Introduction to OWTF (class presentation). It covers the basic features of OWTF and the philosophy behind the framework. Material from previous @7a_ 's presentations and @tunnelshade.

1. Pentest like a Grandmaster
with OWTF
Viyat Bhalodia
OWASP OWTF Project co-lead
viyat.bhalodia@owasp.org

2. Offensive Web Testing Framework
● Written mostly in Python
● Originally started by Abraham Aranguren (@7a_, Cure53)
● Highly extensible with plugins (default and user-defined!)
● Based heavily on OWASP, NIST and PTES testing standards
● Introduced at Brucon, BSides London, BSides Berlin, OWASP AppsecEU.
● One of OWASP’s highly active, mature flagship projects!
● Why ? tl;dr - pentester efficiency and reducing the boring parts of the
engagement

3. Funded by
● OWASP
● Google (through Google Summer of Code 2013, 2014, 2016)
● BruCon
● ElearnSecurity
● Cure53
Used by security teams around the world including Cure53, Google Zurich,
Samsung security team!

4. Pentester requirements for a framework
- Automate the uncreative part of pentests like trying to remember how to launch
tool ‘X’ or how to parse and feed the output of tool ‘X’ to tool ‘Y’.
- Organize the findings according to a testing guide like OWASP, NIST etc.. to
use them as a checklist.
- Classify tests based on aggression levels to prepare ahead of time.
- Provide the ability to rank the findings and add notes to the report
- Analyse each and every HTTP transaction and make them searchable.
- Act as a storage consisting of all useful online tools, dorks, POCs & resources.

5. Chess player approach
Chess players:
• Memorise openings
• Memorise endings
• Memorise entire lines of attack/defence
• Try hard to analyse games efficiently
Pentester translation:
1. Find + prep exploits for opponent weaknesses
2. Precompute an obscure opening: best replies analysed for weeks

6. Efficient Analysis
From Alexander Kotov (famous chess player) - "Think like a Grandmaster":
1. Draw a list of candidate moves (3-4) 1st sweep (!deep)
- Draw up a list of candidate paths of attack
2. Analyse each variation only once (!) 2nd sweep (deep)
- Analyse [ tool output + other info ] once and only once
3. After step 1 and 2 make a move
- After 1) and 2) exploit the best path of attack

7. Putting it all together
in
OWASP OWTF

8. tl;dr: OWTF’s chess-like approach
Run tools
- theHarvester, wpscan
- Nikto, whatweb
- Skipfish, w3af
- Arachni,
Run tests directly
- Crafted requests
- Header searches
- HTTP response
grepping
- Server type, version
Knowledge base
- PoC links
- Resource links
- Testing guide mappings
Help user analysis
- Automated rankings
- User notes
- User rankings
- Interactive report

9. Plugin classification
Web Net Auxiliary
Passive
No traffic to
the target
Semi passive
Normal traffic
to the target
Active
Active vulnerability
probing
Grep
Compliment
Semi passive
External
External
resources

10. Demo time!

11. Questions?
OWTF - github.com/owtf/owtf
Visit owtf.org or owtf.github.io for more
information!