[Owasp-leaders] OWTF 1.0 "Lionheart": Call for testers + GSoC Participation Poll results

Abraham Aranguren abraham.aranguren at owasp.org
Tue Sep 16 02:08:47 UTC 2014


Hi Dave/Gregory,

Thank you very much for the kind words!
I would like to start this by saying that I love ZAP, I use it
personally all the time and I have used it in a training course,
including the interception feature, with 0 complaints so far :)

To summarise, and just for background, OWTF is completely different from
ZAP -and Minion and ThreadFix :)- in 3 major ways:
- OWTF is a tool aggregator + a third party website aggregator + has its
own tests too (i.e. we don't do just aggregation or scanning, we do *both*)
- OWTF *aims to* cover much more ground (i.e. everything :P): Network
security, tests through third party websites, google hacking, the whole
OWASP testing guide, PTES, etc.
- OWTF's report is interactive: The pentester *can* clean-up the false
positives, add the false negatives plus anything else they found on
their own, as well as PoC screenshots, notes, etc.

To those lucky enough to make it to BruCON this year, don't miss the
3 x BruCON 5x5 OWTF talks -Lots of cool things coming, including some
0-day I've heard ;)-:
http://2014.brucon.org/index.php/Schedule

re current OWTF <=> ZAP cooperation:
OWTF and ZAP are trying to cooperate already, in fact, one of our GSoC
projects this year was about "Zest and ZAP integration", which Simon
mentored himself, thank you Simon! :).
We have a lot of room for improvement on documentation but we are trying
to get there:
1) You can see "ZAP" on the OWTF wiki here (again, this needs to be
moved to github.io, WIP!):
https://github.com/owtf/owtf/wiki

2) OWTF Zest & ZAP Integration demo:
http://www.youtube.com/watch?v=-Q_tHX0zexo&list=PL3SqEmKhsxzwr0r5foEguBULoxphVj_hh&index=2

3) You can also setup ZAP as the outbound proxy for OWTF, and therefore
give ZAP all the HTTP traffic that way (which might work well in small
assessments, but ZAP would really struggle to catch up with traffic,
slow everything down and make the tester lose valuable results,
especially on large assessments) <-- OWTF's proxy is built over python's
tornado, last year OWTF's proxy was benchmarked as the fastest python
proxy ever created (thanks to the tornado trick + the exemplary
pre-implementation research and project execution by super-smart
Bharadwaj, not my merit), a Java proxy *cannot* catch up with this kind
of speed (try Burp and you'll kill it too :P).
Example: By default, in a multi-target assessment, if you have 4
processors, OWTF may proxify 4 x w3af/arachni/nikto scanning processes
(each of which will use many threads), this is OK for OWTF, but too much
for a Java proxy. You can also change OWTF's configuration to use more
scanning processes per processor too (i.e. 2 processes per processor
usually works well for me).

4) Similarly, you can setup ZAP to use OWTF as an external proxy and get
all of the power of the OWTF grep plugins on top of the ZAP awesomeness.
So you can chain the OWTF and ZAP MiTM proxies in any way you want :).

Other details & considerations:
Obviously, although ZAP is great (and I use it all the time personally),
OWTF will find more than ZAP every single time, especially on "point and
click low hanging fruit assessments" for the simple reason that ZAP will
never find more than ALL the tools + tests OWTF will launch *combined*:
hoppy, nikto, w3af, arachni, skipfish and many others plus the tests
OWTF implements internally.

OWTF and ZAP are completely different tools with completely different
goals: It's not "one or the other", it's both. I tend to use both in my
own assessments.

ZAP is great for tactical fuzzing during manual testing: The Java speed
issues are not a big concern for localised testing (i.e. let me see if I
can XYZ on *this* *screen* OR the screens under *this* *directory*). I
would never launch ZAP (or Burp!) against 30 urls because it would
struggle with that, this is the kind of assessment where OWTF tends to
do (a lot) better.

OWTF does a lot of things that ZAP does not do (or aim to do), including
and not limited to: Network security, WAF bypass testing, Social
Engineering, let the user review and eliminate false positives, let the
user take screenshots and notes, let the user test ahead of permission
through third party websites, provide the user with Google Hacking
searches, and a very long etc. <-- so we are trying to cover
significantly more ground, we are not competing tools, there are
similarities and there is some overlap, but our goals, coverage and
approach are completely different.

OWTF provides an interface to manage notes, screenshots, human ranking
of findings, etc. testing performed with *other* tools as well as from
OWTF itself, whether launched by OWTF *and/or* manually by the tester
*externally* (aka "whatever you did by hand"). A major difference from
OWTF to most other scanners is this: OWTF gives you a report that you
*can* and *should* change. Another beauty of OWTF is that if scanners 1
and 2 had trouble with "website X", you still got the results from
scanners 3, 4 and 5 to have *some* coverage.

Then many tests, like the passive ones, use third party websites, the
point being:
http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission
<-- which is something ZAP does not do or afaik intend to do. The
"passive" tests ZAP has are really *semi-passive* (i.e. they do touch
the target), only slightly overlap with some of our semi-passive tests,
and 0 from our passive tests.

Methodology-wise the following might be helpful to get the drift of OWTF
-i.e. we are applying chess playing techniques to security testing,
basically :)-:
http://www.slideshare.net/abrahamaranguren/pentesting-like-a-grandmaster-bsides-london-2013

So "plugging OWTF into ZAP" is complex, but we do have methods to
cooperate and we are already trying to -OWTF is all about "cooperating
with other tools", and ZAP is no exception ;)-. On the OWTF => ZAP
front, we just need to find ways to pass on the information without
overwhelming/crashing ZAP.

Things might make more sense looking at previous presentations:
http://www.slideshare.net/abrahamaranguren/presentations
or these (some talks were recorded):
http://blog.7-a.org/search/label/OWTF%20Talks

Maybe IRC (#owtf on freenode), GTalk or Skype would be a better place to
answer questions,

If you arrived this far, thank you for your patience and let me know
(maybe off list!) if I managed to clarify anything :)

Abe
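The proxy chaining described in points 3 and 4 above (one proxy configured to send everything through an "outbound"/upstream proxy) is easy to see in miniature. The following is an added example, not OWTF or ZAP code: two tiny plain-HTTP forwarding proxies written on Python's standard library, named "owtf" and "zap" purely for illustration, chained so that the first forwards to the second and the second reaches the origin. Each hop appends itself to the RFC 7230 `Via` header, and the origin echoes that header back, so the client can verify which proxies actually saw the request. It only handles unencrypted GET requests (no CONNECT tunnelling or TLS interception) and binds to loopback on ephemeral ports.

```python
"""Chaining two HTTP forwarding proxies (added example, not OWTF or ZAP code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def make_proxy_handler(name, upstream=None):
    """Build a handler class for a plain (non-TLS) forwarding proxy.

    name:     label recorded in the Via header for this hop (hypothetical)
    upstream: (host, port) of the next proxy in the chain, or None to
              connect directly to the origin named in the absolute URL.
    """
    class ProxyHandler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            parts = urlsplit(self.path)  # proxies receive absolute URLs
            if upstream is not None:
                host, port = upstream
                target = self.path             # pass the absolute URL along
            else:
                host, port = parts.hostname, parts.port or 80
                target = parts.path or "/"
            # Forward client headers, minus hop-by-hop ones we rewrite.
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in ("via", "proxy-connection")}
            via = self.headers.get("Via")
            headers["Via"] = f"{via}, 1.1 {name}" if via else f"1.1 {name}"
            conn = http.client.HTTPConnection(host, port, timeout=5)
            conn.request("GET", target, headers=headers)
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() not in ("transfer-encoding", "connection",
                                     "content-length"):
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return ProxyHandler


class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in target: echoes the Via header so the proxy trail is visible."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):
        pass

    def do_GET(self):
        body = (self.headers.get("Via") or "").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(handler):
    """Start a threaded server on 127.0.0.1 with an ephemeral port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(proxy, url):
    """GET `url` through `proxy` = (host, port); returns (status, body)."""
    conn = http.client.HTTPConnection(proxy[0], proxy[1], timeout=5)
    conn.request("GET", url)  # absolute URL in the request line = proxy request
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def run_chain_demo():
    """client -> "owtf" proxy -> "zap" proxy -> origin; returns (status, Via)."""
    origin = serve(OriginHandler)
    origin_url = f"http://127.0.0.1:{origin.server_port}/"
    zap = serve(make_proxy_handler("zap"))                 # reaches origin itself
    owtf = serve(make_proxy_handler("owtf", upstream=zap.server_address))
    try:
        return fetch_via_proxy(owtf.server_address, origin_url)
    finally:
        for s in (owtf, zap, origin):
            s.shutdown()
            s.server_close()


if __name__ == "__main__":
    print(run_chain_demo())  # (200, '1.1 owtf, 1.1 zap')
```

Swapping the `upstream` arguments reverses the chain, which is the point 4 setup. In a real assessment the same `Via` trick (or a distinctive header on one proxy) is a cheap way to confirm that traffic really is traversing every hop before trusting either tool's coverage.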

On 09/13/2014 06:08 PM, Gregory Disney wrote:
> I'm sure it's pluggable into ZAP since it's python, and ZAP integrated
> sqlmap which is python.
> -Greg
>
> On Sat, Sep 13, 2014 at 8:10 AM, Dave Wichers <dave.wichers at owasp.org
> <mailto:dave.wichers at owasp.org>> wrote:
>
>     Abraham,
>
>     I surfed the OWTF site briefly and it's very impressive. Great job.
>
>     My question is how does OWTF relate to ZAP? ZAP has the best web
>     scanning capabilities of any free tool out there. I don't see any
>     mention of ZAP in the OWTF documentation (and search returned no
>     matches either).
>
>     If there isn't any relationship, why not?
>
>     With respect.
>
>     -Dave
>
>     -----Original Message-----
>     From: owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>
>     [mailto:owasp-leaders-bounces at lists.owasp.org
>     <mailto:owasp-leaders-bounces at lists.owasp.org>] On Behalf Of Abraham
>     Aranguren
>     Sent: Friday, September 12, 2014 10:41 PM
>     To: owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>; owasp_owtf at lists.owasp.org
>     <mailto:owasp_owtf at lists.owasp.org>;
>     owasp_owtf_developers at lists.owasp.org
>     <mailto:owasp_owtf_developers at lists.owasp.org>
>     Subject: [Owasp-leaders] OWTF 1.0 "Lionheart": Call for testers + GSoC
>     Participation Poll results
>
>     Dear OWASP / OWTF friends,
>
>     We are about to release OWASP OWTF 1.0 "Lionheart" ahead of
>     Brucon, this is
>     our biggest release ever and need your help!
>
>     *OWTF 1.0 "Lionheart" is imminent, *please* help us:
>     1) Testing the bleeding edge branch here:
>     https://github.com/owtf/owtf/tree/lions_2014
>     2) Reporting bugs here: https://github.com/owtf/owtf/issues*
>     -other options: tutorials, demos, documentation, bug fixes, ideas,
>     suggestions, and any other form of contribution you can think of :)-
>
>     How to get started:
>
>       * Intro: http://owtf.github.io/
>
>       * Usage Documentation: http://docs.owtf.org/
>
>       * Tutorials / Demos /
>         Talks: https://www.youtube.com/user/owtfproject/playlists
>
>       * Passive online scanner (try some of the features from your
>     browser,
>         no need to install
>         anything): http://owtf.github.io/online-passive-scanner/
>
>
>     For those interested in the motivation behind students who
>     participate in
>     GSoC, I compiled the following poll results from among OWASP OWTF
>     GSoC 2014
>     participants:
>     NOTE: 15 answers, 10 x submitted + 5 x did not submit, interesting
>     read imho
>     http://blog.7-a.org/2014/09/owtf-10-lionheart-call-for-testers-gsoc.html
>
>     Have a great weekend and thank you in advance for all your help! :)
>
>     Abe
>
>     P.S. RTs welcome! https://twitter.com/owtfp/status/510610426376499201
>
>
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
