[Owasp-leaders] OWTF 1.0 "Lionheart": Call for testers + GSoC Participation Poll results

Aaron Guzman aaron.guzman at owasp.org
Tue Sep 16 18:00:25 UTC 2014


Abraham,


I've done a brief intro to our Los Angeles Chapter on OWTF back in July. I've
received very positive feedback as well. I personally use OWTF and ZAP on
every pen test. Typically I use OWTF for recon and such then move over to
ZAP for the manual testing.

I will continue to use OWTF as it gets updated.

Keep up the great work!

On Mon, Sep 15, 2014 at 7:08 PM, Abraham Aranguren <
abraham.aranguren at owasp.org> wrote:

> Hi Dave/Gregory,
>
> Thank you very much for the kind words!
> I would like to start this by saying that I love ZAP, I use it
> personally all the time and I have used it in a training course,
> including the interception feature, with 0 complaints so far :)
>
> To summarise, and just for background, OWTF is completely different from
> ZAP -and Minion and ThreadFix :)- in 3 major ways:
> - OWTF is a tool aggregator + a third party website aggregator + has its
> own tests too (i.e. we don't do just aggregation or scanning, we do *both*)
> - OWTF *aims to* cover much more ground (i.e. everything :P): Network
> security, tests through third party websites, google hacking, the whole
> OWASP testing guide, PTES, etc.
> - OWTF's report is interactive: The pentester *can* clean-up the false
> positives, add the false negatives plus anything else they found on
> their own, as well as PoC screenshots, notes, etc.
>
> To those lucky enough to make it to Brucon this year, don't miss the
> 3 x brucon 5x5 OWTF talks -Lots of cool things coming, including some
> 0-day I've heard ;)-:
> http://2014.brucon.org/index.php/Schedule
>
> re current OWTF <=> ZAP cooperation:
> OWTF and ZAP are trying to cooperate already, in fact, one of our GSoC
> projects this year was about "Zest and ZAP integration", which Simon
> mentored himself, thank you Simon! :).
> We have a lot of room for improvement on documentation but we are trying
> to get there:
> 1) You can see "ZAP" on the OWTF wiki here (again, this needs to be
> moved to github.io, WIP!):
> https://github.com/owtf/owtf/wiki
>
> 2) OWTF Zest & ZAP Integration demo:
>
> http://www.youtube.com/watch?v=-Q_tHX0zexo&list=PL3SqEmKhsxzwr0r5foEguBULoxphVj_hh&index=2
>
> 3) You can also set up ZAP as the outbound proxy for OWTF, and therefore
> give ZAP all the HTTP traffic that way (which might work well in small
> assessments, but ZAP would really struggle to catch up with traffic,
> slow everything down and make the tester lose valuable results,
> especially on large assessments) <-- OWTF's proxy is built over python's
> tornado, last year OWTF's proxy was benchmarked as the fastest python
> proxy ever created (thanks to the tornado trick + the exemplary
> pre-implementation research and project execution by super-smart
> Bharadwaj, not my merit), a Java proxy *cannot* catch up with this kind
> of speed (try Burp and you'll kill it too :P).
> Example: By default, in a multi-target assessment, if you have 4
> processors, OWTF may proxify 4 x w3af/arachni/nikto scanning processes
> (each of which will use many threads), this is OK for OWTF, but too much
> for a Java proxy. You can also change OWTF's configuration to use more
> scanning processes per processor too (i.e. 2 processes per processor
> usually works well for me).
>
> 4) Similarly, you can set up ZAP to use OWTF as an external proxy and get
> all of the power of the OWTF grep plugins on top of the ZAP awesomeness.
> So you can chain the OWTF and ZAP MiTM proxies in any way you want :).
>
> Other details & considerations:
> Obviously, although ZAP is great (and I use it all the time personally),
> OWTF will find more than ZAP every single time, especially on "point and
> click low hanging fruit assessments" for the simple reason that ZAP will
> never find more than ALL the tools + tests OWTF will launch *combined*:
> hoppy, nikto, w3af, arachni, skipfish and many others plus the tests
> OWTF implements internally.
>
> OWTF and ZAP are completely different tools with completely different
> goals: It's not "one or the other", it's both. I tend to use both in my
> own assessments.
>
> ZAP is great for tactical fuzzing during manual testing: The Java speed
> issues are not a big concern for localised testing (i.e. let me see if I
> can XYZ on *this* *screen* OR the screens under *this* *directory*). I
> would never launch ZAP (or Burp!) against 30 urls because it would
> struggle with that, this is the kind of assessment where OWTF tends to
> do (a lot) better.
>
> OWTF does a lot of things that ZAP does not do (or aim to do), including
> and not limited to: Network security, WAF bypass testing, Social
> Engineering, Let the user review and eliminate false positives, let the
> user take screenshots and notes, let the user test ahead of permission
> through third party websites, provide the user with Google Hacking
> searches, and a very long etc. <-- so we are trying to cover
> significantly more ground, we are not competing tools, there are
> similarities and there is some overlap, but our goals, coverage and
> approach are completely different.
>
> OWTF provides an interface to manage notes, screenshots, human ranking
> of findings, etc. testing performed with *other* tools as well as from
> OWTF itself, whether launched by OWTF *and/or* manually by the tester
> *externally* (aka "whatever you did by hand"). A major difference from
> OWTF to most other scanners is this: OWTF gives you a report that you
> *can* and *should* change. Another beauty of OWTF is that if scanners 1
> and 2 had trouble with "website X", you still got the results from
> scanners 3, 4 and 5 to have *some* coverage.
>
> Then many tests, like the passive ones, use third party websites, the
> point being:
>
> http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission
> <-- which is something ZAP does not do or afaik intend to do. The
> "passive" tests ZAP has are really *semi-passive* (i.e. they do touch
> the target), only slightly overlap with some of our semi-passive tests,
> and 0 from our passive tests.
>
> Methodology-wise the following might be helpful to get the drift of OWTF
> -i.e. we are applying chess playing techniques to security testing,
> basically :)-:
>
> http://www.slideshare.net/abrahamaranguren/pentesting-like-a-grandmaster-bsides-london-2013
>
> So "plugging OWTF into ZAP" is complex, but we do have methods to
> cooperate and we are already trying to -OWTF is all about "cooperating
> with other tools", and ZAP is no exception ;)-. On the OWTF => ZAP
> front, we just need to find ways to pass on the information without
> overwhelming/crashing ZAP.
>
> Things might make more sense looking at previous presentations:
> http://www.slideshare.net/abrahamaranguren/presentations
> or these (some talks were recorded):
> http://blog.7-a.org/search/label/OWTF%20Talks
>
> Maybe IRC (#owtf on freenode), GTalk or Skype would be a better place to
> answer questions,
>
> If you arrived this far, thank you for your patience and let me know
> (maybe off list!) if I managed to clarify anything :)
>
> Abe
>
> On 09/13/2014 06:08 PM, Gregory Disney wrote:
> > I'm sure it's pluggable into ZAP since it's python, and ZAP integrated
> > sqlmap which is python.
> > -Greg
> >
> > On Sat, Sep 13, 2014 at 8:10 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> >
> >     Abraham,
> >
> >     I surfed the OWTF site briefly and it's very impressive. Great job.
> >
> >     My question is how does OWTF relate to ZAP? ZAP has the best web
> >     scanning
> >     capabilities of any free tool out there. I don't see any mention
> >     of ZAP in
> >     the OWTF documentation (and search returned no matches either).
> >
> >     If there isn't any relationship, why not?
> >
> >     With respect.
> >
> >     -Dave
> >
> >     -----Original Message-----
> >     From: owasp-leaders-bounces at lists.owasp.org
> >     [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Abraham
> >     Aranguren
> >     Sent: Friday, September 12, 2014 10:41 PM
> >     To: owasp-leaders at lists.owasp.org; owasp_owtf at lists.owasp.org;
> >     owasp_owtf_developers at lists.owasp.org
> >     Subject: [Owasp-leaders] OWTF 1.0 "Lionheart": Call for testers + GSoC
> >     Participation Poll results
> >
> >     Dear OWASP / OWTF friends,
> >
> >     We are about to release OWASP OWTF 1.0 "Lionheart" ahead of
> >     Brucon, this is
> >     our biggest release ever and need your help!
> >
> >     OWTF 1.0 "Lionheart" is imminent, *please* help us:
> >     1) Testing the bleeding edge branch here:
> >     https://github.com/owtf/owtf/tree/lions_2014
> >     2) Reporting bugs here: https://github.com/owtf/owtf/issues
> >     -other options: tutorials, demos, documentation, bug fixes, ideas,
> >     suggestions, and any other form of contribution you can think of :)-
> >
> >     How to get started:
> >
> >       * Intro: http://owtf.github.io/
> >
> >       * Usage Documentation: http://docs.owtf.org/
> >
> >       * Tutorials / Demos /
> >         Talks: https://www.youtube.com/user/owtfproject/playlists
> >
> >       * Passive online scanner (try some of the features from your
> >     browser,
> >         no need to install
> >         anything): http://owtf.github.io/online-passive-scanner/
> >
> >
> >     For those interested in the motivation behind students who
> >     participate in
> >     GSoC, I compiled the following poll results from among OWASP OWTF
> >     GSoC 2014
> >     participants:
> >     NOTE: 15 answers, 10 x submitted + 5 x did not submit, interesting
> >     read imho
> >
> >     http://blog.7-a.org/2014/09/owtf-10-lionheart-call-for-testers-gsoc.html
> >
> >     Have a great weekend and thank you in advance for all your help! :)
> >
> >     Abe
> >
> >     P.S. RTs welcome!
> >     https://twitter.com/owtfp/status/510610426376499201
> >
> >
> >
> >     _______________________________________________
> >     OWASP-Leaders mailing list
> >     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
>
>
>



-- 
Aaron G
Twitter: @scriptingxss
Linkedin: http://lnkd.in/bds3MgN
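Points 3 and 4 of Abraham's reply describe chaining the two MITM proxies in either direction (ZAP as OWTF's outbound proxy, or OWTF as ZAP's external proxy) and running OWTF's grep plugins over the traffic that passes through. Two details make a chain like that work at the HTTP level: a proxy that forwards to another proxy must keep the absolute-form URL in the request line and must strip hop-by-hop headers, while a proxy talking directly to the origin uses the path-only origin-form; and a "grep"-style check inspects responses as they pass, sending nothing extra to the target. The following is an added, constructed Python illustration of those two pieces. It is not OWTF's tornado proxy, not ZAP's code, and not from this thread; `ProxyConfig`, `plan_outbound`, `passive_header_checks`, the ports and the sample headers are assumptions made for the example.

```python
"""Constructed illustration of chaining MITM proxies and of a grep-style
passive check. Example code only: not OWTF's tornado proxy and not ZAP's;
names, ports and sample data are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hop-by-hop headers apply to one TCP hop only (RFC 7230 section 6.1) and
# must be dropped before the request is re-sent to the next hop.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}


@dataclass
class ProxyConfig:
    listen_port: int                                   # where this proxy listens
    upstream_proxy: Optional[Tuple[str, int]] = None   # next proxy in the chain, or None


def plan_outbound(method: str, url: str, headers: Dict[str, str],
                  cfg: ProxyConfig) -> Tuple[str, int, str, Dict[str, str]]:
    """Decide where the forwarded request connects and which request line it uses.

    Chained (upstream_proxy set): connect to the upstream proxy and keep the
    absolute-form URL in the request line so the upstream still knows the origin.
    Direct (no upstream): connect to the origin and use origin-form (path only).
    Returns (connect_host, connect_port, request_line, forwarded_headers).
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("plain-HTTP absolute URL expected: %r" % url)
    origin_port = parts.port or 80
    host_header = parts.hostname + (":%d" % parts.port if parts.port else "")

    fwd = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    fwd["Host"] = host_header

    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    if cfg.upstream_proxy is not None:
        connect_host, connect_port = cfg.upstream_proxy
        request_target = "%s://%s%s" % (parts.scheme, host_header, path)  # absolute-form
    else:
        connect_host, connect_port = parts.hostname, origin_port
        request_target = path                                              # origin-form
    return connect_host, connect_port, "%s %s HTTP/1.1" % (method, request_target), fwd


# The "grep plugin" idea: every response that crosses the proxy is inspected
# locally; nothing additional is sent to the target. These checks report
# missing defensive headers and a Server banner that discloses a version.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")


def passive_header_checks(url: str, response_headers: Dict[str, str]) -> List[str]:
    lower = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    for name in EXPECTED_HEADERS:
        if name.lower() not in lower:
            findings.append("%s: missing %s" % (url, name))
    server = lower.get("server", "")
    if any(ch.isdigit() for ch in server):  # e.g. "Apache/2.2.3" reveals a version
        findings.append("%s: Server header discloses version: %s" % (url, server))
    return findings


if __name__ == "__main__":
    # Constructed sample: chain this proxy into a second proxy on localhost:8080.
    chained = ProxyConfig(listen_port=8008, upstream_proxy=("127.0.0.1", 8080))
    print(plan_outbound("GET", "http://target.example/login?next=%2F",
                        {"Proxy-Connection": "keep-alive", "Accept": "*/*"}, chained))
    print(plan_outbound("GET", "http://target.example/login?next=%2F", {},
                        ProxyConfig(listen_port=8008)))
    sample_response = {"Server": "Apache/2.2.3", "Content-Type": "text/html"}
    for line in passive_header_checks("http://target.example/login", sample_response):
        print(line)
```

The chaining direction in the thread is a configuration choice, not a code change: with `upstream_proxy` set, this proxy hands everything to the next one; with it unset, it talks to the origin itself. The passive checks only ever see responses that the tester's own tools already fetched, which is why they add coverage without adding requests.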