Create new plugins

Viyat Bhalodia edited this page Aug 16, 2014 · 6 revisions

Creating new plugins

Let's say you want to create a new plugin for a scanner that is not supported by OWTF yet, for example Skipfish.

Step 1) Tell OWTF where skipfish is.

For Kali: modify profiles/general/default.cfg, adding the following line close to the other scanners (e.g. Arachni): TOOL_SKIPFISH_DIR: /pentest/web/skipfish

Step 2) Tell OWTF how to run skipfish.

For Kali: modify profiles/resources/default.cfg, adding the following line close to the other scanners (e.g. Arachni).

NOTE: Obviously personal preference applies here, suggestions welcome :)

    SkipfishUnauth_Skipfish__touch new_dict.wl ; cd @@@TOOL_SKIPFISH_DIR@@@ ; ./skipfish -t 90 -i 90 -w 90 -f1000 -b f -o ###PLUGIN_OUTPUT_DIR###/skipfish_report -S /pentest/web/skipfish/dictionaries/minimal.wl -W ###PLUGIN_OUTPUT_DIR###/new_dict.wl @@@TARGET_URL@@@

Step 3) Create a Skipfish plugin (this allows more control, e.g. -o Skipfish_Unauthenticated target_url)

Create a new active plugin in plugins/web/active, call it "", and make the code as follows:

    # Shown in the OWTF plugin list and in the report for this plugin
    DESCRIPTION = "Active Vulnerability Scanning without credentials via Skipfish"

    def run(Core, PluginInfo):
        # Run the Skipfish resource command defined in Step 2 and render its output in the report
        return Core.PluginHelper.DrawCommandDump('Test Command', 'Output', Core.Config.GetResources('Skipfish_Unauth'), PluginInfo, "")

Step 4) Make OWTF run Skipfish by default

Modify profiles/web_plugin_order/default.cfg so that it also contains the following line: active/

After doing all this you can run: -o Skipfish_Unauthenticated
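As an added illustration (not OWTF's own code), here is how the @@@NAME@@@ and ###NAME### placeholders in the Step 2 resource line can be expanded from a configuration dictionary; the resolver, the unresolved-placeholder check and the shell quoting are assumptions, not how OWTF itself does it.

```python
import re
import shlex

# Resource command as written in Step 2 (placeholders exactly as on the page).
SKIPFISH_UNAUTH = (
    "touch new_dict.wl ; cd @@@TOOL_SKIPFISH_DIR@@@ ; "
    "./skipfish -t 90 -i 90 -w 90 -f1000 -b f "
    "-o ###PLUGIN_OUTPUT_DIR###/skipfish_report "
    "-S /pentest/web/skipfish/dictionaries/minimal.wl "
    "-W ###PLUGIN_OUTPUT_DIR###/new_dict.wl @@@TARGET_URL@@@"
)

# Both placeholder styles that appear in the resource line:
# @@@NAME@@@ for general config values and ###NAME### for per-plugin values.
PLACEHOLDER = re.compile(r"@@@(\w+)@@@|###(\w+)###")


def expand_resource(command, config):
    """Replace every placeholder with its configured value (assumed helper).

    Values are shell-quoted because the expanded string is handed to a shell;
    a placeholder with no configured value raises instead of being passed
    through literally, so a typo in default.cfg is caught before anything runs.
    """
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in config:
            raise KeyError(f"unresolved placeholder: {name}")
        return shlex.quote(str(config[name]))

    return PLACEHOLDER.sub(substitute, command)


# Constructed sample configuration (the Kali path is the one from Step 1).
SAMPLE_CONFIG = {
    "TOOL_SKIPFISH_DIR": "/pentest/web/skipfish",
    "PLUGIN_OUTPUT_DIR": "/tmp/owtf_out/skipfish",
    "TARGET_URL": "http://target.example/",
}

if __name__ == "__main__":
    print(expand_resource(SKIPFISH_UNAUTH, SAMPLE_CONFIG))
```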

NOTE: If you press Control + C, OWTF does not exit cleanly yet; I will try to figure out why this happens, but the Skipfish report is saved fine on disk.