Saturday, 7 May 2016

OWTF 2.0a "Tikka Masala" released, plz RT!

It has been a long wait, but finally, OWTF 2.0a "Tikka Masala" is here!
Although partly a tribute to delicious Indian food, this release is especially dedicated to all those hard working Indian contributors who have continously demonstrated their passion, professionalism, brainpower and incredible performance, without which OWTF would not be the awesome tool it is today. This release is named after all of you, thank you!
IMPORTANT: Migrating from 1.0.1 to 2.0a includes breaking changes and requires a complete DB clean and initialisation - use the installer and the script scripts/db_setup.sh to do that. If you are already on the develop branch , you can directly pull the latest changes.
Therefore, if you are coming from an old OWTF version, please run the following commands after downloading OWTF 2.0:
WARNING: This will delete everything in your OWTF database!
  1. bash scripts/db_setup.sh clean
  2. bash scripts/db_setup.sh init

New to OWTF? No problem!

Get it here :)

Release Notes

This release includes many new features and countless bug fixes. This release would not have been possible without the help of a number of pre-GSoC contributors, mentors, and everybody who sent us cool ideas, feedback or reported bugs. In particular, this release is dedicated to our Indian contributors without whom this release would not have been possible. As a wrapper tool that depends on many tools, migration from Kali 1.x to Kali 2.x was a little bumpy: this road saw more bugs fixes/reports from new contributors and users, occasional feature requests and countless fixes (that were long due) which made this release possible.
Important Features and fixes
  • Kali 2.x support
  • Functional tests suite included => build passing(!)
  • Progress bar added to the web interface
  • HTTPrint signatures updated
  • Updated CMS Explorer lists
  • Minimal auxiliary plugin support added back
  • SSL Labs API integration
  • Resolves SQLAlchemy deadlock and improved proxy handling
  • Fixes all Metasploit plugin functionality
  • General UI improvements
  • CWE and OWASP Top 10 mappings
  • Improved worker UI controls = adds Pause All, Resume All functionality
  • Supports Debian-based distributions
  • Target manager UI improvements = bulk delete/remove

Implemented enhancements:
  • xxx_testgroups.cfg should be moved to /profiles #670
  • OWTF takes few steps to start #638
  • Session Modal breaks for large session names #635
  • Check for tools before running commands #632
  • Adding Issue and Pull Request templates #599
  • Debian and Samurai install scripts are not executable. #573
  • Increase readability of manual installation output on terminal. #564
  • Installer Issues #534
  • Passive google searches should use @@@domain@@@ instead of @@@host_path@@@ #529
  • Increase proxy CA security #526
  • Add https://censys.io/ to the passive search #523
  • install/install.py skip sudo password #519
  • Using a remote server #510
  • potential command to add to the install scripts (develop branch) #473
  • Timestamps not present in transaction log #472
  • Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467
  • External XSS plugin resource: XSS Payloads #466
  • What is the hurdle in doing passive scan's #464
  • Rank should collapse the plugin, at least in some cases #459
  • Suggested improvements for the transaction log #458
  • Integration with punk spider for passive tests #457
  • Clean up colours from various tools prior to saving it in a file #456
  • Export targets feature (UI) #454
  • Lack of filters on target page (UI) #453
  • Improve curl commands #446
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Add “Pause All / Resume All” to the worker monitoring #440
  • Review OWTF CPU usage post-DirBuster #437
  • Smarter Runner #430
  • Unable to “delete all” from worklist on UI #427
  • OWTF should check if postgresql client is installed as well #413
  • External Command Injection plugin link #412
  • Mobile responsive #406
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • Settings > HTTP AUTH #369
  • Setup gemnasium #358
  • Worklist search boxes should not be case sensitive #355
  • Automated Bug reporter improvement #352
  • Possible improvement for the UI worker buttons #350
  • Minor intuitiveness improvements #349
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Issues on Ubuntu #334
  • OWTF should check if postgres is running #311
  • [zest] Updating the zest jars #293
  • [wapiti] HTML report is not available anymore #287
  • Moving external plugin reports away from targets subreports #111
  • Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108
  • filter by severity feature added #576 (saganshul)
Fixed bugs
  • PostgreSQL Fix in db_setup.sh should use SHOW config_file; #669
  • PostgreSQL Fix in db_setup.sh restarts postgresql daemon in any case #668
  • ConfigDB silently fails when default.cfg not found #666
  • Bash 'which' error in db_setup.sh script #662
  • Improper Set-Cookie header handling in proxy #582
  • Same rank cannot be given to a plugin twice #570
  • Listing plugins option (-l) not working #556
  • Plugin Filter Display not working properly #547
  • Proxy errors (silent) in logs #528
  • Workers do not pick items from worklist #527
  • Unable to open directory from browser #525
  • Error calling make_dirs when a long URL is passed #521
  • [develop] plugin getting stuck stops the whole scan... #515
  • Getting error while running plugins. Error "Oops! Server replied: Bad Request" #481
  • The grep stats for header matche percent are incorrect #470
  • UI doesn't cope with multiple simultaneous tabs / actions? :P #455
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Bug - "Ops unable to add some targets” #443
  • BUG in “Testing For Ssl-Tls” plugin in latest Kali #442
  • Directory Brute-forcing should be towards the end of the scan #441
  • postgres “idle in transaction” processes occasionally spike CPU usage #438
  • Ocassional Crash after running skipfish #435
  • Occassional failure to close children processes #434
  • Target shuffling #433
  • Bug in MiTM proxy Cookie parser #428
  • Unreasonable use of CPU/memory by postgres / owtf processes #426
  • Nikto plugin not realising when nikto has finished #422
  • bootstrap.sh Fails while Installing in Kali #416
  • ValueError when OWTF is run without postgresql properly configured #414
  • OWTF should check if postgresql client is installed as well #413
  • Add target UI issue #405
  • OWTF-DV-004 semi passive no output #404
  • Transaction Logger Bug #403
  • Adding a Target Issue #402
  • [develop] User overriding the 2nd plugin of a test case to Passing won't update the test case #400
  • Create Zest Script Error #383