OWTF - Web Testing Framework - Linux
On Saturday, 11 Feb 2012, in topic 'Pentest'
Features
--------
- OWASP Testing Guide-oriented: owtf will try to classify the findings as closely as possible to the OWASP Testing Guide
- Report updated on the fly: As soon as each plugin finishes or sometimes before (i.e. after each vulnerability scanner finishes)
- "Scumbag spidering": Instead of implementing yet another spider (a hard job), owtf will scrub the output of all tools/plugins run to gather as many URLs as possible. This is somewhat "cheating" but tremendously effective since it combines the results of different tools, including several tools that perform brute forcing of files and directories.
- Resilience: If one tool crashes owtf will move on to the next tool/test, saving the partial output of the tool until it crashed
- Easy to configure: config files are easy to read and modify
- Easy to run: No strange parameters, DB setup requirements, libraries, complex dependencies, etc
- Full control of what tests to run, interactivity and hopefully easy to follow examples and help :)
- Easy to review: the transaction log and the URL lists are plain text files, simple to use from scripts
- Basic Google Hacking without (annoying) API key requirements via "blanket searches": a bunch of search operators is tried at once, and you can then narrow the search down if you find something interesting.
- Easy to extract data from the database to parse or pass to other tools: They are all text files
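The "scumbag spidering" idea above (harvest URLs from whatever the other tools printed, instead of crawling yourself) is simple enough to show in a few lines. The following is an added illustration, not code from OWTF: it scrubs URLs out of free-form tool output, merges and deduplicates them across tools, and keeps only URLs on hosts that are in scope, which is the check you want before feeding the list to anything else. The tool names, the sample output lines and the host `target.example` are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample output from two hypothetical tools (not real OWTF or tool output).
TOOL_OUTPUTS = {
    "dir-bruteforcer": """\
Found: http://target.example/admin/ (200)
Found: http://target.example/backup.zip (403)
Found: http://target.example/admin/ (200)
""",
    "vuln-scanner": """\
[+] Testing https://target.example/login?next=/home
[+] Reference: https://owasp.org/www-project-web-security-testing-guide/
[-] Unreachable: http://cdn.other.example/app.js
""",
}

# Anything that looks like an http(s) URL, stopping at whitespace or common delimiters.
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")


def scrub_urls(text):
    """Return the URLs found in free-form tool output, deduplicated, in first-seen order."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # trailing punctuation is part of the sentence, not the URL
        if url not in found:
            found.append(url)
    return found


def in_scope(url, scope_hosts):
    """True if the URL's host is one of the agreed in-scope hosts."""
    host = urlparse(url).hostname or ""
    return host in scope_hosts


def gather(outputs, scope_hosts):
    """Merge scrubbed URLs from every tool's output, dropping out-of-scope hosts.

    Returns {url: set of tool names that reported it}, so a URL seen by several
    tools can be prioritised and references to third-party sites never end up
    in the list that is passed on to the next tool.
    """
    merged = {}
    for tool, text in outputs.items():
        for url in scrub_urls(text):
            if in_scope(url, scope_hosts):
                merged.setdefault(url, set()).add(tool)
    return merged


if __name__ == "__main__":
    for url, tools in gather(TOOL_OUTPUTS, {"target.example"}).items():
        print(url, sorted(tools))
```

The scope filter is the part worth keeping even if the rest is replaced: tool output routinely contains links to vendor pages, reference material and CDNs, and without the filter those get mixed into the target's URL list.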
Download
--------
https://github.com/7a/owtf/tree/master/releases

Configuration files
-------------------
- General configuration (tool locations, icons for review, default settings, etc.):
  owtf_dir/profiles/general/default.cfg
- Defines how tools will be run, plus external links to useful resources and online tools:
  owtf_dir/profiles/resources/default.cfg
- Defines the order in which web plugins will be run:
  owtf_dir/profiles/web_plugin_order/default.cfg
- Internal framework configuration:
  owtf_dir/framework/config/framework_config.cfg