Thursday, 9 February 2012

OWTF 0.12 "Wicky" released!

Usual background + Disclaimer:
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient. Twitter: @owtfp
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

OWTF 0.12 "Wicky" is dedicated to @marcwickenden for being always there when I needed help and being the first person to contribute to OWTF with code! (1st pull request with IPv6 support). Thank you!

Thank you to Arron, Gavin, Tom and the other members of the Finux Tech Weekly podcast for their kind words and OWTF mention on Episode 12 (MP3, OGG. Around minute 33 if you are interested). 
This is a UK-based InfoSec podcast I enjoy: With love from this little blog ... keep rocking lads! :)

Screenshots (click for a bigger picture) for some of the new features:
- CKEditor integration: lets you paste screenshots, add links, etc. in your review (which can still be imported and exported as text in any browser, of course ;)). A preview is always shown on top of the editor. Depending on how you close the editor, the last character you typed can occasionally be missed, but you are fine as long as you see the text in the preview window. Your help is welcome :).

- This release includes the HTML filter (can you hack it? come on! ;)). OWTF also sandboxes the untrusted content in a separate directory (in the Firefox of the time, a file:// page cannot reach the localStorage of a page in a different directory) just in case you manage to run JavaScript after bypassing the HTML filter and also break out of the iframe sandbox somehow:

- The Summary report filter is finally working: it shows the number of matches in the target icon, triggers the same search on all child reports and resizes them appropriately so that you get an overview of the search findings.

- All reports have a wrench icon that lets you narrow the review down to what you care about (like the Review tab, the wrench settings are global but shown on each report for your convenience). Do you have 100 URLs and want to look at cross-site flashing first? This icon is for you :). It can also be handy to hide the "external" plugins during the first quick look (external plugins are meant for manual exploitation/assistance).
NOTE: the plugin icons always show the totals, while the target icon shows the matches for your current search.
This will make sense once you start using the wrench and see the target icon show a different number from the filter :).

- You can disable the filter at any time by using the red cross.
In the summary report this also collapses all the child reports in one click.
- You can also click the magic bar at any time to switch from "Review Mode" into an initial, rudimentary (i.e. your help is welcome :)) "Report Mode", where all your notes, screenshots, etc. are organised in a more copy-pasteable way to assist your reporting:

Some links:
- Project page:
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Demo interactive reports (Firefox >= 8):

Change log since OWTF 0.11 "Vienna" (Full change log is here):

10/02/2012 - 0.12 "Wicky" pre-alpha release: Dedicated to @marcwickenden for sending the first pull request!
 + Merged pull request with IPv6 support and proper IP validation from @marcwickenden thanks!
 + Added a graceful framework abort when a hostname cannot be resolved (instead of a Python traceback)
 + Added Hurricane Electric passive recon link to discovery plugin (Thanks to Chris John Riley)
 + Bug fix in and to set a Start, RunTime and End date for external plugins that have already been run but need to be registered against a target for report display purposes. This only happened in separate iterations.
 + Added a Sanitiser module to address the "embedding untrusted HTML" issue that arises when POST is the only way to query a third-party site. The filter is public and you are encouraged to break it :). An improved filter will be published shortly after each new public bypass.
   - Thank you very much to everybody that took the time to try to break the HTML filter!
   - Congratulations + props to the successful breakers before this release: Mario Heiderich, @notracecc, @dreyercito
   - If you did not try to break the filter, what are you waiting for? :)
   - The challenge will run indefinitely and is available here:
 + Cleaned up the passive robots.txt plugin to sanitise embedded HTML (via the module above) and moved this to an external file
 + Clean-up for flexibility, readability and code reuse around transparent filtering and sandboxing of embedded third-party HTML (related to the above)
 + When embedding HTML from a third-party site OWTF will:
     1) Filter the HTML using the Sanitiser module above
     2) Save the filtered output to a file
     3) Create a separate file that embeds the filtered output inside a sandboxed iframe (just in case of an unpublished filter bypass ;))
     4) Link only to the sandboxed file from the OWTF report
     5) Save both the sandboxed and non-sandboxed files to another directory, so that they cannot access the HTML5 localStorage where your review lives (at least in Firefox 8, where the file:// origin is the directory)
 + Fixed minor but annoying bug whereby the filter was not showing up when the detailed report was collapsed, so detailed report totals were not being shown
 + Added more links to assist manual XSS exploitation:
 + Integration with CKEditor (
   1) Notes now have a full-blown WYSIWYG editor (CKEditor's permissive licensing allows redistribution, thank you!)
   2) This means you can now take notes with rich formatting: tables, links, bullet points, font face, size, style, etc. (useful for exploit/PoC links, etc.)
   3) The OWTF review works as usual but the notes are now saved with their formatting (HTML instead of plain text)
   4) OWTF shows an automatic preview on top of the editor; it is always displayed, which makes it more obvious whether notes exist for a plugin
   5) OWTF will also automatically save these formatted notes in the review for resilience: Even if your browser crashes or is closed by mistake you keep what you typed
   6) The OWTF notes preview also rewrites links so that they open in a new tab (the most useful option, and consistent with the other links in the report)
   7) OWTF creates/destroys CKEditor instances as follows: 1st lightbulb click: create, 2nd click: destroy, so the report stays lightweight and loads faster
   8) OWTF will destroy all plugin editors when a new one is created: This ensures only resources for a single editor are used at any point in time (report = lightweight)
 + Bug fix: changing the detailed report iframe size via the onload event was messy; the iframe is now created directly with the initial height defined in COLLAPSED_REPORT_SIZE
 + Enhancement: added new review icons to flag certain special cases. Icons can be removed in profiles/general/default.cfg
   1) LadyBug: Flag functional and/or business logic bugs (it's up to you how you interpret this, as usual)
   2) Empty Star: To flag you had a brief look (already saw it) but no real analysis was done
   3) Half Star: To flag you had an initial look but need to investigate more to be able to rate the output
 + Created an initial help file that is linked to from the OWTF report via question mark icons
 + Some clean-up around the review icon code; the report is a bit less messy now :P
 + Plugin Review Icons are now highlighted like filters when the user clicks on them as well as when the report loads: More intuitive
 + Multiple bug fixes around Import/Export Review from Summary report (Import was not working at all and other similar problems)
 + Multiple space and colour optimisations in the report
 + An initial Summary Report filter has been implemented, this triggers the same filter on all children iframes, resizing them, etc
 + Added unit tests for more efficient testing of the Sanitiser module (i.e. quickly re-run all previous bypasses against a new filter)
 + Made the Sanitiser module a bit smarter so that:
     1) It can be called from the framework: When this happens no tests are run, but all functionality is callable by the framework
     2) It can be called from the commandline: When this happens the Sanitiser expects HTML on stdin (i.e. cat input.txt |
     NOTE: I noticed it was handier to read from stdin (instead of a hard-coded file) so that I can regression test new filters faster
 + Significant report memory usage improvements (single review object shared for all reports, it was num_targets x review + 1 before)
 + Significant report performance improvements:
     1) When the report loads for the first time, counters and colours are calculated and stored in localstorage
     2) Counters will only be updated when the user rates plugins from then on
     3) When the report loads again the counters are not recalculated (as before, which was slow); instead they are read from localStorage
 + Lots of small report tweaks to improve navigability, general usability and appearance
 + Added rudimentary reporting functionality via magic bar: Builds a basic report for ease of copy-paste in your reporting
 + Refactored owtf.js into smaller files: owtf_general.js, owtf_review.js, owtf_filter.js and owtf_reporting.js
 + Reorganised dictionaries and tools into "restricted" (i.e. licensing) directories so that they are not committed by mistake to github
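The filter-then-sandbox procedure (steps 1-5 above) and the Sanitiser's stdin command-line mode are easier to reason about with working code in front of you. The following is an added example written for this page; it is not OWTF's Sanitiser module and is not the filter the challenge invites you to break. The tag/attribute allowlist, the function names `sanitise`, `safe_url` and `write_sandboxed`, the output file names and the use of the HTML5 `sandbox` iframe attribute are all my assumptions.

```python
"""Allowlist HTML sanitiser plus sandboxed-iframe wrapper.

Added illustration of the sanitise -> save -> wrap-in-sandboxed-iframe
procedure and of the stdin command-line mode described in the change log.
It is NOT OWTF's Sanitiser module: the allowlist, the function names
(sanitise, safe_url, write_sandboxed) and the file names are assumptions.
"""
import html
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumed allowlist: only inert formatting tags survive; every other tag is
# dropped, but its text content is kept (escaped) so nothing is silently lost.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "pre", "code", "h1", "h2", "h3", "table", "tr", "td", "th", "a"}
ALLOWED_ATTRS = {"a": {"href"}}      # no style, class, id or on* handlers anywhere
ALLOWED_SCHEMES = {"http", "https"}  # rejects javascript:, data:, vbscript:, ...
VOID_TAGS = {"br"}


def safe_url(value):
    """Accept only absolute http(s) URLs. urlparse lowercases the scheme, so
    'JavaScript:alert(1)' or 'data:text/html,...' never match the allowlist."""
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


class AllowlistSanitiser(HTMLParser):
    """Re-serialises the parsed input, keeping only allowlisted tags/attributes.
    Unknown tags (script, img, iframe, ...) are removed, all text is escaped,
    and the output is re-balanced so it cannot break out of its container."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # drop the tag; its text still reaches handle_data
        keep = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and safe_url(value):
                keep.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a":                  # links open in a new tab without a window.opener handle
            keep.append(' rel="noopener noreferrer" target="_blank"')
        self.out.append(f"<{tag}{''.join(keep)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:       # close everything opened after it, keeping nesting valid
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, <!DOCTYPE> and processing instructions are dropped simply by
    # not overriding their handlers.

    def result(self):
        while self.open_tags:           # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitise(untrusted_html):
    parser = AllowlistSanitiser()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


SANDBOX_WRAPPER = """<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Filtered third-party content</title></head>
<body>
<p>Third-party HTML, filtered and shown inside a sandboxed iframe.</p>
<iframe sandbox src="{src}" style="width:100%;height:90vh;border:1px solid #999"></iframe>
</body></html>
"""


def write_sandboxed(untrusted_html, out_dir):
    """Steps 1-5 of the change log: filter, save the filtered copy, and save a
    wrapper that embeds it in an iframe with an empty sandbox attribute (no
    script, no same-origin, no forms, no popups). out_dir is meant to be a
    directory separate from the report; the report links only to the wrapper."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    filtered_path = out_dir / "filtered.html"
    wrapper_path = out_dir / "sandboxed.html"
    filtered_path.write_text(sanitise(untrusted_html), encoding="utf-8")
    wrapper_path.write_text(SANDBOX_WRAPPER.format(src=filtered_path.name), encoding="utf-8")
    return wrapper_path


if __name__ == "__main__":
    # Command-line mode: HTML on stdin, filtered HTML on stdout, e.g.
    #   cat bypass_attempt.html | python sanitiser_example.py
    sys.stdout.write(sanitise(sys.stdin.read()))
```

Two practitioner notes. First, an allowlist is the only sane shape for this kind of filter: the bypasses that beat blocklists (mixed-case `jAvAsCrIpT:`, entity-encoded handlers, `<svg onload>`, unclosed tags that swallow the rest of the page) all fail here because anything not explicitly permitted never reaches the output, and the parser re-balances tags so the fragment cannot close the element it is embedded in. Second, the "separate directory" step relies on the file:// origin rules of the Firefox of the time; newer Firefox versions treat each file:// document as its own origin, so treat that step as defence in depth behind the filter and the iframe `sandbox` attribute (which itself was not yet supported by Firefox 8 and is simply ignored by browsers that lack it).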
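The two target-handling items in the change log (IPv6 support with proper IP validation, and a graceful abort when a hostname does not resolve) are a common source of sloppy regex checks, so here is an added example of how that validation can be done with the standard library. It is not OWTF's code: `FrameworkAbort`, `classify_target` and `resolve_target` are assumed names, and the hostname rules follow the usual RFC 1123 label shape.

```python
"""Target validation with a graceful abort.

Added illustration of the "proper IP validation" (IPv4 + IPv6) and
"graceful abort when a hostname cannot be resolved" items in the change log.
Not OWTF's code: FrameworkAbort, classify_target and resolve_target are
assumed names.
"""
import ipaddress
import socket


class FrameworkAbort(Exception):
    """Carries a one-line, human-readable reason instead of a Python traceback."""


def _valid_hostname(name):
    # RFC 1123 shape: dot-separated labels of ASCII letters/digits/hyphens,
    # max 63 chars each and 253 overall, no leading/trailing hyphen, and a
    # top-level label that is not purely numeric (that would be a malformed
    # IP literal such as 999.1.1.1, not a name worth sending to DNS).
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if not labels[-1] or labels[-1].isdigit():
        return False
    for label in labels:
        if not 0 < len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not (label.isascii() and label.replace("-", "").isalnum()):
            return False
    return True


def classify_target(target):
    """Return 'ipv4', 'ipv6' or 'hostname'; raise FrameworkAbort otherwise.
    ipaddress.ip_address validates both address families properly, including
    compressed IPv6 forms that hand-written regexes routinely get wrong."""
    t = target.strip()
    if t.startswith("[") and t.endswith("]"):   # URL-style IPv6 literal, e.g. [::1]
        t = t[1:-1]
    try:
        return "ipv6" if ipaddress.ip_address(t).version == 6 else "ipv4"
    except ValueError:
        pass
    if _valid_hostname(t):
        return "hostname"
    raise FrameworkAbort(f"'{target}' is neither an IP address nor a valid hostname")


def resolve_target(target):
    """IP literals are returned as-is; hostnames are resolved (IPv4 and IPv6)
    and an unresolvable name becomes a clean FrameworkAbort."""
    kind = classify_target(target)
    t = target.strip()
    if kind != "hostname":
        return [t[1:-1] if t.startswith("[") else t]
    try:
        infos = socket.getaddrinfo(t, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as err:
        raise FrameworkAbort(f"Cannot resolve hostname '{t}': {err.strerror}") from err
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys
    try:
        print(resolve_target(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
    except FrameworkAbort as abort:
        sys.exit(f"[!] {abort}")
</test>
```

Run it with a target as the first argument; a typo such as `wwww.example.invalid` produces a single `[!] Cannot resolve hostname ...` line and a non-zero exit status rather than a traceback, which is exactly the behaviour the change log describes.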