Pentesting like a grandmaster with OWTF


Pentest like a Grandmaster with OWTF

Viyat Bhalodia

OWASP OWTF Project co-lead

viyat.bhalodia@owasp.org

Offensive Web Testing Framework

● Written mostly in Python

● Originally started by Abraham Aranguren (@7a_, Cure53)

● Highly extensible with plugins (default and user-defined!)

● Based heavily on OWASP, NIST and PTES testing standards

● Introduced at BruCon, BSides London, BSides Berlin, OWASP AppSecEU.

● One of OWASP’s highly active, mature flagship projects!

● Why? tl;dr: pentester efficiency and reducing the boring parts of the engagement

Funded by

● OWASP

● Google (through Google Summer of Code 2013, 2014, 2016)

● BruCon

● eLearnSecurity

● Cure53

Used by security teams around the world including Cure53, Google Zurich, Samsung security team!

Pentester requirements for a framework

- Automate the uncreative part of pentests like trying to remember how to launch tool ‘X’ or how to parse and feed the output of tool ‘X’ to tool ‘Y’.

- Organize the findings according to a testing guide like OWASP, NIST etc. to use them as a checklist.

- Classify tests based on aggression levels to prepare ahead of time.

- Provide the ability to rank the findings and add notes to the report.

- Analyse each and every HTTP transaction and make them searchable.

- Act as a storage consisting of all useful online tools, dorks, POCs & resources.

- Allow us to think and not get in our way <— important!

Chess player approach

Chess players:

- Memorise openings
- Memorise endings
- Memorise entire lines of attack/defence
- Try hard to analyse games efficiently

Pentester translation:

1. Find + prep exploits for opponent weaknesses

2. Precompute an obscure opening: best replies analysed for weeks

Efficient Analysis

From Alexander Kotov (famous chess player) - "Think like a Grandmaster":

1. Draw up a list of candidate moves (3-4): 1st sweep (not deep)

- Draw up a list of candidate paths of attack

2. Analyse each variation only once (!): 2nd sweep (deep)

- Analyse [ tool output + other info ] once and only once

3. After step 1 and 2 make a move

- After 1) and 2) exploit the best path of attack

Putting it all together in OWASP OWTF

tl;dr: OWTF’s chess-like approach

Run tools

- theHarvester, wpscan
- Nikto, whatweb
- Skipfish, w3af
- Arachni

Run tests directly

- Crafted requests
- Header searches
- HTTP response grepping
- Server type, version

Knowledge base

- PoC links
- Resource links
- Testing guide mappings

Help user analysis

- Automated rankings
- User notes
- User rankings
- Interactive report

Plugin classification

Plugin groups: Web, Net, Auxiliary

Plugin types:

Passive: no traffic to the target

Semi-passive: normal traffic to the target

Active: active vulnerability probing

Grep: complements semi-passive (searches already captured traffic)

External: external resources
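As an added illustration of the plugin types above and of the "HTTP response grepping / server type, version" test listed earlier, the following Python is example code written for this page, not OWTF's own plugin API. It models a small plugin registry, selects plugins by an aggression level (whether any traffic, and whether active probing, is allowed), and runs a Grep-type check over stored HTTP transactions that reports version-disclosing headers once per distinct value, in the spirit of "analyse each variation only once". Plugin names, the aggression flags and the sample transactions are constructed.

```python
"""Added example (not OWTF's own code): OWTF-style plugin classification plus a
Grep-type check over stored HTTP transactions. All names and data are constructed."""
from dataclasses import dataclass
from enum import Enum
import re


class PluginType(Enum):
    PASSIVE = "passive"            # no traffic to the target
    SEMI_PASSIVE = "semi_passive"  # normal traffic to the target
    ACTIVE = "active"              # active vulnerability probing
    GREP = "grep"                  # searches already captured transactions, no new traffic
    EXTERNAL = "external"          # external resources (links, references)


# Plugin types that generate traffic to the target; used to enforce aggression levels.
SENDS_TRAFFIC = {PluginType.SEMI_PASSIVE, PluginType.ACTIVE}


@dataclass(frozen=True)
class Plugin:
    name: str      # constructed plugin name
    group: str     # "web", "net" or "auxiliary"
    ptype: PluginType


@dataclass(frozen=True)
class Transaction:
    """One stored HTTP transaction (only the fields the grep check needs)."""
    url: str
    status: int
    headers: dict


# Constructed plugin registry; the wrapper names are hypothetical.
PLUGINS = [
    Plugin("resource_links", "web", PluginType.EXTERNAL),
    Plugin("server_version_grep", "web", PluginType.GREP),
    Plugin("whatweb_wrapper", "web", PluginType.SEMI_PASSIVE),
    Plugin("nikto_wrapper", "web", PluginType.ACTIVE),
]


def select_plugins(plugins, allow_traffic, allow_active):
    """Return the plugins permitted under the chosen aggression level."""
    chosen = []
    for p in plugins:
        if p.ptype is PluginType.ACTIVE and not allow_active:
            continue
        if p.ptype in SENDS_TRAFFIC and not allow_traffic:
            continue
        chosen.append(p)
    return chosen


# Response headers that commonly disclose server software and version.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(\.\d+)+")   # e.g. 2.4.41, 7.4.3


def grep_server_versions(transactions):
    """Grep-type check: report each distinct version-disclosing header value once,
    with the URLs it was seen on, so the analyst reviews it only once."""
    findings = {}
    for t in transactions:
        for name, value in t.headers.items():
            if name.lower() in VERSION_HEADERS and VERSION_RE.search(value):
                findings.setdefault((name, value), []).append(t.url)
    return findings


# Constructed sample transactions (not captured from any real host).
SAMPLE_TRANSACTIONS = [
    Transaction("http://example.test/", 200,
                {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}),
    Transaction("http://example.test/login", 200, {"Server": "nginx"}),
    Transaction("http://example.test/api", 404, {"Server": "Apache/2.4.41 (Ubuntu)"}),
]


if __name__ == "__main__":
    quiet = select_plugins(PLUGINS, allow_traffic=False, allow_active=False)
    print("No-traffic plugin set:", [p.name for p in quiet])
    for (header, value), urls in grep_server_versions(SAMPLE_TRANSACTIONS).items():
        print(f"{header}: {value} -> seen on {len(urls)} URL(s): {urls}")
```

The grep check never contacts the target; it only reads transactions already stored by the semi-passive plugins, which is why it can run under the no-traffic level alongside the external plugin. The same shape extends to other header and body searches: add a pattern, keep the "report once per distinct value" aggregation, and the analyst's review time stays proportional to distinct findings rather than to the number of requests.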

Demo time!

Questions?

OWTF - github.com/owtf/owtf

Visit owtf.org or owtf.github.io for more information!
