Slide 1

OWASP OWTF - Bharadwaj `tunnelshade` Machiraju

Slide 2

I am
• a security tool developer (recent tool: Flashbang)
• a restless 20 year old from India
• a senior at IIT (BHU), Varanasi (doing B.Tech)
• an employee @ _____ (Your company name can be here)

Slide 3

Content of upcoming slides
• OWTF! - Why? What? How?
• User Interface
• Plugins & Control
• Inbound Proxy
• Transaction & URL log
• Notes & Ranking
• Advanced Filter
• Demo

Slide 4

Why another Web Testing Framework?

Slide 5

Pentester Requirements (at least the OWTF dev team's requirements)
• Automate the uncreative part of pentests, like trying to remember how to launch tool 'X' or how to parse the output of tool 'X' and feed it to tool 'Y'.
• Organise the findings according to a testing guide (OWASP, NIST, etc.) so that the guide can be used as a checklist.
• Classify tests by aggression level, so the tester can prepare ahead of time.
• Provide the ability to rank findings, to enable targeted fuzzing of seemingly risky areas.
• Analyse each and every HTTP transaction and make them searchable.
• Spider the site effectively, so as not to miss anything.
• Act as a store of all useful online tools, dorks, PoCs & resources.
• Free & Open Source (Indians love free stuff)
• Allow us to think and not get in our way <— XD

Slide 7

What is OWTF?
Offensive Web Testing Framework = Test/Exploit ASAP
• Started by Abraham Aranguren
• First demonstrated at BerlinSides 2011
Formally: a framework which presents all the information from different tools and custom tests in an organised and categorised way, to help the user concentrate on the analysis part.

Slide 8

How?
Run Tools
• theHarvester
• Nikto
• Arachni
• w3af etc.
Run Tests directly
• Crafted requests
• Header searches
• HTML body searches etc.
Knowledge Repo
• PoC links
• Resource links
• Test guide mappings
Help User Analysis
• Automated ranking
• User notes
• User rankings

Slide 10

Features

Slide 11

Web Interface

Slide 12

Plugin classification
Plugins are separated into multiple groups and types for better test classification.
WEB (web related stuff)
• Active - active vulnerability probing
• Semi Passive - normal-looking traffic to the target
• Passive - no traffic to the target
• Grep - searches on the transaction database
• External - other tool inputs, PoCs, resource links etc.
NET (somewhat like nmap scripts)
AUX (somewhat like msfcli in Metasploit)

Slide 14

Plugin Execution Control
Plugins are executed by processes called workers, which can be paused, resumed, aborted, added and removed. This lets you handle deadly, unwanted disturbances like an internet outage or a downed target without throwing the run away.
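
The following is an added example (not OWTF's own worker implementation) of the control model this slide describes: a pool of workers that pull plugins from a queue and can be paused, resumed, aborted, added and removed while work is still queued. Worker, WorkerManager and the Plugin objects are assumptions made for the example; the slide's workers are processes, whereas this uses threads and events to keep it self-contained.

```python
"""Added example (not OWTF's code): a worker pool whose workers can be paused,
resumed, aborted, added and removed while plugins are queued. The Plugin class
and the plugin bodies are constructed for the example."""
import queue
import threading
import time


class Plugin:
    """One unit of work; in OWTF this would be one plugin run against a target."""

    def __init__(self, name, func):
        self.name = name
        self.func = func

    def run(self):
        return self.func()


class Worker(threading.Thread):
    """Pulls plugins off a shared queue. state is running, paused or aborted."""

    def __init__(self, name, work_queue, results):
        super().__init__(name=name, daemon=True)
        self.work_queue = work_queue
        self.results = results
        self.state = "running"
        self._run_flag = threading.Event()   # cleared -> the worker parks itself
        self._run_flag.set()
        self._abort = threading.Event()

    def pause(self):
        self._run_flag.clear()

    def resume(self):
        self._run_flag.set()

    def abort(self):
        # Wake a parked worker as well, so it notices the abort and exits.
        self._abort.set()
        self._run_flag.set()

    def run(self):
        while not self._abort.is_set():
            if not self._run_flag.is_set():
                self.state = "paused"
                self._run_flag.wait()        # blocks until resume() or abort()
                continue
            self.state = "running"
            try:
                plugin = self.work_queue.get(timeout=0.05)
            except queue.Empty:
                continue                     # nothing queued; re-check the flags
            try:
                self.results[plugin.name] = plugin.run()
            except Exception as exc:         # a crashing plugin must not kill the worker
                self.results[plugin.name] = exc
            finally:
                self.work_queue.task_done()
        self.state = "aborted"


class WorkerManager:
    """Add/remove workers and pause/resume all of them, e.g. while the target is down."""

    def __init__(self):
        self.queue = queue.Queue()
        self.results = {}
        self.workers = []

    def add_worker(self):
        worker = Worker(f"worker-{len(self.workers) + 1}", self.queue, self.results)
        worker.start()
        self.workers.append(worker)
        return worker

    def remove_worker(self, worker):
        worker.abort()
        worker.join()
        self.workers.remove(worker)

    def submit(self, plugin):
        self.queue.put(plugin)

    def pause_all(self):
        for w in self.workers:
            w.pause()
        # Return only once every live worker has parked, so nothing more is
        # taken from the queue until resume_all().
        while any(w.is_alive() and w.state != "paused" for w in self.workers):
            time.sleep(0.01)

    def resume_all(self):
        for w in self.workers:
            w.resume()

    def wait(self):
        """Block until every submitted plugin has been processed."""
        self.queue.join()
```

A worker cannot interrupt the plugin it is executing, so pause and abort take effect between plugins; that is also why pause_all() waits until every worker has actually parked before returning. A plugin that raises is recorded as a failure rather than taking the worker down with it.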

Slide 15

Inbound Proxy
OWTF has its own proxy, which was benchmarked last year as the fastest MitM Python proxy. The user can point a browser or any other tool at it. Most of the tools launched by OWTF are proxied through it (e.g. Arachni, w3af, custom requests, etc.), so all the transactions made by the scanners are logged and analysed.

Slide 16

Transaction Log
The place from which you can search each and every transaction that passed through the OWTF proxy.
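
An added example (not OWTF's code) of the transaction log described here and of the Grep plugin type from the plugin classification slide: the proxy writes every request/response pair into a database, and a Grep plugin searches that database instead of sending anything to the target. The schema, the helper names and the three logged transactions are constructed for the example.

```python
"""Added example (not OWTF's code): a transaction log in the spirit of the one
OWTF's inbound proxy feeds, plus Grep-type checks that inspect the log instead
of generating traffic. All transactions below are constructed."""
import re
import sqlite3
from dataclasses import dataclass

COLUMNS = ("url", "method", "request_headers", "response_code",
           "response_headers", "response_body")


@dataclass
class Transaction:
    url: str
    method: str
    request_headers: str
    response_code: int
    response_headers: str
    response_body: str


class TransactionLog:
    """Every request/response pair that passed through the proxy, searchable."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE transactions (id INTEGER PRIMARY KEY, url TEXT, "
            "method TEXT, request_headers TEXT, response_code INTEGER, "
            "response_headers TEXT, response_body TEXT)")

    def log(self, t):
        self.db.execute(
            "INSERT INTO transactions (%s) VALUES (?, ?, ?, ?, ?, ?)" % ", ".join(COLUMNS),
            tuple(getattr(t, c) for c in COLUMNS))
        self.db.commit()

    def search(self, pattern, field="response_body"):
        """URLs of the transactions whose field matches the regex (case-insensitive)."""
        if field not in COLUMNS:   # the column name is interpolated, so allow-list it
            raise ValueError(f"unknown field {field!r}")
        rx = re.compile(pattern, re.IGNORECASE)
        rows = self.db.execute(f"SELECT url, {field} FROM transactions")
        return [url for url, value in rows if rx.search(str(value))]

    def all(self):
        rows = self.db.execute("SELECT %s FROM transactions" % ", ".join(COLUMNS))
        return [Transaction(*row) for row in rows]


def grep_security_headers(log, required=("X-Frame-Options", "Strict-Transport-Security")):
    """Grep-type check: which logged URLs lack each required response header.
    It reads only the log, so it sends no traffic to the target."""
    missing = {h: [] for h in required}
    for t in log.all():
        present = {line.split(":", 1)[0].strip().lower()
                   for line in t.response_headers.splitlines() if ":" in line}
        for h in required:
            if h.lower() not in present:
                missing[h].append(t.url)
    return missing


def grep_server_banners(log):
    """Distinct Server: banner values seen in responses (version disclosure)."""
    banners = set()
    for t in log.all():
        m = re.search(r"^Server:\s*(.+)$", t.response_headers, re.I | re.M)
        if m:
            banners.add(m.group(1).strip())
    return sorted(banners)


def build_sample_log():
    """Three constructed transactions, not captured traffic."""
    log = TransactionLog()
    log.log(Transaction("http://target.example/", "GET", "Host: target.example",
                        200, "Server: Apache/2.2.22\r\nX-Frame-Options: DENY",
                        "<html>welcome</html>"))
    log.log(Transaction("http://target.example/login", "POST",
                        "Host: target.example\r\nContent-Type: application/x-www-form-urlencoded",
                        200, "Server: Apache/2.2.22\r\nSet-Cookie: sid=abc; HttpOnly",
                        "<form>password incorrect</form>"))
    log.log(Transaction("https://target.example/api/users", "GET", "Host: target.example",
                        200, "Content-Type: application/json\r\n"
                             "Strict-Transport-Security: max-age=31536000",
                        '[{"user":"alice"}]'))
    return log
```

The search field is allow-listed against COLUMNS because the column name has to be interpolated into the SQL; only the pattern is matched in Python, so the log itself is never a second injection surface.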

Slide 18

URL Log
OWTF scrapes the output of every tool/plugin run to gather as many URLs as possible. This is somewhat "cheating", but tremendously effective, since it combines the results of different tools, including several that brute force files and directories.
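
An added example (not OWTF's own URL log) of the scraping described above: pull URLs and bare paths out of each tool's text output, normalise them so the same resource is counted once, drop anything outside the target's scope and merge the harvest of several tools. The tool outputs are constructed and only imitate the style of a scanner, a brute-forcer and a crawler; target.example and the two regexes are assumptions.

```python
"""Added example (not OWTF's code): harvesting in-scope URLs from the text
output of several tools. The outputs below are constructed, not real formats."""
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Absolute URLs, stopping at whitespace, quotes and brackets.
ABS_URL = re.compile(r"""https?://[^\s"'<>()\[\]]+""")
# Bare absolute paths such as "/admin/" that brute-forcers print. The lookbehind
# stops this from re-matching the path part of an absolute URL.
BARE_PATH = re.compile(r"(?<![\w./:-])(/[\w.~/-]*)")


def normalize(url):
    """Canonical form so one resource is logged once: lower-case host,
    default port dropped, fragment dropped, trailing punctuation trimmed."""
    parts = urlsplit(url.rstrip(".,;:'\")"))
    netloc = parts.netloc.lower()
    if (parts.scheme == "http" and netloc.endswith(":80")) or \
            (parts.scheme == "https" and netloc.endswith(":443")):
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def scrub_urls(tool_output, target):
    """Every in-scope URL mentioned anywhere in one tool's output, in order of
    first appearance. Out-of-scope hosts (CDNs, third parties) are dropped."""
    base = normalize(target)
    in_scope_host = urlsplit(base).netloc
    found = []
    for line in tool_output.splitlines():
        candidates = ABS_URL.findall(line)
        candidates += [urljoin(base, p) for p in BARE_PATH.findall(line)]
        for candidate in candidates:
            url = normalize(candidate)
            if urlsplit(url).netloc != in_scope_host:
                continue
            if url not in found:
                found.append(url)
    return found


def merge_url_logs(outputs, target):
    """Combine the harvest of several tools (the 'cheating' the slide mentions):
    each tool sees part of the site, together they see more of it."""
    merged = []
    for tool_output in outputs.values():
        for url in scrub_urls(tool_output, target):
            if url not in merged:
                merged.append(url)
    return merged


# Constructed outputs in the style of a scanner, a directory brute-forcer and a crawler.
SAMPLE_OUTPUTS = {
    "scanner": "+ /admin/: Directory indexing found.\n"
               "+ /robots.txt: contains 2 entries which should be manually viewed.\n",
    "bruteforcer": "==> DIRECTORY: http://target.example/backup/\n"
                   "+ http://target.example:80/login.php (CODE:200|SIZE:1823)\n",
    "crawler": "[*] http://TARGET.example/login.php#form\n"
               "[*] http://cdn.other.example/jquery.js\n"
               "[*] https://target.example/api/v1/users?id=1\n",
}
```

The scope check is deliberately a plain host comparison: anything the tools mention on another host is left out rather than spidered, which is what keeps a "scrape everything" approach from wandering off the authorised target.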

Slide 19

Plugin Reports
Plugin reports are categorised according to their test codes, along with the pentester's explanations.

Slide 20

Notes & Ranking
A plugin report lets you write down notes and add your own analysis ranking to it. Some tool outputs are ranked automatically using PTP, an automated ranking library developed for OWTF during GSoC 2014. This helps you find risky areas quickly.

Slide 21

Advanced Filter
Filter the plugin outputs on various criteria, with the facility to change the mapping of test codes. OWASP v3, OWASP v4 and NIST mappings are present by default; it is easy to add your own.

Slide 22

http://youtu.be/Z3D1r755Wik

Slide 23

OWTF WAF-bypasser & Botnet Mode - Marios Kourtesis

Slide 24

whoami
name.surname[at]gmail[dot]com
• OWASP OWTF Contributor
• Author of Botnet Mode and WAF-bypasser

Slide 25

Botnet Mode
Allows the user to simulate a botnet attack: traffic to the target is generated from other hosts located all over the world.

Slide 26

How does it work?
Proxy-Switching
• Each HTTP request passes through a different proxy.
• Proxies are fetched automatically by a feature called ProxyMiner.
Tor-Mode
• Each HTTP request passes through the Tor network.
• After a user-defined time interval, the IP address is renewed.
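
An added example (not the Botnet Mode implementation) of the two mechanisms named on this slide: a proxy switcher that sends each request through the next proxy in a pool, and a Tor mode that renews the circuit over Tor's control port once a user-defined interval has elapsed. The proxy list, the control port 127.0.0.1:9051, and the assumption that an HTTP proxy such as Privoxy or Tor's HTTPTunnelPort fronts the SOCKS port (urllib cannot speak SOCKS) are assumptions; a constructed list stands in for ProxyMiner. Nothing touches the network unless fetch() or renew_identity() is called.

```python
"""Added example (not OWTF's Botnet Mode): per-request proxy rotation and
Tor identity renewal. Proxy pool and Tor settings are assumptions."""
import itertools
import socket
import time
import urllib.request


class ProxySwitcher:
    """Proxy-switching: every request goes out through the next proxy in the pool.
    OWTF's ProxyMiner fills the pool automatically; here it is a constructed list."""

    def __init__(self, proxies):
        if not proxies:
            raise ValueError("proxy pool is empty")
        self.pool = list(proxies)
        self._cycle = itertools.cycle(self.pool)
        self.used = []                     # which proxy carried each request

    def next_proxy(self):
        proxy = next(self._cycle)
        self.used.append(proxy)
        return proxy

    def opener(self):
        proxy = self.next_proxy()
        handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy})
        return urllib.request.build_opener(handler)

    def fetch(self, url, timeout=10):
        """One request, one proxy; the next call uses the next proxy."""
        with self.opener().open(url, timeout=timeout) as resp:
            return resp.status, resp.read()


class TorMode:
    """All requests leave through Tor; after `interval` seconds the circuit is
    renewed with SIGNAL NEWNYM on the control port, so the exit IP changes.
    http_proxy is assumed to be an HTTP front (Privoxy, HTTPTunnelPort) for Tor."""

    def __init__(self, http_proxy="http://127.0.0.1:8118", control=("127.0.0.1", 9051),
                 password="", interval=60, clock=time.monotonic, send=None):
        self.http_proxy = http_proxy
        self.control = control
        self.password = password
        self.interval = interval
        self.clock = clock
        self._send = send or self._send_control   # injectable for dry runs
        self.last_renew = clock()
        self.renewals = 0

    def control_commands(self):
        # Tor control protocol: authenticate (HashedControlPassword), then NEWNYM.
        pw = self.password.replace("\\", "\\\\").replace('"', '\\"')
        return [f'AUTHENTICATE "{pw}"\r\n', "SIGNAL NEWNYM\r\n", "QUIT\r\n"]

    def _send_control(self, commands):
        with socket.create_connection(self.control, timeout=5) as sock:
            for cmd in commands:
                sock.sendall(cmd.encode())
                reply = sock.recv(1024).decode(errors="replace")
                if not reply.startswith("250"):
                    raise RuntimeError(f"tor control refused {cmd.strip()}: {reply.strip()}")

    def renew_identity(self):
        self._send(self.control_commands())
        self.last_renew = self.clock()
        self.renewals += 1

    def maybe_renew(self):
        """Called before each request: renew only once the interval has elapsed."""
        if self.clock() - self.last_renew >= self.interval:
            self.renew_identity()
            return True
        return False

    def fetch(self, url, timeout=30):
        self.maybe_renew()
        opener = urllib.request.build_opener(urllib.request.ProxyHandler(
            {"http": self.http_proxy, "https": self.http_proxy}))
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
```

Tor itself rate-limits NEWNYM to roughly once every ten seconds, so shorter intervals only appear to rotate. Proxies harvested from public lists are untrusted: each one sees, and can alter, every request it carries, so this mode is only acceptable against a target you are authorised to test and never with credentials you care about.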

Slide 27

Botnet Mode Demo

Slide 29

WAF-Bypasser
• WAF-bypasser is a standalone project which is included in OWTF as a module.
• It analyses and tests the quality of web application firewalls.
• It can potentially detect security holes in a WAF.
• During development, a zero-day was found in the OWASP Core Rule Set (CRS) for the Apache ModSecurity WAF module.
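
An added example (not the WAF-bypasser project's code) of how a WAF's quality can be tested: a payload is mutated in several ways, each variant is passed through the WAF, and the variants that get through are the WAF's holes. MockWaf with two constructed signatures stands in for a real WAF so the example runs offline; nothing here reproduces the ModSecurity finding the slide mentions.

```python
"""Added example (not WAF-bypasser's code): mutate payloads, run each variant
through a WAF, report the ones that get through. MockWaf and its signatures
are constructed stand-ins for a real WAF."""
import re
from urllib.parse import quote, unquote


def mutations(payload):
    """Named variants of one payload: encodings and syntax tricks that a
    signature may not normalise away before matching."""
    yield "plain", payload
    yield "urlencode", quote(payload, safe="")
    yield "double-urlencode", quote(quote(payload, safe=""), safe="")
    yield "mixed-case", "".join(c.upper() if i % 2 else c.lower()
                                for i, c in enumerate(payload))
    yield "inline-comments", re.sub(r"\s+", "/**/", payload)


class MockWaf:
    """Blacklist WAF: normalise the input, then match signatures. How deeply it
    normalises decides which mutations slip through."""

    def __init__(self, signatures, ignore_case=True, decode_rounds=1, strip_comments=False):
        flags = re.IGNORECASE if ignore_case else 0
        self.rules = [re.compile(s, flags) for s in signatures]
        self.decode_rounds = decode_rounds
        self.strip_comments = strip_comments

    def normalise(self, data):
        for _ in range(self.decode_rounds):
            data = unquote(data)
        if self.strip_comments:
            data = re.sub(r"/\*.*?\*/", " ", data)
        return data

    def blocks(self, data):
        data = self.normalise(data)
        return any(rule.search(data) for rule in self.rules)


def find_bypasses(payload, waf):
    """Names of the mutations the WAF lets through: these are its holes."""
    return [name for name, variant in mutations(payload) if not waf.blocks(variant)]


SIGNATURES = [r"union\s+select", r"<script>"]      # constructed, deliberately naive

LAX_WAF = MockWaf(SIGNATURES)                                        # decodes once, keeps comments
STRICT_WAF = MockWaf(SIGNATURES, decode_rounds=3, strip_comments=True)
```

The lax configuration decodes the input once and leaves comments alone, so double URL-encoding and inline comments get through; the strict one normalises as far as the backend would and blocks every variant. That gap between the WAF's normalisation and the backend's is what a bypass finder is looking for.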

Slide 30

WAF-bypasser DEMO 1
WAF-bypasser DEMO 2

Slide 31

OWTF Re-architecture - Alessandro Fanio González

Slide 32

Who am I?
• 23-year-old software engineer.
• I work at Eleven Paths, a company dedicated to the development of security products.
• OWTF Contributor since GSoC 2013.

Slide 33

What is this presentation about?
• The importance of good practices in software development.
• The difficulties of building and maintaining a software project.
• Best practices and patterns in software development.

Slide 34

Why a software engineering presentation at a security conference?
• New features are great, but maintainability is important.
• We all want our tools to be used and maintained, but will you assume the cost?
• Sometimes it is necessary to stop and think: can I improve my code?

Slide 35

Important concepts
• Interface
• Component coupling
• SOLID principles
  • Single Responsibility Principle
  • Interface Segregation Principle
  • Dependency Inversion Principle

Slide 36

Previous OWTF Architecture
• Many responsibilities in one single object.
• Core-dependent architecture.
• Tightly coupled components.

Slide 37

Implemented Architecture
• How do we define a component?
• Initialization process.
• Service Locator pattern.
• Split "fat" interfaces and re-assign responsibilities.
• Use of Python's abstract base class.
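
An added example (not OWTF's actual classes) of the techniques on this slide applied to the problems of the previous one: a narrow interface declared with Python's abc module, a service locator that creates components lazily and in dependency order, and a plugin handler that depends only on the interface, so the transaction log implementation can be swapped without touching it. The component names and their registration order are assumptions.

```python
"""Added example (not OWTF's code): abstract base class as a narrow interface,
a service locator with dependency-ordered initialisation, and components that
depend on the interface rather than on a fat core object."""
from abc import ABC, abstractmethod


class TransactionLogInterface(ABC):
    """Narrow interface: a component that only needs logging depends on this."""

    @abstractmethod
    def record(self, url, status): ...

    @abstractmethod
    def count(self): ...


class MemoryTransactionLog(TransactionLogInterface):
    def __init__(self):
        self.entries = []

    def record(self, url, status):
        self.entries.append((url, status))

    def count(self):
        return len(self.entries)


class ServiceLocator:
    """Components are registered as factories with explicit dependencies and
    created lazily in dependency order; consumers ask for them by name."""

    def __init__(self):
        self._factories = {}
        self._instances = {}
        self._building = []
        self.init_order = []

    def register(self, name, factory, interface=None, depends_on=()):
        self._factories[name] = (factory, interface, tuple(depends_on))

    def get(self, name):
        if name in self._instances:
            return self._instances[name]
        if name not in self._factories:
            raise LookupError(f"no component registered as {name!r}")
        if name in self._building:
            raise RuntimeError("dependency cycle: " + " -> ".join(self._building + [name]))
        factory, interface, deps = self._factories[name]
        self._building.append(name)
        try:
            for dep in deps:
                self.get(dep)            # initialise what this component needs first
            instance = factory(self)
        finally:
            self._building.pop()
        if interface is not None and not isinstance(instance, interface):
            raise TypeError(f"{name!r} must implement {interface.__name__}")
        self._instances[name] = instance
        self.init_order.append(name)
        return instance

    def init_all(self):
        """Create every registered component; returns the order they came up in."""
        for name in list(self._factories):
            self.get(name)
        return list(self.init_order)


class Proxy:
    def __init__(self, log):
        self.log = log

    def handle(self, url, status):
        self.log.record(url, status)


class PluginHandler:
    """Depends on the log interface only; swapping the log does not touch this."""

    def __init__(self, log, proxy):
        self.log = log
        self.proxy = proxy

    def run(self, urls):
        for u in urls:
            self.proxy.handle(u, 200)
        return self.log.count()


def build_locator(log_factory=MemoryTransactionLog):
    loc = ServiceLocator()
    # Registered out of order on purpose; get() resolves dependencies first.
    loc.register("plugin_handler",
                 lambda l: PluginHandler(l.get("transaction_log"), l.get("proxy")),
                 depends_on=("transaction_log", "proxy"))
    loc.register("proxy", lambda l: Proxy(l.get("transaction_log")),
                 depends_on=("transaction_log",))
    loc.register("transaction_log", lambda l: log_factory(),
                 interface=TransactionLogInterface)
    return loc
```

Two things fail loudly instead of silently here: a class that forgets one abstract method cannot be instantiated at all, and a component registered under an interface it does not implement is rejected by the locator at creation time, which is where the previous core-dependent design would have produced an attribute error deep inside a plugin run.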

Slide 38

Achieved Goals!
• Reduced coupling between the modules and the core of OWTF.
• Less complexity = easier to find bugs.
• Reduced the impact of changes (SOLID principles).
• Made it easier to change the implementation of a component.

Slide 39

Contact Us
Alessandro Fanio González - @AlessandroFG27 - [email protected]
Bharadwaj Machiraju - @tunnelshade_ - [email protected]
Marios Kourtesis - [email protected]
http://owtf.org
@owtfp
http://github.com/owtf
#owtf on freenode