owtf: Offensive Web Testing Framework – Penetration Testing

OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST so that pentesters will have more time to

See the big picture and think out of the box

More efficiently find, verify and combine vulnerabilities

Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions

Perform more tactical/targeted fuzzing on seemingly risky areas

Demonstrate true impact despite the short timeframes we are typically given to test.

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Features

Resilience: If one tool crashes OWTF, will move on to the next tool/test, saving the partial output of the tool until it crashed. OWTF also allow you to monitor worker processes and estimated plugin runtimes.

Flexibile: If your internet connectivity or the target host goes down during an assessment, you can pause the relevant worker processes and resume them later avoiding losing data to little as possible.

Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:

Passive : No traffic goes to the target

Semi Passive : Normal traffic to target

Active: Direct vulnerability probing

Some features like the passive and semi_passive test separation may also assist pen testers wishing to go the extra mile to get a head start and maybe even legitimately start report writing or preparing attacks before they are given the green light to test.

ReST API: OWTF uses PostgreSQL as the database backend. All core OWTF functions and options are exposed through a ReST API making it easy to add new features with little effort.

Follows popular pen-testing standards:

OWTF will try to classify the findings as closely as possible to the OWASP Testing Guide. It also supports the NIST and the PTES standards.

PlugnHack v2 support : PlugnHack is a proposed standard from the Mozilla security team for defining how security tools can interact with browsers in a more useful and usable way.

Zest and OWASP-ZAP integration : Zest is an experimental specialized scripting language (domain-specific ) developed by the Mozilla security team and is intended to be used in web oriented security tools.

Responsive web interface: OWTF now has a default web interface which integrates all core OWTF options and makes it possible to manage large pentests easily.

Interactive report updated on the fly:

Automated plugin rankings from the tool output, fully configurable by the user.

Configurable risk rankings

In-line notes editor for each plugin.

Installation

Linux:
wget -N http://ift.tt/2ctpTqY; bash bootstrap.sh
or
git clone http://ift.tt/1mX2wHh; cd owtf/; python2 install/install.py

Windows/MacOS:
Requirement: docker
docker build -t owtf-dev .

docker run -it -p 8009:8009 -p 8008:8008 -p 8010:8010 -v ~/http://path_to_OWTF_on_host:/owtf owtf-dev /bin/bash

Source: Github

The post owtf: Offensive Web Testing Framework appeared first on Penetration Testing.

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s