OWASP Offensive Web Testing Framework is a project focused on penetration testing efficiency and alignment of security tests to security standards like: The OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.
The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, Figuring out how to call “tool X” then parsing results of “tool X” manually to feed “tool Y” and so on is time consuming.
By reducing this burden we hope pen testers will have more time to:
- See the big picture and think out of the box,
- Find, verify and combine vulnerabilities efficiently,
- Have time to Investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
- Perform more tactical/targeted fuzzing on seemingly risky areas
- Demonstrate true impact despite the short time-frames we are typically given to test.
This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.
- Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
- Exposes RESTful APIs to all core OWTF capabilties.
- Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
- Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
- Extensible OWTF manages tools through ‘plugins’ making it trivial to add new tools.
- OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
- Tool paths and configuration can be easily modified in the web interface.
- Fastest Python MiTM proxy yet!
- Crash reporting directly to Github issue tracker
- Comprehensive interactive report at end of each scan
- Easy plugin-based system; currently 100+ plugins!
- CLI and web interface
You can download OWASP OWTF here:
wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
Or read more here.