Sunday, 5 October 2014

OWTF 1.0 "Lionheart" released!

UPDATE: 10/10/2014 - Added link to OWTF 1.0 "Lionheart": Automated Rankings

OWTF 1.0 "Lionheart" (beta) is dedicated to everybody that helped make this challenging release happen, in particular to the courage of all this people, who overcame their sweat, blood and tears to make OWTF the amazing tool it is now, to all of you, thank you!

We would like to take this opportunity to thank all contributors, mentors, everybody who sent us cool ideas, feedback or reported bugs, you all played a role in making OWTF be what is is now, many thanks to you all!.

Some links:

OWTF 1.0 “Lionheart” (beta) is our biggest release ever, this contains many cool projects implemented by many , so, in no particular order, here is a quick overview of the new major features! :)


NOTE: For a more detailed explanation please see OWTF 1.0 "Lionheart": Automated Rankings

When testing a bunch of web applications, OWTF will append the ranking associated with each target for an easy quick overview.



More information can be retrieved when accessing to one specific target report. Here, OWTF uses labels and color codes to help the user reviewing the results.mixed_risks3.png

Sexy Web UI + REST API + Database by Bharadwaj Machiraju






  • OWTF now features a Web UI from where you can run scans, plugins, etc.
  • RESTful API to send commands to OWTF!
  • Highly performant postgres database






  • Interactively send HTTP requests to a target
  • Record and play Zest scripts
  • Pass interesting HTTP requests to ZAP using the ZAP API



  • WAF bypasser by Marios Kourtesis

    Detecting blocked characters and searching for bypasses:
    Fuzzing with XSS payloads:



    OWASP OWTF - State Improvements by Viyat Bhalodia








    Improved Plug-n-hack support by Punga Cornel

    Plug-n-Hack is a proposed Mozilla standard.
    Now OWTF supports Plug-n-Hackv2, which allows you to intercept, change and fuzz client side messages!


    configuration page (nightly version).png


    configuration commands to injected probe.png



    monitor events message.png


    Online passive scanner, Boilerplate templates and Flexible Mappings by Anirudh Anand



    • Online Boilerplate templates: Easy to copy-paste stuff into your pentest reports (i.e. mitigation, etc.)
    • Passive Online scanner: Try some of the OWTF passive tests without installing anything! :)
    • Flexible mappings: OWTF will now let you view plugins by OWASP Top 10, OWASP Testing Guide v4, OWASP Testing Guide v3 and even NIST! :)

    demo.jpg