Skip to content
Mar 28, 2019
Bump version: 2.5.0 → 2.6.0

@viyatb viyatb released this Mar 28, 2019 · 13 commits to develop since this release

This release includes more fixes and improvements to the overall OWTF installation on different platforms. It also includes fixes to port OWTF from Python2 to Python3, running PostgreSQL database (with persistence) in a Docker container, and a couple of improvements to the web interface (in progress).

Assets 2

@viyatb viyatb released this May 16, 2018 · 3 commits to master since this release

  • Update the pyscopg2-binary package and fix the Docker build.
Assets 2

@viyatb viyatb released this Apr 2, 2018 · 4 commits to master since this release

This release is purely to fix existing bugs in the master branch (feature freeze). This release includes:

  • Proxy and transaction logger bug fixes
  • Nikto plugin and SSLabs scan plugin fixes
  • Update ptp dependency to the latest version
  • Dockerfile fixes
  • Bug fixes to config parsing and duplicate keys in the framework_config.cfg and general.cfg.
  • Fixes tool paths and ~/.owtf from being overwritten every install
  • Remove cached git submodule committed in error.

For complete changelog, refer to v2.3b...v2.3. Stay tuned to a bigger, better and polished OWTF release coming soon!

Assets 2
Pre-release
Pre-release

@viyatb viyatb released this Oct 25, 2017 · 20 commits to master since this release

This pre-release adds native support for OWTF on macOS. It makes development much easier to do and also allows users to deploy and run the tool without using Docker on macOS.

This release also fixes some nasty zombie process related bugs and restructures the Tornado handlers to be in a dedicated module.

Assets 2
Pre-release
Pre-release

@viyatb viyatb released this Oct 25, 2017 · 303 commits to develop since this release

The release is a major milestone towards the distributed architecture. The release makes OWTF into a Python package with code with Python 2/3 compatibility.

  • The new web interface was moved to its separate directory. OWTF is deprecating the old method of rendering templates using Tornado.

  • Completely removed Zest, PlugnHack, WafBypasser and Proxy miner support. We need addons support in OWTF so that optional features can be easily plugged in.

  • Renamed configuration to conf to separate it from the other config folder.

  • The OWTF current install runs a post installation step in python setup.py install. The PR removes the virtualenv setup completely, since now it is the user's job to run python setup.py install in a separate virtualenv for maximum compatibility.

  • Added Sphinx docstrings to almost every function and module in OWTF

  • Convert all function names to snake case.

  • All code is now compatible with Python3 and Python2

  • Fixed tests

  • Refactor installation method to install everything to ~/.owtf.

  • Add Debian packaging scripts

  • Better Makefile

  • Create a new virtualenv, virtualenv and activate the environment.

  • Go into OWTF directory and run python setup.py install which install OWTF as a package and starts the postsetup install script.

NOTE: if the user wants to run OWTF in developer mode, they need to set an environment variable, export OWTF_DEV=1
To run OWTF, make a new folder for your target engagement, and run OWTF as python -m owtf.

After this, OWTF should no longer be responsible for

  • running Postgresql on startup (user's job!)
  • virtualenv management (users should use it by default for separate projects)
Assets 2

@viyatb viyatb released this Apr 25, 2017 · 434 commits to develop since this release

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many stability and bug fixes. The entire codebase has been refactored to PEP8 (with some custom checks and modified requirements) standards.

New features

  • A revamped installation process, using virtualenv.
  • Moved all user configuration to ~/.owtf/<configuration>.
  • Added a Dockerfile to test OWTF on unsupported systems (macOS and Windows).

Bug fixes

  • Removes old / unused / dead code.
  • Lots of PEP-8 changes.
  • Resolves an old proxy bug in e1ba544.
  • Fixes Nikto script SSL handling
  • Resolves many proxy SSL errors
  • Fixed severity labels in the UI
  • Improved helper scripts for setting up OWTF
  • Fixed Debian installation scripts to point to Kali rolling.
  • Fixed SIGINT errors in SSL testing scripts.
  • Deprecate support for SamuraiWTF distribution.

View the full changelog here.

Assets 2

@viyatb viyatb released this May 14, 2016 · 605 commits to develop since this release

IMPORTANT: Migrating from 1.0.1 to 2.0a includes breaking changes and requires a complete DB clean and initialisation - use the installer and the script scripts/db_setup.sh to do that.
NOTE: This will delete all OWTF data from the database, so take a backup if you want ;)
bash scripts/db_setup.sh clean
bash scripts/db_setup.sh init
python install/install.py

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many new features and countless bug fixes. This release would not have been possible without the help of a number of pre-GSoC contributors, mentors, and everybody who sent us cool ideas, feedback or reported bugs. In particular, this release is dedicated to our Indian contributors without whom this release would not have been possible.

Important Features and fixes

  • Kali 2.x support
  • Functional tests suite included => build passing(!) <=> Tao Sauvage (@DePierre)
  • Progress bar added to the web interface <=> Anshul Singhal (@saganshul)
  • HTTPrint signatures updated <=> Rahul Pratap Singh (@RahulPratapSingh)
  • Updated CMS Explorer lists <=> Viyat Bhalodia (@delta24)
  • Minimal auxiliary plugin support added back <=> Amit Gupta (@Darknight--)
  • SSL Labs API integration <=> Pau Ferrer Cid (@pauTE)
  • Resolves SQLAlchemy deadlock and improved proxy handling <=> Viyat Bhalodia (@delta24)
  • Fixes all Metasploit plugin functionality <=> Amit Gupta (@Darknight--)
  • General UI improvements <=> Ayush Singh (@DoomTaper), Anshul Singhal (@saganshul), Sachin Kamath (@sachinkamath)
  • CWE and OWASP Top 10 mappings <=> Amit Gupta (@Darknight--)
  • Improved worker UI controls = adds Pause All, Resume All functionality <=> Viyat Bhalodia (@delta24)
  • Supports Debian-based distributions <=> Wes Renshaw (@C0smos), Karan Desai (@karandesai-96), Sachin Kamath (@sachinkamath)

Full Changelog

Implemented enhancements:

  • xxx_testgroups.cfg should be moved to /profiles #670
  • OWTF takes few steps to start #638
  • Session Modal breaks for large session names #635
  • Check for tools before running commands #632
  • Adding Issue and Pull Request templates #599
  • Debian and Samurai install scripts are not executable. #573
  • Increase readability of manual installation output on terminal. #564
  • Installer Issues #534
  • Passive google searches should use @@@Domain@@@ instead of @@@host_path@@@ #529
  • Increase proxy CA security #526
  • Add https://censys.io/ to the passive search #523
  • install/install.py skip sudo password #519
  • Using a remote server #510
  • potential command to add to the install scripts (develop branch) #473
  • Timestamps not present in transaction log #472
  • Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467
  • External XSS plugin resource: XSS Payloads #466
  • What is the hurdle in doing passive scan's #464
  • Rank should collapse the plugin, at least in some cases #459
  • Suggested improvements for the transaction log #458
  • Integration with punk spider for passive tests #457
  • Clean up colours from various tools prior to saving it in a file #456
  • Export targets feature (UI) #454
  • Lack of filters on target page (UI) #453
  • Improve curl commands #446
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Add “Pause All / Resume All” to the worker monitoring #440
  • Review OWTF CPU usage post-DirBuster #437
  • Smarter Runner #430
  • Unable to “delete all” from worklist on UI #427
  • OWTF should check if postgresql client is installed as well #413
  • External Command Injection plugin link #412
  • Mobile responsive #406
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • Settings > HTTP AUTH #369
  • Setup gemnasium #358
  • Worklist search boxes should not be case sensitive #355
  • Automated Bug reporter improvement #352
  • Possible improvement for the UI worker buttons #350
  • Minor intuitiveness improvements #349
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Issues on Ubuntu #334
  • OWTF should check if postgres is running #311
  • [zest] Updating the zest jars #293
  • [wapiti] HTML report is not available anymore #287
  • Display logs in the webUI #271
  • Installed Tool Validation Project #249
  • Run plugins pop up window improvement (UI branch) #243
  • Generate script for creating CA custom OpenVAS during installation #170
  • Explore CMS-Explorer dictionary alternatives for best results #119
  • Moving external plugin reports away from targets subreports #111
  • Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108
  • Form-based authentication #90
  • owtf auto-update option #31
  • filter by severity feature added #576 (saganshul)

Fixed bugs:

  • PostgreSQL Fix in db_setup.sh should use SHOW config_file; #669
  • PostgreSQL Fix in db_setup.sh restarts postgresql daemon in any case #668
  • ConfigDB silently fails when default.cfg not found #666
  • Bash 'which' error in db_setup.sh script #662
  • Improper Set-Cookie header handling in proxy #582
  • Same rank cannot be given to a plugin twice #570
  • Listing plugins option (-l) not working #556
  • Plugin Filter Display not working properly #547
  • Proxy errors (silent) in logs #528
  • Workers do not pick items from worklist #527
  • Unable to open directory from browser #525
  • Error calling make_dirs when a long URL is passed #521
  • [develop] plugin getting stuck stops the whole scan... #515
  • Getting error while running plugins. Error "Oops! Server replied: Bad Request" #481
  • The grep stats for header matche percent are incorrect #470
  • UI doesn't cope with multiple simultaneous tabs / actions? :P #455
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Bug - "Ops unable to add some targets” #443
  • BUG in “Testing For Ssl-Tls” plugin in latest Kali #442
  • Directory Brute-forcing should be towards the end of the scan #441
  • postgres “idle in transaction” processes occasionally spike CPU usage #438
  • Ocassional Crash after running skipfish #435
  • Occassional failure to close children processes #434
  • Target shuffling #433
  • Bug in MiTM proxy Cookie parser #428
  • Unreasonable use of CPU/memory by postgres / owtf processes #426
  • Nikto plugin not realising when nikto has finished #422
  • bootstrap.sh Fails while Installing in Kali #416
  • ValueError when OWTF is run without postgresql properly configured #414
  • OWTF should check if postgresql client is installed as well #413
  • Add target UI issue #405
  • OWTF-DV-004 semi passive no output #404
  • Transaction Logger Bug #403
  • Adding a Target Issue #402
  • [develop] User overriding the 2nd plugin of a test case to Passing won't update the test case #400
  • Create Zest Script Error #383
  • [develop] -f does not work #379
  • [develop] Can't run OWTF more than once against the same target #378
  • [develop] -e does not work when using the CLI #377
  • [develop] -t does not work with -o when using the CLI #376
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • [develop] CLI listing plugins fails #366
  • [develop] Pressing 'n' when some tools were not found does not abort OWTF #365
  • [develop] TypeError when assigning a ranking #362
  • wrong permissions on /root/owtf/scripts/db_run.sh? #360
  • Recommended download method fails if bootstrap.sh exists #359
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Proxychains command investigation #318
  • Workers can be set to Zero #306
  • The report has messy owtf commands with proxychains config #275
  • Bug in install script #259
  • Bug in bug reporter :P #228
  • multiprocessing deadlock #224
  • [lions_2014] Workers disappear sometimes. #223
  • MiTM proxy bug: Secure Connection Failed #222
  • Issues on execution flow UI: Command zombies and inability to stop individual commands #97
  • multiprocessing deadlock #93
  • Don't run internet resources against intranet sites #37

Closed issues:

  • PostgreSQL Fix in db_setup.sh out-dated? #667
  • list plugin command (-l) for auxiliary plugins not working #647
  • Fix run_tlssled.sh permission #645
  • Bug in progress bar #644
  • Dirbuster Plugin not working #642
  • Re-running plugin from GUI not working properly #639
  • keyboard Interrupt Exception Handling #637
  • Reflected XSS Vulnerability #613
  • File Redundancy #609
  • Verify distribution during installation #607
  • UI Add Targets button bug #605
  • Dependency checks , libraries Should be Installed Automatically. #604
  • Error 301 on fetching updates #603
  • Connection reset by peer - wget #592
  • Suppress apt-get confirmations #585
  • Initial Update #584
  • Db query filter should be updated according to current database #579
  • Installation problem on ubuntu #566
  • IDE specific auto-generated files need to be in gitignore. #562
  • README - GSoC 2016 wiki link broken #561
  • Added SVN-Extractor (issue #485) #550
  • Installation in Kali is not working correctly #544
  • Metagoofil missing in Kali 2.x #542
  • Should run aptitude update before trying to install any packages #540
  • Missing libraries #531
  • Pip Import Error Kali Install #520
  • OWTF develop branch install error in Kali Linux 2.0 #516
  • [develop] broken cookie parser #514
  • [develop] cannot launch any web plugins... #513
  • [develop] crash after install on latest kali: column test_groups.priority does not exist #512
  • owtf install on Kali2 fails - cryptography #509
  • Not giving alternative ips #506
  • Command Execution possible using '&' character in argument #503
  • url encoding not working on command line interface #499
  • Error in handling special characters in url #496
  • url check not working properly #494
  • "msfcli" no longer in metasploit #491
  • Installer fails on latest Kali (develop branch) #474
  • DNSpider will not download #471
  • Metasploit msfcli is deprecated. OWTF plugins should be updated. #469
  • Evaluate the use of extracting URIs from different file inputs #468
  • XSS reports on http://xssposed.org/ #465
  • multiple responsive web ui issues #463
  • Can you guys add feature to scan I2P sites? Eepsites. #461
  • Add Flashbang to OWTF #445
  • Modify run_w3af.sh so that buffer overflow tests are DISABLED #436
  • Clean-up the merged dictionary (duplicate entries) #432
  • Selected pagination setting is not remembered on home page #431
  • Remove websecurify #420
  • Display start time on the worker summary screen #419
  • Installation Issue #409
  • Add Targets more responsive #407
  • SSL Labs Upgrade with new API access #401
  • replace msfcli with msfconsole -x or -r #399
  • Lionhearted won't launch after install on Kali 1.09 #398
  • error on bootstrap #397
  • redisgned homepage #396
  • option -t not working on develop #390
  • Owtf not starting #385
  • Create docker container for OWTF #382
  • Owtf not working properly with latest version of pip #380
  • Show progress of scan #373
  • Selecting plugs-ins #372
  • Open links in a new tab #371
  • Settings > TOOLS #370
  • Fix permissions #368
  • DNSpider is called with arguments that include the URL scheme #364
  • bootstrap.sh checksum doesn't match download page #363
  • Web UI icons text pop-up (hovering over explanation) #361
  • "ImportError: No module named adapters" during install #357
  • [Auto-Generated] Minor issue: /bin/sh: 1: /home/valentino/frame/owtf/scripts/extract_urls.sh: Permission denied is not a valid URL and has been ignored, processing continues #353
  • [Auto-Generated] Plugin grep/Application_Configuration_Management@OWASP-CM-004.py failed for target http://some.target.com #351
  • python version to use? #346
  • db.cfg path error. #345
  • Installation fails on Kali Linux #344
  • Debug notes in Installation Script #340
  • Installation fails on Samurai WTF #339
  • improved sslscan #329
  • [Auto-Generated] ValueError: invalid literal for int() with base 10: '' #320
  • [Auto-Generated] Plugin active/HTTP_Methods_and_XST@OWASP-CM-008.py failed for target http://some.target.com #319
  • OWASP Top 10 Mapping #304
  • github.io AND interactive report top SCA tools by platform #303
  • Dependencies Update Option #300
  • [Auto-Generated] Plugin grep/Credentials_transport_over_an_encrypted_channel@OWASP-AT-001.py failed for target http://some.target.com #272
  • [Auto-Generated] Plugin active/Testing_for_SSL-TLS@OWASP-CM-001.py failed for target http://some.target.com #270
  • Current OWTF's cookies manager is broken #256
  • [Auto-Generated] Unknown owtf error #248
  • CWE compatibility #217
  • OWTF Demos redirects to 404 page. #206
  • OWTF Installation Improvement #192
  • PEP8 Pre-Commit Hook #191
  • Checking for Internal IP Disclosure vunerabilities #165
  • Evaluate the value of OWASP O-shaft and decide if is worth adding to OWTF or not #120
  • Investigate integration with Vivek's search engine #116
  • Mitigation boiler plate DB #91
  • Travis CI is still broken.. #82
  • Zest integration #49
  • Malego-like transforms for OWTF #35
  • would be nice some listings... #3

Merged pull requests:

Assets 2

@tunnelshade tunnelshade released this Oct 14, 2014

  • Fixed a major installation bug caused due to wrong handling of requirements by pip
Assets 2

@tunnelshade tunnelshade released this Oct 5, 2014

v1.0

Updated version name and added GSoC participants
Assets 2
You can’t perform that action at this time.