Friday, 6 January 2012

OWTF 0.10 "Berlin" released!

Background:
The Offensive (Web, etc) Testing Framework (aka owtf) is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org

NOTE: I believe looking at the slides and demos prior to using this will help.
WARNING: This tool unites many great tools and their power, please hack responsibly and always have permission.


Please note that:
- My code always looks like garbage to me and I am not proud of this or anything I ever wrote (i.e. I always see problems/weaknesses in my code)
- So, owtf "kind of works" but this is an initial prototype and has definitely many weaknesses and bugs!
- Criticism will be welcome and constructive criticism will be welcome twice ;)

Some links:
- Direct download for this release (0.10 Berlin)
- Direct download for Demo interactive report (0.10 Berlin, Multi-URL working) <- only a browser needed for this (best with Firefox >= 8)
- Project change log
- Project page (ideas on what to do with this welcome)
- Github page
- Youtube project channel
- Please have a look at the readme files your question might have been answered ;)

Happy pwnage ;)

Contributions of any kind are welcome, some examples: Web design, CSS, JavaScript, python, external scripts, external tools, architecture review, criticism, approach, how tools are run, cool links missing, cool tools missing, etc! (i.e. absolutely anybody can help!)

The biggest limitations at the moment (in my opinion) are:
- Lack of inbound proxy: To be implemented
- Lack of threading: Not as bad as you might think in practice (underlying tools, specially the heavy ones, do use threading) but must be solved in the future. Threads by IP might be the best way to go but ideas are very welcome. The problem of implementing threading in a tool like this is to avoid crashing the pen tester's machine (I implemented a solution for this for my OSCP scripts which have not been ported to owtf yet, but will be in the future)