTF should check if postgres is running #311
  • [zest] Updating the zest jars #293
  • [wapiti] HTML report is not available anymore #287
  • Display logs in the webUI #271
  • Installed Tool Validation Project #249
  • Run plugins pop up window improvement (UI branch) #243
  • Generate script for creating CA custom OpenVAS during installation #170
  • Explore CMS-Explorer dictionary alternatives for best results #119
  • Moving external plugin reports away from targets subreports #111
  • Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108
  • Form-based authentication #90
  • owtf auto-update option #31
  • filter by severity feature added #576 (saganshul)

Fixed bugs:

  • PostgreSQL Fix in should use SHOW config_file; #669
  • PostgreSQL Fix in restarts postgresql daemon in any case #668
  • ConfigDB silently fails when default.cfg not found #666
  • Bash 'which' error in script #662
  • Improper Set-Cookie header handling in proxy #582
  • Same rank cannot be given to a plugin twice #570
  • Listing plugins option (-l) not working #556
  • Plugin Filter Display not working properly #547
  • Proxy errors (silent) in logs #528
  • Workers do not pick items from worklist #527
  • Unable to open directory from browser #525
  • Error calling make_dirs when a long URL is passed #521
  • [develop] plugin getting stuck stops the whole scan... #515
  • Getting error while running plugins. Error "Oops! Server replied: Bad Request" #481
  • The grep stats for header matche percent are incorrect #470
  • UI doesn't cope with multiple simultaneous tabs / actions? :P #455
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Bug - "Ops unable to add some targets” #443
  • BUG in “Testing For Ssl-Tls” plugin in latest Kali #442
  • Directory Brute-forcing should be towards the end of the scan #441
  • postgres “idle in transaction” processes occasionally spike CPU usage #438
  • Ocassional Crash after running skipfish #435
  • Occassional failure to close children processes #434
  • Target shuffling #433
  • Bug in MiTM proxy Cookie parser #428
  • Unreasonable use of CPU/memory by postgres / owtf processes #426
  • Nikto plugin not realising when nikto has finished [#422](https://g...
Read more

OWTF 1.0.1 Lionheart

14 Oct 21:32
Choose a tag to compare
  • Fixed a major installation bug caused due to wrong handling of requirements by pip

OWTF 1.0 Lionheart

05 Oct 14:20
Choose a tag to compare

Updated version name and added GSoC participants