Monday, 24 September 2012

OWASP OWTF 0.15 "BruCon" released!

IMPORTANT: If you are attending the "Introducing OWTF" BruCon workshop on Wednesday please download the latest OWASP OWTF and latest DEMO Report. Thank you!

Another round of GIT hell has taught me a couple of things but finally, OWASP OWTF 0.15 is here for your entertainment!

OWTF 0.15 "BruCon" is dedicated with special love to BruCon, its organisers and attendants!

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- You will probably get the most out of this tool if you look at the Presentation Slides first.

Change log since OWTF 0.14 "London" (Full change log is here):
24/09/2012 - 0.15 "Brucon" pre-alpha release: Dedicated to Brucon (http://brucon.org), its organisers and attendants
+ Changed name to OWASP OWTF since this is an OWASP project now, thank you OWASP! - https://www.owasp.org/index.php/OWASP_OWTF
+ Bug fix: General clean-up of the bt5_install.sh script + OWTF's tool locations for a smoother install experience, thanks to Xavier Mertens (@xme) for reporting!
+ Bug fix: Removed Slowloris download code from bt5_install.sh script since redistribution was allowed by RSnake and it's packaged with OWASP OWTF
+ Bug fix: Commented out whatweb download from bt5_install.sh since the Backtrack version is now stable, default config also points to Backtrack path now
+ Bug fix: requester.py was referencing "Core.mError" which could sometimes result in the following error: "AttributeError: Core instance has no attribute 'mError'"
+ New feature: Instead of having to use our own nikto binaries, the OWTF's install script will now patch's nikto's poor default user agent (blocked by basic WAF blacklists)
+ Added to Sandro Gauci's Webapp Exploit Payloads to the following external plugins: XSS, CSRF and Cross Site Flashing
+ Added cross-site flashing link to get swfdump from www.swftools.org
+ Added external plugin link to bAdmin project (from whitehat) for default admin interfaces passwords
+ Added xss external plugin link to Gareth's Heyes HackVertor
+ Added xss external plugin link to Mario Heiderich's html5sec.org
+ Changed default UA to a more believable FF15
+ Added udl filetype to blanket google hacking searches (ica and rdp were already there), thanks to Chema Alonso (@chemaalonso)!
+ Added external cross-site flashing link to Adobe's SWFInvestigator
+ Added external xss link to Krzysztof Kotowicz's Chrome extension exploitation framework (XSS ChEF)
+ Added external xss link to Michal Zalewski's post-XSS ideas on XSS exploitation
+ Added external session management schema link to .NET VIEWSTATE vulnerabilities blog post
+ Added external SQLi plugin link to InfoSec Institute's SQLi Backdoor creation article
+ Added external file extension handling + SQLi link to contagiodump.blogspot.com's Collection of Web Backdoors & Shells
+ Added external file extension handling + SQLi link to Laudanum's Project for shells and utilities
+ Added external Bypassing Authentication Schema plugin link to OWASP's Password Storage Cheat Sheet
+ Added external Clickjacking plugin link to OWASP's ClickJacking article
+ Added external Bypassing Authorisation Schema link to OWASP's Access Control Cheat Sheet
+ Added external plugin link to bAdmin project (from whitehat) for default or guessable user accounts plugin
+ Added external plugin link to OWASP's XSS Filter Evasion Cheat Sheet
+ Added external plugin link to OWASP's XSS Prevention Cheat Sheet
+ Added external plugin link to OWASP's DOM XSS Prevention Cheat Sheet
+ Added external plugin link to OWASP's Web Service Security Cheat Sheet
+ Added external plugin link to OWASP's Transport Layer Protection Cheat Sheet
+ Added external plugin link to OWASP's SQL Injection Prevention Cheat Sheet
+ Added external plugin link to OWASP's Query Parameterization Cheat Sheet (complements SQLi cheat sheet)
+ Added external plugin link to OWASP's Session Management Cheat Sheet
+ Added external plugin link to OWASP's Logging Cheat Sheet
+ Added external plugin link to OWASP's JAAS Authentication Cheat Sheet
+ Added external plugin link to OWASP's Forgot Password Cheat Sheet
+ Added external plugin link to OWASP's Cryptographic Storage Cheat Sheet
+ Added external plugin link to OWASP's Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
+ Added external plugin link to OWASP's Choosing and Using Security Questions Cheat Sheet
+ Added external plugin link to OWASP's Authentication Cheat Sheet

No comments:

Post a Comment