Pentesting like a grandmaster with owtf

Page 1

Pentest like a Grandmaster with OWTF

Viyat Bhalodia

OWASP OWTF Project co-lead

[email protected]

Page 2

Offensive Web Testing Framework

● Written mostly in Python

● Originally started by Abraham Aranguren (@7a_, Cure53)

● Highly extensible with plugins (default and user-defined!)

● Based heavily on OWASP, NIST and PTES testing standards

● Introduced at BruCon, BSides London, BSides Berlin and OWASP AppSecEU.

● One of OWASP’s highly active, mature flagship projects!

● Why? tl;dr: pentester efficiency, and reducing the boring parts of the engagement

Page 3

Funded by

● OWASP

● Google (through Google Summer of Code 2013, 2014, 2016)

● BruCon

● ElearnSecurity

● Cure53

Used by security teams around the world including Cure53, Google Zurich, Samsung security team!

Page 4

Pentester requirements for a framework

- Automate the uncreative part of pentests like trying to remember how to launch tool ‘X’ or how to parse and feed the output of tool ‘X’ to tool ‘Y’.

- Organize the findings according to a testing guide such as OWASP, NIST, etc., so the guide can be used as a checklist.

- Classify tests based on aggression levels to prepare ahead of time.

- Provide the ability to rank the findings and add notes to the report

- Analyse each and every HTTP transaction and make it searchable.

- Act as a store of all useful online tools, dorks, PoCs and resources.

- Allow us to think and not get in our way <— important!

Page 5

Chess player approach

Chess players:

• Memorise openings
• Memorise endings
• Memorise entire lines of attack/defence
• Try hard to analyse games efficiently

Pentester translation:

1. Find + prep exploits for opponent weaknesses

2. Precompute an obscure opening: best replies analysed for weeks

Page 6

Efficient Analysis

From Alexander Kotov (famous chess player) - "Think like a Grandmaster":

1. Draw up a list of candidate moves (3-4): 1st sweep (not deep)

- Draw up a list of candidate paths of attack

2. Analyse each variation only once (!): 2nd sweep (deep)

- Analyse [tool output + other info] once and only once

3. After steps 1 and 2, make a move

- After 1) and 2), exploit the best path of attack

Page 7

Putting it all together in OWASP OWTF

Page 8

tl;dr: OWTF’s chess-like approach

Run tools

- theHarvester, wpscan
- Nikto, whatweb
- Skipfish, w3af
- Arachni

Run tests directly

- Crafted requests
- Header searches
- HTTP response grepping
- Server type, version

Knowledge base

- PoC links
- Resource links
- Testing guide mappings

Help user analysis

- Automated rankings
- User notes
- User rankings
- Interactive report

Page 9

Plugin classification

Plugin groups: Web, Net, Auxiliary

Plugin types:

- Passive: no traffic to the target

- Semi-passive: normal traffic to the target

- Active: active vulnerability probing

- Grep: complements semi-passive plugins

- External: external resources
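The "HTTP response grepping" and "Server type, version" items on the tl;dr slide and the grep plugin type above describe the same idea: analyse the transactions a semi-passive crawl has already stored, once, without sending any new traffic to the target. The Python below is an added example written for this page to illustrate that kind of check; it is not OWTF's own plugin code or plugin API. The transaction dict layout, the sample headers, and the three checklist items (banner disclosure, missing hardening headers, cookie without HttpOnly) are constructed assumptions for the example.

```python
import re

# Constructed sample of stored HTTP transactions, shaped like what a
# semi-passive crawl might have recorded. Made up for this example.
SAMPLE_TRANSACTIONS = [
    {"url": "http://target.example/",
     "headers": {"Server": "Apache/2.4.41 (Ubuntu)",
                 "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"}},
    {"url": "http://target.example/login",
     "headers": {"Server": "Apache/2.4.41 (Ubuntu)",
                 "Set-Cookie": "PHPSESSID=abc123; Path=/",
                 "Content-Type": "text/html"}},
    {"url": "http://target.example/static/app.js",
     "headers": {"Server": "nginx",
                 "Content-Type": "application/javascript",
                 "Strict-Transport-Security": "max-age=31536000",
                 "X-Content-Type-Options": "nosniff"}},
]

# Response headers that commonly disclose product and version.
BANNER_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

# Splits "Apache/2.4.41 (Ubuntu)" into product "Apache", version "2.4.41".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.\-]*)(?:/(?P<version>[\w.\-]+))?")

# Hardening headers whose absence is worth a checklist note (assumed list).
EXPECTED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options")


def parse_banner(value):
    """Return (product, version or None) from a banner header value."""
    match = BANNER_RE.match(value.strip())
    if match is None:
        return (value.strip(), None)
    return (match.group("product"), match.group("version"))


def grep_transaction(tx):
    """Grep-style checks over one stored transaction; sends no traffic."""
    findings = []
    # Header names are case-insensitive, so normalise before lookup.
    headers = {name.lower(): value for name, value in tx["headers"].items()}
    for name in BANNER_HEADERS:
        value = headers.get(name.lower())
        if value:
            product, version = parse_banner(value)
            findings.append({"url": tx["url"], "check": "banner",
                             "header": name, "product": product,
                             "version": version})
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append({"url": tx["url"], "check": "missing-header",
                             "header": name})
    cookie = headers.get("set-cookie")
    if cookie and "httponly" not in cookie.lower():
        findings.append({"url": tx["url"], "check": "cookie-no-httponly",
                         "header": "Set-Cookie"})
    return findings


def summarize_banners(transactions):
    """Collapse banner findings from every transaction into one table, so
    each product/version pair is analysed once rather than once per URL."""
    counts = {}
    for tx in transactions:
        for finding in grep_transaction(tx):
            if finding["check"] == "banner":
                key = (finding["product"], finding["version"])
                counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        for finding in grep_transaction(tx):
            print(finding)
    print(summarize_banners(SAMPLE_TRANSACTIONS))
```

The per-transaction function is where a grep-style check lives; the summary step is the "analyse once" idea from the Kotov slide applied to tool output, since a report wants one line per disclosed product/version rather than one per URL.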

Page 10

Demo time!

Page 11

Questions?

OWTF - github.com/owtf/owtf

Visit owtf.org or owtf.github.io for more information!