Sunday, 25 August 2013

AppSec EU: OWASP OWTF Summer Storm slides, demos and Plug-n-Hack support!

UPDATE 04/09/2013: Added link to AppSec EU video
UPDATE 26/08/2013: Added Plug-n-Hack support link.

OWASP AppSec EU 2013 and HackPra AllStars were both a blast this week:

I would like to use this opportunity to let you know that:
  1. OWASP OWTF is always actively looking for contributors, bug reports / ideas.
  2. The slides for the OWASP OWTF Summer Storm talks last week are now online here.
  3. OWASP OWTF supports the Plug-n-Hack mozilla standard now.

The demos, research and prototypes are all linked from the relevant slides within the presentation above.

NOTE: You can now see the OWASP OWTF Summer Storm AppSec EU video here.
NOTE 2: All AppSec EU + HackPra AllStars videos are here!

The slides were used at OWASP AppSec EU in:

You can find members of the OWTF team on our:

Monday, 12 August 2013

OWTF 0.30 "Summer Storm II" released! plz RT!

IMPORTANT NOTE: Some of the new features require the "--dev" flag; please report any issues you find on our GitHub page. Thanks!

This is another very significant release, which includes the continued outstanding work of the following Google Summer of Code projects:

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)

OWASP OWTF - Multiprocessing by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)

OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)
  • Project Plan document <-- FEEDBACK Welcome!
  • The prototypes and voting poll will become public on Thursday this week, stay tuned :)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused attempt to unite great tools and make pen testing more efficient @owtfp
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF would just not be possible without all the people that contributed in one way or another. All contributors to date got a T-shirt this year, to all of you: Thank you!

(Picture above is courtesy of @an_animal. Thanks!)

Change log since OWTF 0.20 "Summer Storm I" (Full change log is here):

09/08/2013 - 0.30 "Summer Storm II" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.
+ Extracting the HTML generated by the reporting system from Python modules into independent Jinja2 template files <==> Assem Chelli (@assem-ch)
+ Added some features to the Testing Framework. Added tests that cover approximately 45% of the code of the OWTF Framework. <==> Alessandro Fanio Gonzalez (@alessandrofg)
+ Added support for test coverage reports and test logs in HTML. <==> Alessandro Fanio Gonzalez (@alessandrofg)
+ Spawning multiple processes on a per-target basis, and handling the input to and stopping of those processes <==> Ankush Jindal (@ankushjindal278)
+ Centralized logging function <==> Ankush Jindal (@ankushjindal278)
+ Generic messaging system with separate push and pull facilities, and a database handler that uses messaging for DB transactions under multiprocessing <==> Ankush Jindal (@ankushjindal278)
+ Draft inbound proxy replaced by a new inbound proxy <==> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy can cache and save transactions <==> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy supports cookie filters <==> Bharadwaj Machiraju (@tunnelshade)
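The last three change-log entries (a caching inbound proxy with cookie filters) are easier to reason about with a concrete sketch of what such a cache has to do. The following is an added example written for this page; it is not OWTF's proxy code and does not reflect its actual design. Everything in it is an assumption: that a transaction is keyed by method, URL, body and the request cookies that survive a filter; that the filter drops session-style cookie names (PHPSESSID, JSESSIONID, sid) so two sessions fetching the same page share one cached response; and the hostname target.example and the sample traffic, which are constructed for the demo.

```python
"""Core of a caching intercepting proxy with a cookie filter.

Added example, not OWTF's own code. Design choices below are assumptions:
a transaction is identified by method, URL, body and the request cookies
that survive the filter, so requests differing only in a filtered cookie
(e.g. a session id) map to the same cached response.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Transaction:
    """One proxied request/response pair as a caching proxy would save it."""
    method: str
    url: str
    request_headers: Dict[str, str]
    request_body: bytes
    status: int
    response_headers: Dict[str, str]
    response_body: bytes


def filter_cookies(cookie_header: str, blocked: frozenset) -> str:
    """Remove cookies whose names are in `blocked`, keeping the rest in order.

    Works on a request-side Cookie header ("a=1; b=2"), which carries no
    attributes, so a plain split is sufficient.
    """
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name = part.split("=", 1)[0].strip()
        if name not in blocked:
            kept.append(part)
    return "; ".join(kept)


def cache_key(method: str, url: str, headers: Dict[str, str], body: bytes,
              blocked_cookies: frozenset) -> str:
    """Stable key for a request; filtered cookies do not influence it."""
    cookies = filter_cookies(headers.get("Cookie", ""), blocked_cookies)
    h = hashlib.sha256()
    for piece in (method.upper(), url, cookies):
        h.update(piece.encode("utf-8"))
        h.update(b"\x00")  # separator so field boundaries cannot collide
    h.update(body)
    return h.hexdigest()


class TransactionCache:
    """In-memory transaction store, keyed by the filtered request."""

    # Assumed default filter: session cookies that change per login.
    def __init__(self, blocked_cookies=("PHPSESSID", "JSESSIONID", "sid")):
        self.blocked = frozenset(blocked_cookies)
        self._store: Dict[str, Transaction] = {}
        self.hits = 0
        self.misses = 0

    def lookup(self, method: str, url: str, headers: Dict[str, str],
               body: bytes = b"") -> Optional[Transaction]:
        key = cache_key(method, url, headers, body, self.blocked)
        tx = self._store.get(key)
        if tx is None:
            self.misses += 1
        else:
            self.hits += 1
        return tx

    def save(self, tx: Transaction) -> str:
        key = cache_key(tx.method, tx.url, tx.request_headers,
                        tx.request_body, self.blocked)
        self._store[key] = tx
        return key

    def __len__(self) -> int:
        return len(self._store)


def demo() -> Tuple[int, int, int]:
    """Replay constructed traffic; returns (entries, hits, misses)."""
    cache = TransactionCache()
    url = "http://target.example/account"  # constructed target
    first = Transaction("GET", url, {"Cookie": "sid=111; lang=en"}, b"",
                        200, {"Content-Type": "text/html"}, b"<html>account</html>")
    cache.save(first)
    # Second session, same page: only the filtered sid differs -> cache hit.
    cache.lookup("GET", url, {"Cookie": "sid=222; lang=en"})
    # A non-filtered cookie differs (lang may change the response) -> miss.
    cache.lookup("GET", url, {"Cookie": "sid=222; lang=de"})
    # Same URL but a POST with a body -> miss.
    cache.lookup("POST", url, {"Cookie": "sid=111; lang=en"}, b"name=x")
    return len(cache), cache.hits, cache.misses


if __name__ == "__main__":
    print(demo())
```

The point of filtering cookies out of the key, rather than out of the forwarded request, is that the proxy still sends the real session cookie upstream; the filter only decides which cookies count towards "the same transaction" when deciding whether a response can be replayed from cache. Cookies that legitimately change the response (here `lang`) must stay in the key or the cache will serve wrong content.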