Tuesday, 10 April 2012

OWTF 0.13b "HackPra" released!

This is a stability release fixing a number of issues I encountered as I was preparing my demos -1h :)- for HackPra tomorrow. I will try to explain this weird tool a bit better and look forward to your feedback :).

OWTF 0.13b "HackPra" is dedicated with special love to HackPra, its organisers and attendants!
NOTE: Since we are no longer in the middle ages I have assumed that nobody will have problems with number "13" :).

Usual background + Disclaimer:
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page: http://owtf.org
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Demo interactive reports (Firefox >= 8): https://github.com/7a/owtf/tree/master/demos

Change log since OWTF 0.13 "Trooper" (Full change log is here):
10/04/2012 - 0.13b "HackPra" pre-alpha release: Dedicated to HackPra, its organisers and attendants
 + Inclusion of slowloris, thanks to RSNake for allowing redistribution!
 + More indentation clean up in various files
 + Fixed bug on DeriveURLSettings: Thanks to Sandro Gauci for reporting!
   The home-brew parsing was resulting in an error like below with URLs like http://example.com:81
   "Aborted by Framework: Cannot resolve Hostname: example.com:81"
   URL parsing is now done via the urlparse library
 + Fixed bug introduced in the fix above whereby urlparse was returning "None" for the port in the summary report:
   Reintroduced scheme check to handle this case and ensure the port is never blank regardless of URL format
 + Fixed bug similar to the one in DeriveURLSettings on the OWTF Core:
   IsInScopeURL was parsing the hostname from the URL in a home-brew fashion this worked ok most of the time
   but in some cases could lead to bugs, core.py is now using urlparse for parsing the hostname from the URL
 + Added regression test shell scripts to tests directory