Offensive Web Testing Framework

OWASP OWTF makes security assessments as efficient as possible by automating the manual, uncreative part of penetration testing while still supporting OWASP, NIST, and PTES methodologies out of the box.

  • OWASP flagship project
  • 100+ plugins and integrations
  • Interactive reporting after every scan

Quick start
pip install git+https://github.com/owtf/owtf#egg=owtf
owtf --ui

# Docker
make docker-build && make docker-run

Responsive web interface

Configure and monitor OWTF through the browser-based UI included with the project.

Plugin-driven automation

Extend OWTF by adding plugins that orchestrate your favourite assessment tools and workflows.

Works across platforms

Run OWTF anywhere Docker is available, including Windows and macOS environments.

Capabilities

Automation that respects human-driven testing.

OWTF focuses on automating repetitive work while keeping analysts in control. The project is built around extensible plugins and tooling support maintained by the community.

Easy to use

Use the built-in web UI to configure and monitor assessments, and access RESTful APIs for all core capabilities.

  • Responsive management interface
  • REST APIs for automation

Unites popular tools

OWTF scrubs the output of every plugin for URLs, so what one tool discovers is available to the others, and lets you choose the aggression level at which your toolkit is run.

  • Plugin-based orchestration
  • Multiple aggression levels

Use OWTF anywhere

Run the official Docker image on any platform Docker supports so teams can work from Windows, macOS, or Linux.

  • Docker support
  • Cross-platform workflow

Standards & workflow

Keep methodology, automation, and reporting in sync.

From methodology alignment to evidence delivery, OWTF keeps the flow of a web security assessment organised without sacrificing the analyst’s judgement.

Support established testing standards

OWTF provides out-of-the-box support for the OWASP Testing Guide as well as the NIST and PTES standards, helping teams align with recognised methodologies.

  • OWASP Testing Guide coverage
  • NIST-aligned workflows
  • PTES-ready profiles

Automate repeatable tasks

Gather URLs by scrubbing plugin output, trigger scans by aggression level, and extend coverage by adding new tools through plugins.

  • URL harvesting from tools
  • Aggression-level based scans
  • Extensible plugin system
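The URL-harvesting step described above and under "Unites popular tools" (scrub tool output for URLs, then hand them to the next scan) as an added Python example. This is not OWTF's own code and does not use its plugin API; the tool output, the scope list (example.com) and the helpers harvest, normalize and in_scope are constructed for illustration. It goes one step beyond the page by adding an in-scope filter, so that look-alike hosts found in tool output are not fed back to the scanners.

```python
"""Harvest in-scope URLs from raw tool output.

Added example (not OWTF project code). Demonstrates the "scrub plugin output
for URLs" step: extract absolute URLs from whatever a tool printed, canonicalise
them so near-duplicates collapse, and keep only hosts inside the agreed scope
before anything is handed to the next scanner.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit

# Absolute http(s) URLs; the class stops at whitespace, quotes and angle
# brackets so URLs embedded in HTML attributes or log lines come out whole.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Punctuation that tools and prose commonly leave glued to the end of a URL.
TRAILING_JUNK = ".,;:)]}'\""

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(raw: str) -> str | None:
    """Canonicalise one URL, or return None if it is not usable.

    Lower-cases scheme and host, drops default ports and fragments, ensures
    a path, and strips trailing punctuation. A malformed port makes the
    whole URL unusable rather than silently mangled.
    """
    parts = urlsplit(raw.rstrip(TRAILING_JUNK))
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname.lower()
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def in_scope(host: str, scope: frozenset[str]) -> bool:
    """True if host is a scoped domain or a subdomain of one.

    The dot-prefixed suffix test is what rejects look-alikes such as
    evil-example.com or example.com.attacker.net.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in scope)


def harvest(tool_output: str, scope: frozenset[str]) -> list[str]:
    """Return the sorted, de-duplicated in-scope URLs found in tool_output."""
    found: set[str] = set()
    for match in URL_RE.finditer(tool_output):
        url = normalize(match.group(0))
        if url is None:
            continue
        if not in_scope(urlsplit(url).hostname or "", scope):
            continue  # never feed out-of-scope hosts to the next scanner
        found.add(url)
    return sorted(found)


# Constructed sample: a mix of crawler-style lines and raw HTML, not real output.
SAMPLE_OUTPUT = """\
[+] 200 https://WWW.Example.com:443/login (text/html)
[+] 301 http://www.example.com/old -> https://www.example.com/new.
<a href="https://api.example.com/v1/users#top">users</a>
Found link: https://example.com/docs/,
Out of scope: https://cdn.thirdparty.net/lib.js
Look-alikes: https://evil-example.com/ and https://example.com.attacker.net/
"""
SCOPE = frozenset({"example.com"})

if __name__ == "__main__":
    for url in harvest(SAMPLE_OUTPUT, SCOPE):
        print(url)
```

Running the module prints five canonical URLs: the mixed-case host and explicit :443 collapse onto the plain https form, the fragment and trailing punctuation are dropped, and the CDN host and both look-alike domains are rejected by the scope check.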

Report findings with context

OWTF concludes each scan with a comprehensive interactive report so teams can explore evidence and prioritise remediation.

  • Interactive reporting
  • Evidence tracking
  • Team-ready summaries

Get started

Run OWTF today.

These commands mirror the official quick-start guidance so you can install OWTF from source, use the Docker tooling, and open the web UI without extra setup.

pip install git+https://github.com/owtf/owtf#egg=owtf

Install the latest code straight from the official repository. This tracks the default branch; for a reproducible install, pin a release tag or commit with pip's @ref syntax (git+https://github.com/owtf/owtf@<tag>#egg=owtf) and record the ref you used alongside the assessment.

make docker-build && make docker-run

Build and launch the Docker environment provided by the project.

owtf --ui

Access the web interface on http://localhost:8009 for live control. The UI launches scans against your targets, so keep it bound to localhost (or behind an authenticated reverse proxy) rather than exposing port 8009 on a shared network.