OWASP OWTF 1.0.1 - Offensive Web Testing Framework

Saturday, October 25, 2014


OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient.OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient. 

OWTF aims to make pen testing:
  • Aligned with OWASP Testing Guide + PTES + NIST
  • More efficient
  • More comprehensive
  • More creative and fun (minimise un-creative work)
so that pentesters will have more time to
  • See the big picture and think out of the box
  • More efficiently find, verify and combine vulnerabilities
  • Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short timeframes we are typically given to test.
The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Features

OWTF uses "Scumbag spidering", ie. instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
This is somewhat "cheating" but tremendously effective since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
Resilience
If one tool crashes OWTF, will move on to the next tool/test, saving the partial output of the tool until it crashed. OWTF also allow you to monitor worker processes and estimated plugin runtimes.
Flexibilty

If your internet connectivity or the target host goes down during an assessment, you can pause the relevant worker processes and resume them later avoiding losing data to little as possible.




Subscribe via e-mail for updates!