v2.1a (March 21, 2017)

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many stability and bug fixes. The entire codebase has been refactored to PEP8 (with some custom checks and modified requirements) standards.

New features

  • A revamped installation process, using virtualenv.
  • Moved all user configuration to ~/.owtf/<configuration>.
  • Added a Dockerfile to test OWTF on unsupported systems (macOS and Windows).

Bug fixes

  • Removes old / unused / dead code.
  • Lots of PEP-8 changes.
  • Resolves an old proxy bug in https://github.com/owtf/owtf/commit/e1ba544f1fa9aaedd2d1c90b92ab3f27a6224905.
  • Resolves many proxy SSL errors
  • Fixed severity labels in the UI
  • Improved helper scripts for setting up OWTF
  • Fixed Debian installation scripts to point to Kali rolling.
  • Fixed SIGINT errors in SSL testing scripts.
  • Deprecate support for SamuraiWTF distribution.

View the full changelog here.


v2.0a (May 14, 2016)

IMPORTANT: Migrating from 1.0.1 to 2.0a includes breaking changes and requires a complete DB clean and initialisation - use the installer and the script scripts/db_setup.sh to do that.
NOTE: This will delete all OWTF data from the database, so take a backup if you want ;) bash scripts/db_setup.sh clean bash scripts/db_setup.sh init python install/install.py

If you are already on the develop branch , you can directly pull the latest changes.

This release includes many new features and countless bug fixes. This release would not have been possible without the help of a number of pre-GSoC contributors, mentors, and everybody who sent us cool ideas, feedback or reported bugs. In particular, this release is dedicated to our Indian contributors without whom this release would not have been possible.

Important Features and fixes

  • Kali 2.x support
  • Functional tests suite included => build passing(!) <=> Tao Sauvage (@DePierre)
  • Progress bar added to the web interface <=> Anshul Singhal (@saganshul)
  • HTTPrint signatures updated <=> Rahul Pratap Singh (@RahulPratapSingh)
  • Updated CMS Explorer lists <=> Viyat Bhalodia (@delta24)
  • Minimal auxiliary plugin support added back <=> Amit Gupta (@Darknight–)
  • SSL Labs API integration <=> Pau Ferrer Cid (@pauTE)
  • Resolves SQLAlchemy deadlock and improved proxy handling <=> Viyat Bhalodia (@delta24)
  • Fixes all Metasploit plugin functionality <=> Amit Gupta (@Darknight–)
  • General UI improvements <=> Ayush Singh (@DoomTaper), Anshul Singhal (@saganshul), Sachin Kamath (@sachinkamath)
  • CWE and OWASP Top 10 mappings <=> Amit Gupta (@Darknight–)
  • Improved worker UI controls = adds Pause All, Resume All functionality <=> Viyat Bhalodia (@delta24)
  • Supports Debian-based distributions <=> Wes Renshaw (@C0smos), Karan Desai (@karandesai-96), Sachin Kamath (@sachinkamath)

Full Changelog

Implemented enhancements:

  • xxx_testgroups.cfg should be moved to /profiles #670
  • OWTF takes few steps to start #638
  • Session Modal breaks for large session names #635
  • Check for tools before running commands #632
  • Adding Issue and Pull Request templates #599
  • Debian and Samurai install scripts are not executable. #573
  • Increase readability of manual installation output on terminal. #564
  • Installer Issues #534
  • Passive google searches should use @@@domain@@@ instead of @@@host_path@@@ #529
  • Increase proxy CA security #526
  • Add https://censys.io/ to the passive search #523
  • install/install.py skip sudo password #519
  • Using a remote server #510
  • potential command to add to the install scripts (develop branch) #473
  • Timestamps not present in transaction log #472
  • Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467
  • External XSS plugin resource: XSS Payloads #466
  • What is the hurdle in doing passive scan’s #464
  • Rank should collapse the plugin, at least in some cases #459
  • Suggested improvements for the transaction log #458
  • Integration with punk spider for passive tests #457
  • Clean up colours from various tools prior to saving it in a file #456
  • Export targets feature (UI) #454
  • Lack of filters on target page (UI) #453
  • Improve curl commands #446
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Add “Pause All / Resume All” to the worker monitoring #440
  • Review OWTF CPU usage post-DirBuster #437
  • Smarter Runner #430
  • Unable to “delete all” from worklist on UI #427
  • OWTF should check if postgresql client is installed as well #413
  • External Command Injection plugin link #412
  • Mobile responsive #406
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • Settings > HTTP AUTH #369
  • Setup gemnasium #358
  • Worklist search boxes should not be case sensitive #355
  • Automated Bug reporter improvement #352
  • Possible improvement for the UI worker buttons #350
  • Minor intuitiveness improvements #349
  • Arachni changed from –user-agent to –http-user-agent #347
  • Ensure running postgres before running install script #337
  • Issues on Ubuntu #334
  • OWTF should check if postgres is running #311
  • [zest] Updating the zest jars #293
  • [wapiti] HTML report is not available anymore #287
  • Display logs in the webUI #271
  • Installed Tool Validation Project #249
  • Run plugins pop up window improvement (UI branch) #243
  • Generate script for creating CA custom OpenVAS during installation #170
  • Explore CMS-Explorer dictionary alternatives for best results #119
  • Moving external plugin reports away from targets subreports #111
  • Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108
  • Form-based authentication #90
  • owtf auto-update option #31
  • filter by severity feature added #576 (saganshul)

Fixed bugs:

  • PostgreSQL Fix in db_setup.sh should use SHOW config_file; #669
  • PostgreSQL Fix in db_setup.sh restarts postgresql daemon in any case #668
  • ConfigDB silently fails when default.cfg not found #666
  • Bash ‘which’ error in db_setup.sh script #662
  • Improper Set-Cookie header handling in proxy #582
  • Same rank cannot be given to a plugin twice #570
  • Listing plugins option (-l) not working #556
  • Plugin Filter Display not working properly #547
  • Proxy errors (silent) in logs #528
  • Workers do not pick items from worklist #527
  • Unable to open directory from browser #525
  • Error calling make_dirs when a long URL is passed #521
  • [develop] plugin getting stuck stops the whole scan… #515
  • Getting error while running plugins. Error “Oops! Server replied: Bad Request” #481
  • The grep stats for header matche percent are incorrect #470
  • UI doesn’t cope with multiple simultaneous tabs / actions? :P #455
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Bug - “Ops unable to add some targets” #443
  • BUG in “Testing For Ssl-Tls” plugin in latest Kali #442
  • Directory Brute-forcing should be towards the end of the scan #441
  • postgres “idle in transaction” processes occasionally spike CPU usage #438
  • Ocassional Crash after running skipfish #435
  • Occassional failure to close children processes #434
  • Target shuffling #433
  • Bug in MiTM proxy Cookie parser #428
  • Unreasonable use of CPU/memory by postgres / owtf processes #426
  • Nikto plugin not realising when nikto has finished #422
  • bootstrap.sh Fails while Installing in Kali #416
  • ValueError when OWTF is run without postgresql properly configured #414
  • OWTF should check if postgresql client is installed as well #413
  • Add target UI issue #405
  • OWTF-DV-004 semi passive no output #404
  • Transaction Logger Bug #403
  • Adding a Target Issue #402
  • [develop] User overriding the 2nd plugin of a test case to Passing won’t update the test case #400
  • Create Zest Script Error #383
  • [develop] -f does not work #379
  • [develop] Can’t run OWTF more than once against the same target #378
  • [develop] -e does not work when using the CLI #377
  • [develop] -t does not work with -o when using the CLI #376
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • [develop] CLI listing plugins fails #366
  • [develop] Pressing ‘n’ when some tools were not found does not abort OWTF #365
  • [develop] TypeError when assigning a ranking #362
  • wrong permissions on /root/owtf/scripts/db_run.sh? #360
  • Recommended download method fails if bootstrap.sh exists #359
  • Arachni changed from –user-agent to –http-user-agent #347
  • Ensure running postgres before running install script #337
  • Proxychains command investigation #318
  • Workers can be set to Zero #306
  • The report has messy owtf commands with proxychains config #275
  • Bug in install script #259
  • Bug in bug reporter :P #228
  • multiprocessing deadlock #224
  • [lions_2014] Workers disappear sometimes. #223
  • MiTM proxy bug: Secure Connection Failed #222
  • Issues on execution flow UI: Command zombies and inability to stop individual commands #97
  • multiprocessing deadlock #93
  • Don’t run internet resources against intranet sites #37

Closed issues:

  • PostgreSQL Fix in db_setup.sh out-dated? #667
  • list plugin command (-l) for auxiliary plugins not working #647
  • Fix run_tlssled.sh permission #645
  • Bug in progress bar #644
  • Dirbuster Plugin not working #642
  • Re-running plugin from GUI not working properly #639
  • keyboard Interrupt Exception Handling #637
  • Reflected XSS Vulnerability #613
  • File Redundancy #609
  • Verify distribution during installation #607
  • UI Add Targets button bug #605
  • Dependency checks , libraries Should be Installed Automatically. #604
  • Error 301 on fetching updates #603
  • Connection reset by peer - wget #592
  • Suppress apt-get confirmations #585
  • Initial Update #584
  • Db query filter should be updated according to current database #579
  • Installation problem on ubuntu #566
  • IDE specific auto-generated files need to be in gitignore. #562
  • README - GSoC 2016 wiki link broken #561
  • Added SVN-Extractor (issue #485) #550
  • Installation in Kali is not working correctly #544
  • Metagoofil missing in Kali 2.x #542
  • Should run aptitude update before trying to install any packages #540
  • Missing libraries #531
  • Pip Import Error Kali Install #520
  • OWTF develop branch install error in Kali Linux 2.0 #516
  • [develop] broken cookie parser #514
  • [develop] cannot launch any web plugins… #513
  • [develop] crash after install on latest kali: column test_groups.priority does not exist #512
  • owtf install on Kali2 fails - cryptography #509
  • Not giving alternative ips #506
  • Command Execution possible using ‘&’ character in argument #503
  • url encoding not working on command line interface #499
  • Error in handling special characters in url #496
  • url check not working properly #494
  • “msfcli” no longer in metasploit #491
  • Installer fails on latest Kali (develop branch) #474
  • DNSpider will not download #471
  • Metasploit msfcli is deprecated. OWTF plugins should be updated. #469
  • Evaluate the use of extracting URIs from different file inputs #468
  • XSS reports on http://xssposed.org/ #465
  • multiple responsive web ui issues #463
  • Can you guys add feature to scan I2P sites? Eepsites. #461
  • Add Flashbang to OWTF #445
  • Modify run_w3af.sh so that buffer overflow tests are DISABLED #436
  • Clean-up the merged dictionary (duplicate entries) #432
  • Selected pagination setting is not remembered on home page #431
  • Remove websecurify #420
  • Display start time on the worker summary screen #419
  • Installation Issue #409
  • Add Targets more responsive #407
  • SSL Labs Upgrade with new API access #401
  • replace msfcli with msfconsole -x or -r #399
  • Lionhearted won’t launch after install on Kali 1.09 #398
  • error on bootstrap #397
  • redisgned homepage #396
  • option -t not working on develop #390
  • Owtf not starting #385
  • Create docker container for OWTF #382
  • Owtf not working properly with latest version of pip #380
  • Show progress of scan #373
  • Selecting plugs-ins #372
  • Open links in a new tab #371
  • Settings > TOOLS #370
  • Fix permissions #368
  • DNSpider is called with arguments that include the URL scheme #364
  • bootstrap.sh checksum doesn’t match download page #363
  • Web UI icons text pop-up (hovering over explanation) #361
  • “ImportError: No module named adapters” during install #357
  • [Auto-Generated] Minor issue: /bin/sh: 1: /home/valentino/frame/owtf/scripts/extract_urls.sh: Permission denied is not a valid URL and has been ignored, processing continues #353
  • [Auto-Generated] Plugin grep/Application_Configuration_Management@OWASP-CM-004.py failed for target http://some.target.com #351
  • python version to use? #346
  • db.cfg path error. #345
  • Installation fails on Kali Linux #344
  • Debug notes in Installation Script #340
  • Installation fails on Samurai WTF #339
  • improved sslscan #329
  • [Auto-Generated] ValueError: invalid literal for int() with base 10: ‘’ #320
  • [Auto-Generated] Plugin active/HTTP_Methods_and_XST@OWASP-CM-008.py failed for target http://some.target.com #319
  • OWASP Top 10 Mapping #304
  • github.io AND interactive report top SCA tools by platform #303
  • Dependencies Update Option #300
  • [Auto-Generated] Plugin grep/Credentials_transport_over_an_encrypted_channel@OWASP-AT-001.py failed for target http://some.target.com #272
  • [Auto-Generated] Plugin active/Testing_for_SSL-TLS@OWASP-CM-001.py failed for target http://some.target.com #270
  • Current OWTF’s cookies manager is broken #256
  • [Auto-Generated] Unknown owtf error #248
  • CWE compatibility #217
  • OWTF Demos redirects to 404 page. #206
  • OWTF Installation Improvement #192
  • PEP8 Pre-Commit Hook #191
  • Checking for Internal IP Disclosure vunerabilities #165
  • Evaluate the value of OWASP O-shaft and decide if is worth adding to OWTF or not #120
  • Investigate integration with Vivek’s search engine #116
  • Mitigation boiler plate DB #91
  • Travis CI is still broken.. #82
  • Zest integration #49
  • Malego-like transforms for OWTF #35
  • would be nice some listings… #3

Merged pull requests:


v1.0.1 (October 14, 2014)

  • Fixed a major installation bug caused due to wrong handling of requirements by pip

v1.0 (October 05, 2014)


[v0.45.0Winter_Blizzard](https://github.com/owtf/owtf/releases/tag/v0.45.0_Winter_Blizzard) _(January 13, 2014)

DEDICATION

  • GSoC 2013 & OWTF CFP Students
    • Alessandro Fanio Gonzalez (@alessandrofg),
    • Ankush Jindal (@ankushjindal278),
    • Assem Chelli (@assem-ch),
    • Bharadwaj Machiraju (@tunnelshade),
    • Marios Kourtesis (@marioskourtesis),
  • Their mentors:
    • Andrés Morales,
    • Andrés Riancho,
    • Gareth Heyes,
    • Krzysztof Kotowicz (@koto),
  • Their co-mentors:
    • Abraham Aranguren (@7a),
    • Azeddine Islam Mennouchi (@islamoc),
    • Hani Benhabiles (@kroosec),
    • Javier Marcos de Prado,
    • Johanna Curiel,
    • Martin Johns.

Features :

  • OWTF can now be updated using a command line flag <=> Bharadwaj Machiraju (@tunnelshade)
  • Few tools are proxified through OWTF inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Httprint signatures updated (still updating) <=> Azeddine Islam Mennouchi
  • Plug-n-Hack Phase I implemented in OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Travis CI service is under usage for tests <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • OWTF Inbound proxy is made capable of websocket traffic proxying <=> Bharadwaj Machiraju (@tunnelshade)
  • HTTP AUTH support is implemented in OWTF Inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • User can run multiple instances of OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Outbound socks proxy support implemented <=> Marios Kourtesis (@marioskourtesis)
  • Added nmap to WAF checks <=> Abraham Aranguren (@7a_)
  • Tor mode added to OWTF <=> Marios Kourtesis (@marioskourtesis)
  • New Installation procedure added to OWTF <=> Bharadwaj Machiraju (@tunnelshade)

Enhancements :

  • Spiders, Robots and Crawlers grep plugin added <=> Bharadwaj Machiraju (@tunnelshade)
  • Web Services passive discovery plugin improved <=> Bharadwaj Machiraju (@tunnelshade)
  • Added and fixed some tests for plugins <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • 40+ Bug fixes

[v0.30Summer_Storm_II](https://github.com/owtf/owtf/releases/tag/v0.30_Summer_Storm_II) _(August 10, 2013)

DEDICATION

  • GSoC 2013 Students
    • Alessandro Fanio Gonzalez (@alessandrofg),
    • Ankush Jindal (@ankushjindal278),
    • Assem Chelli (@assem-ch),
    • Bharadwaj Machiraju (@tunnelshade),
  • Their mentors:
    • Andrés Morales,
    • Andrés Riancho,
    • Gareth Heyes,
    • Krzysztof Kotowicz (@koto),
  • Their co-mentors:
    • Abraham Aranguren (@7a),
    • Azeddine Islam Mennouchi (@islamoc),
    • Hani Benhabiles (@kroosec),
    • Javier Marcos de Prado,
    • Johanna Curiel,
    • Martin Johns.

CHANGELOG

  • Extracting the HTML generated by the reporting system from Python modules into independent Jinja2 template files <==> Assem Chelli (@assem-ch)
  • Added some features to the Testing Framework. Added tests that cover approximately the 45% of the code of the OWTF Framework. <==> Alessandro Fanio Gonzalez (@alessandrofg)
  • Added support for test coverage reports and test logs in HTML. <==> Alessandro Fanio Gonzalez (@alessandrofg)
  • Spawing multiple processes on the basis of targets and then handling the input, stopping of the targets <==> Ankush Jindal(@ankushjindal278)
  • Centerlized log function <==> Ankush Jindal(@ankushjindal278)
  • Generic messaging system with pull and push facility differently and database handler to use messaging for DB transaction in multiprocessing<==> (@ankushjindal278)
  • Draft inbound proxy is replaced by a new inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Inbound proxy is capable of caching and saving the transactions <=> Bharadwaj Machiraju (@tunnelshade)
  • Inbound proxy is capable of cookie filters. <=> Bharadwaj Machiraju (@tunnelshade)