github.com/owtf/owtf @v2.6.0 sqlite

README

Offensive Web Testing Framework

Badges: Build Status · License (3-Clause BSD) · python_2.7 · python_3.6

OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST so that pentesters will have more time to

  • See the big picture and think out of the box
  • More efficiently find, verify and combine vulnerabilities
  • Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short timeframes we are typically given to test.

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Note: This tool is however not a silver bullet and will only be as good as the person using it: understanding and experience are required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.

Requirements

OWTF is developed on Kali Linux and macOS, but it is made for Kali Linux (or other Debian derivatives).

OWTF supports both Python2 and Python3.

OSX prerequisites

Dependencies: Install Homebrew (https://brew.sh/) and follow the steps given below:

$ python3 -m venv ~/.virtualenvs/owtf
$ source ~/.virtualenvs/owtf/bin/activate
$ brew install coreutils gnu-sed openssl
# We need to install 'cryptography' first to avoid issues
$ pip install cryptography --global-option=build_ext --global-option="-L/usr/local/opt/openssl/lib" --global-option="-I/usr/local/opt/openssl/include"

Installation

Recommended:

  • docker is installed (https://www.docker.com/products/docker-desktop)

Using a virtualenv is highly recommended!

Create and start the PostgreSQL database server

Please make sure you have Docker installed!

Run make startdb to create and start the PostgreSQL server in a Docker container. In the default configuration, it listens on port 5342, exposed from the Docker container.

Manual setup (painful and error-prone)

You can also use a script to do this for you: find it in scripts/db_setup.sh. You'll need to modify any hardcoded variables if you change the corresponding ones in owtf/settings.py.

Start the PostgreSQL server,

  • macOS: brew install postgresql and pg_ctl -D /usr/local/var/postgres start
  • Kali: sudo systemctl enable postgresql; sudo systemctl start postgresql or sudo service postgresql start

Create the owtf_db_user user,

  • macOS: psql postgres -c "CREATE USER $db_user WITH PASSWORD '$db_pass';"
  • Kali: sudo su postgres -c "psql -c \"CREATE USER $db_user WITH PASSWORD '$db_pass'\""

Create the database,

  • macOS: psql postgres -c "CREATE DATABASE $db_name WITH OWNER $db_user ENCODING 'utf-8' TEMPLATE template0;"
  • Kali: sudo su postgres -c "psql -c \"CREATE DATABASE $db_name WITH OWNER $db_user ENCODING 'utf-8' TEMPLATE template0;\""
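The three manual steps above interpolate $db_user, $db_pass and $db_name straight into SQL strings, so a password containing a single quote breaks the statement and a stray character in a name changes its meaning. The script below is an added example, not scripts/db_setup.sh from the OWTF repository: it builds the same CREATE USER / CREATE DATABASE statements, but restricts user and database names to a conservative identifier charset and escapes the password as a proper SQL literal before anything reaches psql. The DB_USER, DB_PASS and DB_NAME environment variables, their placeholder defaults, the --print/--apply flags, and the use of sudo -u postgres in place of the README's sudo su postgres -c on Kali are all assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not from the OWTF repo). Composes the PostgreSQL setup
# statements from the README with the name and password inputs checked.
set -eu

# Constructed placeholder values; take the real ones from owtf/settings.py.
db_user="${DB_USER:-owtf_db_user}"
db_pass="${DB_PASS:-owtf_db_pass}"
db_name="${DB_NAME:-owtf_db}"

# Quote a value as a SQL string literal: wrap in '...' and double any
# embedded single quote, so the password cannot terminate the literal.
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Reject anything other than [A-Za-z0-9_] for identifiers that are spliced
# into the statement unquoted (user and database names).
check_ident() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) echo "refusing unsafe identifier: $1" >&2; return 1 ;;
  esac
}

# CREATE USER statement: $1 = user name, $2 = password.
create_user_sql() {
  check_ident "$1"
  printf "CREATE USER %s WITH PASSWORD %s;" "$1" "$(sql_quote "$2")"
}

# CREATE DATABASE statement: $1 = database name, $2 = owner (user name).
create_db_sql() {
  check_ident "$1"
  check_ident "$2"
  printf "CREATE DATABASE %s WITH OWNER %s ENCODING 'utf-8' TEMPLATE template0;" "$1" "$2"
}

# Run one statement as the postgres superuser, dispatching on OS the way the
# README does (local psql on macOS, postgres system account on Kali/Debian).
run_psql() {
  if [ "$(uname)" = "Darwin" ]; then
    psql postgres -c "$1"
  else
    sudo -u postgres psql -c "$1"
  fi
}

db_setup() {
  run_psql "$(create_user_sql "$db_user" "$db_pass")"
  run_psql "$(create_db_sql "$db_name" "$db_user")"
}

# --print shows the statements that would run; --apply executes them.
# With no argument the script only defines the functions above.
case "${1:-}" in
  --print)
    create_user_sql "$db_user" "$db_pass"; echo
    create_db_sql "$db_name" "$db_user"; echo ;;
  --apply)
    db_setup ;;
esac
```

Run it with --print first and compare the output against the psql commands listed above; the password in the printed statement will appear with any embedded quote doubled, which is what PostgreSQL expects inside a string literal.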

Installing OWTF

  • pip install git+https://github.com/owtf/owtf#egg=owtf or clone the repo and python setup.py develop.
  • Run owtf and open localhost:8009 for the OWTF web interface, or owtf --help for all available commands.

Features

  • Resilience: If one tool crashes, OWTF will move on to the next tool/test, saving the partial output of the tool up to the point it crashed.
  • Flexible: Pause and resume your work.
  • Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:
      • Passive: No traffic goes to the target
      • Semi Passive: Normal traffic to target
      • Active: Direct vulnerability probing
  • Extensive REST API.
  • Has almost complete OWASP Testing Guide (v3, v4), Top 10, NIST, CWE coverage.
  • Web interface: Easily manage large penetration engagements.
  • Interactive report:
      • Automated plugin rankings from the tool output, fully configurable by the user.
      • Configurable risk rankings
      • In-line notes editor for each plugin.

License

Check out LICENSE

Code of Conduct

Check out the Code of Conduct

Links

Core symbols most depended-on inside this repo

Symbol             Called by   File
format             199         owtf/utils/formatters.py
get                178         owtf/db/model_base.py
get_resources      85          owtf/managers/resource.py
get                67          owtf/webapp/src/utils/request.js
HtmlString         52          owtf/plugin/helper.py
resource_linklist  44          owtf/plugin/helper.py
success            38          owtf/api/handlers/base.py
CommandDump        36          owtf/plugin/helper.py

Shape

Method 633
Function 577
Class 191
Route 27

Languages

Python 77%
TypeScript 23%

Modules by API surface

owtf/managers/transaction.py · 43 symbols
owtf/requester/base.py · 37 symbols
owtf/managers/target.py · 36 symbols
owtf/plugin/helper.py · 33 symbols
owtf/managers/worker.py · 27 symbols
owtf/plugin/runner.py · 26 symbols
owtf/lib/exceptions.py · 26 symbols
owtf/proxy/proxy.py · 23 symbols
owtf/utils/file.py · 22 symbols
owtf/api/handlers/base.py · 22 symbols
owtf/utils/strings.py · 21 symbols
owtf/transactions/base.py · 21 symbols

Dependencies from manifests, versioned

babel-core 6.26.0 · 1×
babel-loader 7.1.4 · 1×
babel-plugin-emotion 9.1.0 · 1×
babel-polyfill 6.26.0 · 1×
babel-preset-env 1.6.1 · 1×
babel-preset-react 6.24.1 · 1×
babel-preset-stage-0 6.24.1 · 1×
chalk 2.3.2 · 1×
circular-dependency-plugin 4 · 1×
classnames 2.2.5 · 1×
clean-webpack-plugin 0.1.19 · 1×
css-loader 0.28.11 · 1×

For agents

$ claude mcp add owtf \
  -- python -m otcore.mcp_server <graph>