OWTF

A framework which tries to unite great tools and make pentesting more efficient.

OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST so that pentesters will have more time to:
- See the big picture and think out of the box
- More efficiently find, verify and combine vulnerabilities
- Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
- Perform more tactical/targeted fuzzing on seemingly risky areas
- Demonstrate true impact despite the short timeframes we are typically given to test.

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Features:
- Resilience: if one tool crashes, OWTF will move on to the next tool/test, saving the partial output the tool produced before it crashed.
- Flexible: pause and resume your work.
- Test separation: OWTF separates the traffic it sends to the target into three main types of plugins: passive, semi-passive and active.
- Extensive REST API.
- Almost complete OWASP Testing Guide (v3, v4), Top 10, NIST and CWE coverage.
- Web interface: easily manage large penetration engagements.
- Interactive report:
  - Automated plugin rankings from the tool output, fully configurable by the user.
  - Configurable risk rankings.
  - In-line notes editor for each plugin.
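To make the resilience and test-separation features concrete, here is an added illustration of the pattern they describe: a small plugin runner that groups plugins by traffic type (passive, semi-passive, active), runs them in that order, and keeps the partial output of a plugin that crashes instead of aborting the engagement. This is not OWTF's own code or plugin API; the plugin names, their output and the target name are constructed for the example.

```python
"""Added illustration (not OWTF's own code): a minimal plugin runner that
models two OWTF features described above -- separating plugins into
passive / semi-passive / active groups, and resilience (one plugin crashing
does not stop the run; whatever it produced before failing is kept).
All plugin names, outputs and the target name are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Run order: least intrusive first, most intrusive last.
PLUGIN_TYPES = ("passive", "semi_passive", "active")


@dataclass
class PluginResult:
    name: str
    plugin_type: str
    status: str                                         # "ok" or "crashed"
    output: List[str] = field(default_factory=list)     # partial output survives a crash
    error: str = ""


@dataclass
class Plugin:
    name: str
    plugin_type: str
    run: Callable[[str, List[str]], None]               # (target, output_sink) -> None


def run_plugins(target: str, plugins: List[Plugin]) -> List[PluginResult]:
    """Run plugins grouped by traffic type; never let one failure abort the run."""
    results: List[PluginResult] = []
    for ptype in PLUGIN_TYPES:
        for plugin in (p for p in plugins if p.plugin_type == ptype):
            out: List[str] = []                         # sink the plugin writes into as it goes
            try:
                plugin.run(target, out)
                results.append(PluginResult(plugin.name, ptype, "ok", out))
            except Exception as exc:                    # broad on purpose: a plugin bug must not stop the run
                results.append(PluginResult(plugin.name, ptype, "crashed", out, repr(exc)))
    return results


# --- constructed sample plugins (hypothetical, not OWTF plugins) -------------
def passive_search(target: str, out: List[str]) -> None:
    # passive: consults third-party sources only, sends nothing to the target
    out.append(f"search-engine query for {target}: 3 indexed hosts (constructed)")


def semi_passive_headers(target: str, out: List[str]) -> None:
    # semi-passive: ordinary traffic a normal visitor would send
    out.append(f"GET / {target} -> 200 (constructed)")
    out.append("missing header: Content-Security-Policy (constructed)")
    raise RuntimeError("parser failed on response body")   # simulated plugin bug


def active_scan(target: str, out: List[str]) -> None:
    # active: clearly-a-test traffic; placeholder only, nothing is sent here
    out.append(f"active scanner run against {target} (constructed, no traffic sent)")


SAMPLE_PLUGINS = [
    Plugin("active_scan", "active", active_scan),
    Plugin("passive_search", "passive", passive_search),
    Plugin("semi_passive_headers", "semi_passive", semi_passive_headers),
]


def summarize(results: List[PluginResult]) -> Dict[str, Tuple[str, int]]:
    """Map plugin name -> (status, number of output lines kept)."""
    return {r.name: (r.status, len(r.output)) for r in results}


if __name__ == "__main__":
    for r in run_plugins("example.test", SAMPLE_PLUGINS):
        print(r)
```

Note that the semi-passive plugin still yields its two findings even though it raised midway, and the active plugin runs afterwards; the run order follows the traffic type, not the order the plugins were registered in.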