Fork me on GitHub

Offensive Web Testing Framework

OWASP OWTF is a project that aims to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing. It provides out-of-box support for the OWASP Testing Guide, the NIST and the PTES standards.

Easy to Use

  • Web UI: Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
  • Exposes RESTful APIs to all core OWTF capabilties.
  • Unites popular tools

  • Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
  • Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
  • Extensible OWTF manages tools through 'plugins' making it trivial to add new tools.
  • Use OWTF anywhere!

  • OWTF provides a Dockerfile to run on any platform Docker supports!
  • A new Docker Compose version coming soon...



  • Fastest Python MiTM proxy yet!

    Comprehensive interactive report at end of each scan

    Easy plugin-based system; currently 100+ plugins!

    CLI and web interface





    Video: Release preview





    Tested on Browserstack




    Getting started with OWTF!

    pip install git+https://github.com/owtf/owtf#egg=owtf or clone the repo and python setup.py install

    To run OWTF on Windows or MacOS, use the Dockerfile (requires Docker installed) provided to try OWTF:

    • make docker-build && make docker-run
    • Open ~/.owtf/conf and change SERVER_ADDR: 127.0.0.1 to SERVER_ADDR: 0.0.0.0.
    • Create a virtualenv, virtualenv env and activate it source env/bin/activate.
    • Install and run OWTF.
    • cd owtf/; python setup.py develop && python -m owtf
    • Open localhost:8009 for OWTF web interface.