Thursday, 25 September 2014

OWTF 1.0 "Lionheart" to be presented @Brucon

Why wait? Download OWTF 1.0 "Lionheart" now! ;)

Just a quick note that the OWTF Crew will be presenting part of what is coming on OWTF 1.0 "Lionheart" during the Brucon 5x5 presentations:

When: Friday September 26, 2014 13:00 - 15:00 
Where: 5 La Trappe (Novotel Ghent) - Brucon, Ghent, Belgium, Europe :)

OWTF talks
Enjoy! :)

Saturday, 13 September 2014

OWTF 1.0 "Lionheart": Call for testers + GSoC Poll

Call for testers

OWTF 1.0 "Lionheart" is inminent, PLEASE help us:
1) Testing the bleeding edge branch here:
2) Reporting bugs here: 

-other options: tutorials, demos, documentation, ideas, suggestions, bug fixes and any other form of contribution you can think of :)-

How to get started:

OWASP OWTF GSoC 2014 Student participation poll

In a similar fashion to what we did last year, in the scientific spirit of “observe and record” a poll was run among GSoC participants that submitted or showed interest to participate in the GSoC for OWASP OWTF.

Poll format

The poll was based on the following questions:

CASE 1) IF you submitted something for OWTF this year, could you please
answer the following question?

What made you submit a proposal for OWASP OWTF? (i.e. as opposed to
other OWASP projects and/or organisations)

CASE 2) IF you decided *NOT* to submit for OWTF this year, could you
please answer the following question?

What made you NOT submit a proposal for OWASP OWTF?
Poll answers - CASE 1) Students who submitted

NOTE: I have only redacted what could identify the student and/or project.

Student 1 - OWTF is written in Python, which is a one of prog. languages I love and is all about Infosec. OWTF is all about automating boring, but rewarding work in pentesting. Lastly, there is heavy active development in the project compared to others.

Student 2 - I have successfully submitted a Proposal to OWASP OWTF *only* because of your support. Initially when I contacted you, I was thinking that I am too late to do a GSoC. My primary aim was to do a *good project* under a really helpful *Mentor* so that I can increase my skills under his guidance. Luckily for me, I got a chance to talk with you and I must say that made a significant difference. After started talking to you, within a week, I was confident that I can do a GSoC (or at-least a good project) with you. That motivated me to submit a proposal for OWTF. -redacted-. Thank you so much for helping me out.

Also even if I didn't get into GSoC, I am planning to complete the project which I have started. I am hoping to start working on it from -redacted-. I love to work, with you as my mentor. Also, I need your valuable suggestion on my project -redacted- so that I can make it a good project (since you are very experienced, I hope you can give some tips).

As tunnelshade said : *You are a project leader which every project must have ;)  *. That's one statement I completely agree.

Student 3 - Because I am familiar with OWTF, and its because a raising project that seems have a brilliant future

Student 4 - Case 1) I submitted to OWASP OWTF because I met my interests: a project related to security, networking, Python or C language. I saw OWASP ZAP 2 or 3 days before OWTF, I was impressed, that an open source project has such great success and is used by a lot of pen-testers, security specialists, programmers. So, I decided to search more about OWASP and its projects, this way I found OWTF and an important step to begin working on proposal was fast and clear response from Abraham Aranguren, thank you Abraham! Before my research for proposal, I knew basic concepts about proxy servers, present technologies in information security, thus OWTF project became an incentive to study more about. Thank you very much OWASP team, for all that you are doing!

Student 5 - What made me submit a proposal was that the project aligned with my skills and helped me grow. Plus the mentors were more supportive than any other org I had interacted with :)

Student 6 - I submitted a project proposal for OWTF because I have been part of OWTF from last -redacted- and my major aim from the beginning was to pick one project (and it was OWTF) and work for it.Honestly, initially when I decided working on OWTF, it was completely a random decision . I just wanted a project in python with few contributors. I asked around, in OWASP mailing list, and gradually Samantha and Fabio suggested me this one. And there I came in contact with Abraham Aranguren, that was the most amazing thing that happened to me. His continuous guidance, motivation and quick responses made me stick with the OWTF project.
I am glad I made that choice :)

Student 7 - Well, I guess this is not the right time for me to answer this question. But to be honest, the reply that I got from you(Compared to other OWASP mentors) after I dropped my first mail in the OWASP mailing list was my motivation to submit proposal to OWTF. Though there are a lot to tell, lot to work on and a way to go but still...

Student 8 - I have a passion for security ever since I have been into it. I started working more on it when I joined my college for undergraduate course. Since then, I have had a good platform to do more research on it. I started playing CTFs as member of team -redacted-. I have great interest in web application security and reverse engineering obfuscated codes.

What I always wanted when I played CTFs was task automation, especially in attack-defence ( service based ) CTFs involving real-time attacks. Python was the best language I found for this, which has heavy modules support (including third party) and, simplicity and efficiency in data handling. I use it for automating blob vulnerabilities over the network against all insecure opponents.

I also wanted to do work on a security project and I believe that doing GSoC would be the best immediate way to actively work on an existing project. In the long run, I would like to keep contributing to Open Source projects outside GSoC too.

Taking all these into consideration, OWTF turned out to be the security project I want to work on. This could be the chance of working on a big Open Source Project. When I started working on it, I came to know more technical details and got really interested and confidant. This motivated me in totally focusing totally on OWASP OWTF.

The mentors in this project are sincerely motivating us at every stage and are happy to help. I am sure that they will be a great source of motivation for all those who work with them.

I am doing GSoC just for gaining experience, it is definitely going to amp up my skills and confidence. But my long term intention is to work on the project beyond GSoC and be a part of it for long enough. And I am interested in this project.
If at all I would have not chosen to work on OWTF, it would be just because I was not lucky enough to notice how relevant this project is to what I do.

Student 9 - Before the GSoC organizations list was released, I was thinking about applying
for a HoneyNet project. When I learned that, this year, this organization was
not selected, I changed my plan.
First of all, I have downloaded the GSoC organizations list and searched for
the Python and security keywords.
Why these keywords? Well, I have been using the Python language for a couple of
years now and it is the language, along with the C one, that I feel the more
confident about. Then security because I am fond of security since a long time
After applying the filter, several organizations appeared.
Among them, the TOR foundation and the OWASP organization. While looking at
the two organizations’ projects list, I found OWTF, which gathered both
Furthermore, I have spent the last six months working in the security service
of -redacted- where I discovered what the work of pentesters was
about. I have learned about the deadlines during which the pentesters had to
accomplish their work and I was surprised about how short they were.
As a conclusion, I have found a great interest in the OWTF which aims to
accomplish the information gathering step that pentesters have to accomplish
before doing further investigations. That way, the pentesters will be more
efficient while doing their work.
All together, I have contacted the mentor of the OWASP OWTF project, Abraham
Aranguren, in order to get started on the project.
In order to sum up my answer, I have applied to work on the OWASP OWTF project
  • It is written in Python
  • It is about security
  • It aims to solve a problem I feel concerned about
PS: I am not sure if it is related but the project name if OWTF like “Oh WTF!”,
which sounds awesome!

Student 10 - I have submit a proposal to OWTF because of the following reasons:
- I Like this project.
- I had contribute to OWTF in the past and this makes me to like this project even more.
- The community R0cKs!
- I am using this program in my work (internship), so I want to help to make it even better.

I didn't choose another project from OWASP because I am not as familiar as OWTF and also i wanted to focus 100% to one project for higher chances of acceptance.

Poll answers - CASE 2) Students who did NOT submit

NOTE: I have only redacted what could identify the student and/or project.

Student 1 - I'm on the second case. I couldn't submit a proposal this year because I didn't have time to write it (because of studies, work, etc.) and I won't be able to work in a GSoC project during the summer. Despite of that, I found you emails really encouraging, and I think it is a good way of motivating the GSoC candidates, so keep doing it.

Student 2 - I decided not to submit for OWTF this year. I had initially chosen 3 organizations to submit a gsoc proposal (OWTF being one of them). But due to shortage of time, I decided to focus on only 1, to increase my chances of getting selected.

Student 3 - well i was very interested to learn pentesting but there are many resources on internet for learning(actually confusing) but owtf combines the best tools so obviously we are going to learn the best ones and gives us a chance to  excel in this field without wasting time  and it is written in PYTHON

Student 4 - Sorry I wasn't able to submit! For your poll, I am definitely a case 2 - I got other offers for work over the summer and decided I wanted to spend my time working for a company this summer instead of doing GSoC. I would still like to contribute to OWTF however! If no one picks up the boilerplate/scripting project for GSoC, is there any way I can still work on it? The topic still really interests me, and I would love to put work into on my own time if I can. Let me know what you think! :)

Student 5 - I am part of case 2 where I couldn't submit the proposal for OWASP OWTF this year. I was determined to submit my proposal but due to lack of time since I am new and got to know about the program late, I couldn't submit the proposal. I thank you for helping me out and supporting me even in the 11 th hour which most wouldn't have done.

Thursday, 4 September 2014

Get credits, help OWASP, meet OWASP Winter Code Sprint, plz RT!

NOTE: OWTF 1.0 "Lionheart" is inminent, please help us checking the bleeding edge branch here and reporting bugs here.

There is an awesome OWASP initiative this winter called OWASP Winter Code Sprint (OWCS).

In essence, if you are a university student this lets you to contribute to a participating OWASP project in exchange for university credits and other perks.

The full list of participating OWASP projects and ideas can be found here.

Important deadlines:
  • September 15th: 1st deadline
  • October 15th: 2nd deadline
Please have a look at the OWCS page for more information and apply for your favourite project today! :).

If any of the following seem interesting to you, please contact me ASAP on -minor thinking required ;)-

Friday, 25 July 2014

XXE Exposed Webinar Recording and Slides

In case someone is interested, I had the pleasure of giving a Webinar for eLearnSecurity on Tuesday this week:

  • Webinar Title: "XXE Exposed"
  • Summary:
Brief coverage of Web Service Types, SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation.Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing

          NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 

Monday, 24 March 2014

OWASP GSoC: call for mentors/co-mentors plz RT!

OWASP received 88 proposals this year, but needs 50+ more mentors or some amazing students will be lost this year in the GSoC 2014, please don't let this happen, here is what you can do:

Case 1) Mentoring for OWASP projects that are not OWTF
If you are interested in mentoring/co-mentoring OWASP projects that are NOT OWTF:
Step 1) Decide what OWASP project to mentor from here:

Step 2) Contact Samantha (samantha.groves at or Kostas (konstantinos at ASAP!
More info:

Case 2) Mentoring for OWASP OWTF 
If you are interested in mentoring/co-mentoring for OWASP OWTF, here is the background:
Step 1) Choose one of the projects below

Step 2) Please contact me ASAP: -Minor thinking required ;)-

All the top OWASP OWTF candidates are already contributors and/or technically very strong, have solid plans, have a deep understanding of their projects (all of which were carefully discussed and reviewed by the team for feasibility in advance), and mentoring needs will be minimal (i.e. they know what to do).

At this point, we don't know slots or final ranking, but the projects/ideas that we believe that have a solid candidate to stand a chance (if the planets and other things align) are as follows:
What do you need to be an OWTF mentor?
  • Must have: 1 x email address @any_domain (i.e.,, etc.)
As stated earlier, OWTF top candidates are very unlikely to bother you with things like "I'm stuck", they are all contributors and/or technically very strong. Mentoring needs are very low, but some of the following would be nice: Infosec OR Python OR JavaScript OR Zest OR Plug-n-Hack knowledge.

Friday, 28 February 2014

Get paid, help OWASP, GSoC 2014 ideas UPDATED, plz RT

Yes folks, it is that awesome time of the year when Google rocks the open source world with their awesome Google Summer of Code again!

This is a quick blog post to let you know that the OWASP OWTF GSoC 2014 ideas have just been updated, there are a few more ideas and most of the existing ones have been improved!
Interested in OWTF? contact me NOW! :)
WARNING: minor thinking required to break this pseudo-CAPTCHA! ;)

Not interested in OWTF? check other OWASP projects!
(lots of ideas this year!)

Monday, 13 January 2014

OWTF 0.45.0 "Winter Blizzard" released! plz RT!

OWASP OWTF is always looking for contributors, feedback and new ideas. If you find a bug or have an idea about what OWTF could do, please tell us in our github issue tracker. Thank you!

This is another a very significant release which includes the continued outstanding work of:

  1. The 4 x OWASP OWTF GSoC 2013 projects -including post-GSoC improvements- (Sponsored by Google. Thank you!)
  2. Marios Kourtesis's OWASP OWTF botnet mode project (Sponsored by BruCon. Thank you!)

OWASP OWTF GSoC 2014 projects

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)

OWASP OWTF - Multiprocessing  by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)

OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)

Usual background + Disclaimer

OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF would just not be possible without all the people that contributed in one way or another. To all of you: Thank you!

Release Notes

Change log since OWTF 0.30 "Summer Storm II" (Full change log is here):

14/01/2014 - 0.45.0 "Winter Blizzard" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), Marios Kourtesis (@marioskourtesis) & their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.

Features :

  • OWTF can now be updated using a command line flag <=> Bharadwaj Machiraju (@tunnelshade)
  • Few tools are proxified through OWTF inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Httprint signatures updated (still updating) <=> Azeddine Islam Mennouchi
  • Plug-n-Hack Phase I implemented in OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Travis CI service is under usage for tests <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • OWTF Inbound proxy is made capable of websocket traffic proxying <=> Bharadwaj Machiraju (@tunnelshade)
  • HTTP AUTH support is implemented in OWTF Inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • User can run multiple instances of OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Outbound socks proxy support implemented <=> Marios Kourtesis (@marioskourtesis)
  • Added nmap to WAF checks <=> Abraham Aranguren (@7a_)
  • Tor mode added to OWTF <=> Marios Kourtesis (@marioskourtesis)
  • New Installation procedure added to OWTF <=> Bharadwaj Machiraju (@tunnelshade)

Enhancements :

  • Spiders, Robots and Crawlers grep plugin added <=> Bharadwaj Machiraju (@tunnelshade)
  • Web Services passive discovery plugin improved <=> Bharadwaj Machiraju (@tunnelshade)
  • Added and fixed some tests for plugins <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • 40+ Bug fixes

Wednesday, 11 December 2013


Please contribute:
We are trying to release the new version of OWTF in the next few weeks (hopefully before 2014!). For that, we need your help to identify and report bugs. THANK YOU! :)

I would like to let you know that, after a careful deliberation, the OWASP OWTF CFP Panel, selected the following projects for access to the available OWASP OWTF funds:

  • Alessandro Fanio González: OWTF Architectural improvements
  • Marios kourtesis: OWTF Botnet mode
  • Assem Chelli: OWTF Reporting improvements

Background on the decision process
I tried to be as neutral as possible due to the unavoidable conflict of interest issue:
Being friends with some of the people who submitted due to 3 months+ working together during the GSoC vs. those that were not. Thankfully, a panel of volunteers stepped up to solve this problem and chose (wisely in my opinion) the best projects given the limited money available. Thank you! -you know who you are ;)-