When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.
13. OWTF TECH SPECS
Python 2.7
PostgreSQL database backend
Runs on Linux (Kali 1.x/2.x)
Functions & options exposed via REST API
14. UNDER THE HOOD
curl (https://curl.haxx.se/)
Arachni (http://www.arachni-scanner.com/)
w3af (http://w3af.org/)
skipfish (https://github.com/spinkham/skipfish)
DirBuster (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)
15. A “FEW” ADDITIONAL TOOLS
CMS Explorer
DNSpider
DNS Recon
Hoppy
HTTPrint
HashCollision
O-Saft
Panoptic
SET
SSL Labs
SSL Cipher Check
WPScan
Slowloris
HTTP Traceroute
Hydra
Metagoofil
Metasploit
Nmap
Nikto
16. TEST SEPARATION BY PLUGIN
Passive: No traffic goes to the target
Semi-passive: Normal traffic to the target
Active: Direct vulnerability probing
24. UNDERSTANDING PLUGINS
Three (3) additional types
WEB (active, external, grep, passive, semi-passive)
NET (active, bruteforce)
AUX (se, exploit, etc.)
Spend some time skimming the OWASP Testing Guide for a better understanding of plugin mappings/identifiers
25. ANALYZING RESULTS
Organized by plugin + criticality
Mapping code (e.g., OWTF-CM-008)
Mapping name (e.g., HTTP Methods and XST)
Pen test context (e.g., PUT,TRACE,WebDAV)
HTTP Request & Response
Browse button takes you to the output files generated during the test (if available)
29. MANAGING WORKERS
Scanner process
PID
Target
Plugin
Type
Group
Pause, resume, & abort individual workers
Maximum of one plugin per target will be running at any moment in time
30. MANAGING WORKLISTS
One worklist contains one or more workers
Columns
Time estimate
Target
Plugin Group
Plugin Type
Plugin Name
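To show how the passive / semi-passive / active separation from slide 16, the plugin groups from slide 24 and the worklist columns above fit together, here is an added example (not OWTF's own code) that builds a worklist for one target while admitting only plugin types whose traffic profile suits the environment being tested. The environment names, the dict field names, the underscore form of `semi_passive`, and the treatment of `external` and `grep` plugins as traffic-free are assumptions; the sample plugin entries are constructed, and only OWTF-CM-008 is a code taken from the slides.

```python
"""Build an OWTF-style worklist for a QA pipeline, scheduling only plugin
types whose traffic profile is acceptable for the target environment."""

# Traffic profile per plugin type, after the "test separation" slide.
# Assumption: external and grep plugins send no requests of their own (they
# link to outside resources or re-analyse captured transactions).
NO_TRAFFIC = {"passive", "external", "grep"}
NORMAL_TRAFFIC = {"semi_passive"}
PROBING = {"active"}
# Never auto-scheduled: brute forcing and the aux group (social engineering,
# exploitation) need a human decision regardless of environment.
MANUAL_ONLY = {"bruteforce", "se", "exploit"}

POLICY = {                                            # assumed environment names
    "prod": NO_TRAFFIC,                               # observe only
    "staging": NO_TRAFFIC | NORMAL_TRAFFIC,           # ordinary requests allowed
    "qa": NO_TRAFFIC | NORMAL_TRAFFIC | PROBING,      # direct vulnerability probing
}

def allowed_types(env):
    """Plugin types the pipeline may schedule against environment `env`."""
    if env not in POLICY:
        raise ValueError("unknown environment: %s" % env)
    return POLICY[env] - MANUAL_ONLY

def build_worklist(target, env, plugins, only_codes=None):
    """Return worklist rows (target, group, type, name, code) in plugin order.

    `only_codes` mirrors the UI filter (every plugin mapped to a given
    OWASP Testing Guide code); None means all policy-compliant plugins."""
    permitted = allowed_types(env)
    rows = []
    for p in plugins:
        if p["type"] not in permitted:
            continue
        if only_codes and p["code"] not in only_codes:
            continue
        rows.append((target, p["group"], p["type"], p["name"], p["code"]))
    return rows

# Constructed sample entries; OWTF-XX-* codes are placeholders in the same shape.
SAMPLE_PLUGINS = [
    {"group": "web", "type": "passive", "code": "OWTF-CM-008", "name": "HTTP Methods and XST"},
    {"group": "web", "type": "active", "code": "OWTF-CM-008", "name": "HTTP Methods and XST"},
    {"group": "web", "type": "semi_passive", "code": "OWTF-XX-001", "name": "Placeholder TLS check"},
    {"group": "web", "type": "external", "code": "OWTF-XX-002", "name": "Placeholder external link"},
    {"group": "net", "type": "bruteforce", "code": "OWTF-XX-003", "name": "Placeholder brute force"},
    {"group": "aux", "type": "exploit", "code": "OWTF-XX-004", "name": "Placeholder exploit"},
]

if __name__ == "__main__":
    for row in build_worklist("http://qa.example.test", "qa", SAMPLE_PLUGINS):
        print(row)
```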
32. LET’S TALK WORKFLOW (AGAIN)
Add your target
Run your plugins
Analyze the scan results
Copy commands from web UI to CLI
Run command line tools
Analyze the results from the CLI tools
Add notes via the web UI
Generate (export) your report
33. TEST SSL/TLS CONFIG
Filter on ssl (or tls; same results)
Four (4) tests
Output saved to
/pentest_folder/owtf_review/…
34. TEST FOR XSS
Filter on cross site scripting (6 tests)
Also, cross site flashing
DOM-based, reflected, & stored
35. TEST FOR INJECTION FLAWS
Filter on injection (12 tests)
Why stop at SQLi?
SMTP
Code
Command
LDAP
XML
XPath
38. QUICK TIPS
You’ll need to install w3af in Kali
git clone https://github.com/andresriancho/w3af.git
cd w3af
easy_install --upgrade pip
Install the dependencies (w3af generates an install script in the temp dir)
My UX has been a little buggy
Occasional HTTP 500 error (including first run)
Steer clear of the Default Session
Multiple runs against the same app may overwrite previous scan data
Contribute to the project!
39. YOUR HOMEWORK – TRIAL RUN
Study up on the OWASP Testing Guide
Identify the tests that are relevant to your app(s)
Run your first set of OWTF plugins
Validate and/or expand findings via command line
Add your comments and export your first OWTF report
Feed report findings into bug tracking system
Fix all the things!