Skip to content

Latest commit

 

History

History
909 lines (865 loc) · 103 KB

CHANGELOG.md

File metadata and controls

909 lines (865 loc) · 103 KB
Raw

v2.0a Tikka Masala

Full Changelog

Implemented enhancements:

  • xxx_testgroups.cfg should be moved to /profiles #670
  • OWTF takes few steps to start #638
  • Session Modal breaks for large session names #635
  • Check for tools before running commands #632
  • Adding Issue and Pull Request templates #599
  • Debian and Samurai install scripts are not executable. #573
  • Increase readability of manual installation output on terminal. #564
  • Installer Issues #534
  • Passive google searches should use @@@domain@@@ instead of @@@host_path@@@ #529
  • Increase proxy CA security #526
  • Add https://censys.io/ to the passive search #523
  • install/install.py skip sudo password #519
  • Using a remote server #510
  • potential command to add to the install scripts (develop branch) #473
  • Timestamps not present in transaction log #472
  • Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467
  • External XSS plugin resource: XSS Payloads #466
  • What is the hurdle in doing passive scan's #464
  • Rank should collapse the plugin, at least in some cases #459
  • Suggested improvements for the transaction log #458
  • Integration with punk spider for passive tests #457
  • Clean up colours from various tools prior to saving it in a file #456
  • Export targets feature (UI) #454
  • Lack of filters on target page (UI) #453
  • Improve curl commands #446
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Add “Pause All / Resume All” to the worker monitoring #440
  • Review OWTF CPU usage post-DirBuster #437
  • Smarter Runner #430
  • Unable to “delete all” from worklist on UI #427
  • OWTF should check if postgresql client is installed as well #413
  • External Command Injection plugin link #412
  • Mobile responsive #406
  • [develop] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl_match_hostname #374
  • Settings > HTTP AUTH #369
  • Setup gemnasium #358
  • Worklist search boxes should not be case sensitive #355
  • Automated Bug reporter improvement #352
  • Possible improvement for the UI worker buttons #350
  • Minor intuitiveness improvements #349
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Issues on Ubuntu #334
  • OWTF should check if postgres is running #311
  • [zest] Updating the zest jars #293
  • [wapiti] HTML report is not available anymore #287
  • Display logs in the webUI #271
  • Installed Tool Validation Project #249
  • Run plugins pop up window improvement (UI branch) #243
  • Generate script for creating CA custom OpenVAS during installation #170
  • Explore CMS-Explorer dictionary alternatives for best results #119
  • Moving external plugin reports away from targets subreports #111
  • Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108
  • Form-based authentication #90
  • owtf auto-update option #31
  • filter by severity feature added #576 (saganshul)

Fixed bugs:

  • PostgreSQL Fix in db_setup.sh should use SHOW config_file; #669
  • PostgreSQL Fix in db_setup.sh restarts postgresql daemon in any case #668
  • ConfigDB silently fails when default.cfg not found #666
  • Bash 'which' error in db_setup.sh script #662
  • Improper Set-Cookie header handling in proxy #582
  • Same rank cannot be given to a plugin twice #570
  • Listing plugins option (-l) not working #556
  • Plugin Filter Display not working properly #547
  • Proxy errors (silent) in logs #528
  • Workers do not pick items from worklist #527
  • Unable to open directory from browser #525
  • Error calling make_dirs when a long URL is passed #521
  • [develop] plugin getting stuck stops the whole scan... #515
  • Getting error while running plugins. Error "Oops! Server replied: Bad Request" #481
  • The grep stats for header matche percent are incorrect #470
  • UI doesn't cope with multiple simultaneous tabs / actions? :P #455
  • CPU spikes: Lack of Indexing on OWTF db? #444
  • Bug - "Ops unable to add some targets” #443
  • BUG in “Testing For Ssl-Tls” plugin in latest Kali #442
  • Directory Brute-forcing should be towards the end of the scan #441
  • postgres “idle in transaction” processes occasionally spike CPU usage #438
  • Ocassional Crash after running skipfish #435
  • Occassional failure to close children processes #434
  • Target shuffling #433
  • Bug in MiTM proxy Cookie parser #428
  • Unreasonable use of CPU/memory by postgres / owtf processes #426
  • Nikto plugin not realising when nikto has finished #422
  • bootstrap.sh Fails while Installing in Kali #416
  • ValueError when OWTF is run without postgresql properly configured #414
  • OWTF should check if postgresql client is installed as well #413
  • Add target UI issue #405
  • OWTF-DV-004 semi passive no output #404
  • Transaction Logger Bug #403
  • Adding a Target Issue #402
  • [develop] User overriding the 2nd plugin of a test case to Passing won't update the test case #400
  • Create Zest Script Error #383
  • [develop] -f does not work #379
  • [develop] Can't run OWTF more than once against the same target #378
  • [develop] -e does not work when using the CLI #377
  • [develop] -t does not work with -o when using the CLI #376
  • \[develop\] OWTF should start NET plugins when target is an IP #375
  • ImportError: No module named backports.ssl\_match\_hostname #374
  • [develop] CLI listing plugins fails #366
  • [develop] Pressing 'n' when some tools were not found does not abort OWTF #365
  • [develop] TypeError when assigning a ranking #362
  • wrong permissions on /root/owtf/scripts/db_run.sh? #360
  • Recommended download method fails if bootstrap.sh exists #359
  • Arachni changed from --user-agent to --http-user-agent #347
  • Ensure running postgres before running install script #337
  • Proxychains command investigation #318
  • Workers can be set to Zero #306
  • The report has messy owtf commands with proxychains config #275
  • Bug in install script #259
  • Bug in bug reporter :P #228
  • multiprocessing deadlock #224
  • [lions_2014] Workers disappear sometimes. #223
  • MiTM proxy bug: Secure Connection Failed #222
  • Issues on execution flow UI: Command zombies and inability to stop individual commands #97
  • multiprocessing deadlock #93
  • Don't run internet resources against intranet sites #37

Closed issues:

  • PostgreSQL Fix in db_setup.sh out-dated? #667
  • list plugin command (-l) for auxiliary plugins not working #647
  • Fix run_tlssled.sh permission #645
  • Bug in progress bar #644
  • Dirbuster Plugin not working #642
  • Re-running plugin from GUI not working properly #639
  • keyboard Interrupt Exception Handling #637
  • Reflected XSS Vulnerability #613
  • File Redundancy #609
  • Verify distribution during installation #607
  • UI Add Targets button bug #605
  • Dependency checks , libraries Should be Installed Automatically. #604
  • Error 301 on fetching updates #603
  • Connection reset by peer - wget #592
  • Suppress apt-get confirmations #585
  • Initial Update #584
  • Db query filter should be updated according to current database #579
  • Installation problem on ubuntu #566
  • IDE specific auto-generated files need to be in gitignore. #562
  • README - GSoC 2016 wiki link broken #561
  • Added SVN-Extractor (issue #485) #550
  • Installation in Kali is not working correctly #544
  • Metagoofil missing in Kali 2.x #542
  • Should run aptitude update before trying to install any packages #540
  • Missing libraries #531
  • Pip Import Error Kali Install #520
  • OWTF develop branch install error in Kali Linux 2.0 #516
  • [develop] broken cookie parser #514
  • [develop] cannot launch any web plugins... #513
  • [develop] crash after install on latest kali: column test_groups.priority does not exist #512
  • owtf install on Kali2 fails - cryptography #509
  • Not giving alternative ips #506
  • Command Execution possible using '&' character in argument #503
  • url encoding not working on command line interface #499
  • Error in handling special characters in url #496
  • url check not working properly #494
  • "msfcli" no longer in metasploit #491
  • Installer fails on latest Kali (develop branch) #474
  • DNSpider will not download #471
  • Metasploit msfcli is deprecated. OWTF plugins should be updated. #469
  • Evaluate the use of extracting URIs from different file inputs #468
  • XSS reports on http://xssposed.org/ #465
  • multiple responsive web ui issues #463
  • Can you guys add feature to scan I2P sites? Eepsites. #461
  • Add Flashbang to OWTF #445
  • Modify run_w3af.sh so that buffer overflow tests are DISABLED #436
  • Clean-up the merged dictionary (duplicate entries) #432
  • Selected pagination setting is not remembered on home page #431
  • Remove websecurify #420
  • Display start time on the worker summary screen #419
  • Installation Issue #409
  • Add Targets more responsive #407
  • SSL Labs Upgrade with new API access #401
  • replace msfcli with msfconsole -x or -r #399
  • Lionhearted won't launch after install on Kali 1.09 #398
  • error on bootstrap #397
  • redisgned homepage #396
  • option -t not working on develop #390
  • Owtf not starting #385
  • Create docker container for OWTF #382
  • Owtf not working properly with latest version of pip #380
  • Show progress of scan #373
  • Selecting plugs-ins #372
  • Open links in a new tab #371
  • Settings > TOOLS #370
  • Fix permissions #368
  • DNSpider is called with arguments that include the URL scheme #364
  • bootstrap.sh checksum doesn't match download page #363
  • Web UI icons text pop-up (hovering over explanation) #361
  • "ImportError: No module named adapters" during install #357
  • [Auto-Generated] Minor issue: /bin/sh: 1: /home/valentino/frame/owtf/scripts/extract_urls.sh: Permission denied is not a valid URL and has been ignored, processing continues #353
  • [Auto-Generated] Plugin grep/[email protected] failed for target http://some.target.com #351
  • python version to use? #346
  • db.cfg path error. #345
  • Installation fails on Kali Linux #344
  • Debug notes in Installation Script #340
  • Installation fails on Samurai WTF #339
  • improved sslscan #329
  • [Auto-Generated] ValueError: invalid literal for int() with base 10: '' #320
  • [Auto-Generated] Plugin active/[email protected] failed for target http://some.target.com #319
  • OWASP Top 10 Mapping #304
  • github.io AND interactive report top SCA tools by platform #303
  • Dependencies Update Option #300
  • [Auto-Generated] Plugin grep/[email protected] failed for target http://some.target.com #272
  • [Auto-Generated] Plugin active/[email protected] failed for target http://some.target.com #270
  • Current OWTF's cookies manager is broken #256
  • [Auto-Generated] Unknown owtf error #248
  • CWE compatibility #217
  • OWTF Demos redirects to 404 page. #206
  • OWTF Installation Improvement #192
  • PEP8 Pre-Commit Hook #191
  • Checking for Internal IP Disclosure vunerabilities #165
  • Evaluate the value of OWASP O-shaft and decide if is worth adding to OWTF or not #120
  • Investigate integration with Vivek's search engine #116
  • Mitigation boiler plate DB #91
  • Travis CI is still broken.. #82
  • Zest integration #49
  • Malego-like transforms for OWTF #35
  • would be nice some listings... #3

Merged pull requests:

v1.0.1 (CHANGLOG2.md)

Full Changelog

Implemented enhancements:

  • lbd updated in Kali repos #342

Fixed bugs:

  • Six=>1.4.1 on Kali 1.0.9 x86_64 #332

Closed issues:

  • Botnet mode crashing when importing lists with no alive proxies #343
  • Windows 8.1 Git checkout not working #341
  • 404 on /ui/worklist links #338
  • Please don't encourage users to wget and execute arbitrary code #333

v1.0 (CHANGLOG2.md)

Full Changelog

Implemented enhancements:

  • Make the db configuration simpler #326
  • Adding target error #323
  • kali linux importError no module named tornado.httpserver #321
  • Change all target attributes to lower case #314
  • [DB] (OperationalError) FATAL: password authentication failed #312
  • [db] Shift to postgres needed #297
  • Display transactions interactively #288
  • Option to select/launch all the plugins at once #266
  • [lions_2014] Skipfish is slow as hell with proxyfication #253
  • Installing issue if python-pip package is not found #244
  • Permission Issue (UI branch) #242
  • passive search for defacements #212
  • Improvise grep plugins #157
  • Do not run metagoofil search engine functionality against local RFC1918 IP addresses #154
  • lbd using wrong port to detect load-balancer? #150
  • Grep plugin to search for URLs in transaction db (response bodies) #140
  • Increase in output verbosity #138
  • Use of databases in OWTF #105
  • "Adding new URL to potential DB:" is too slow, also vetting the URL later #102
  • different IPs for same hostname #87
  • Click flow improvements #80
  • Poor command line feedback #77
  • New HTTP methods grep plugin and improving CORS plugin #67
  • Improvement to passive plugins #63
  • Grep plugins command limitations #12
  • PHP Source detection approach #11

Fixed bugs:

  • HTML Injection #325
  • Workers problem #324
  • OWTFSession manager interface bug #313
  • FileLock Exception when accessing a target report #309
  • Proxychains config textbox should be multiline #308
  • Add Target small UI improvement #307
  • Workers are not sharing the plugin load #305
  • [lions_2014] Plugins' results not shown in the report. #294
  • [ui] Plugin launcher bugs #289
  • Bugs with Nikto active plugin #277
  • Error in transaction logger #267
  • The resource type: 'WEBAPPFINGERPRINT' is not defined on '/root/owtf/profiles/resources/default.cfg' #261
  • PTES-008 HTTP_RPC_PORT_NUMBER is missing in default.cfg #258
  • PTES-005 EMC_PORT_NUMBER is missing in default.cfg #257
  • [lions_2014] OWTF aborts when a wrong hostname is specified as a target #255
  • [lions_2014] UnicodeDecodeError in core.outputfunc #252
  • Bug in DirBuster parser #229
  • [lions_2014] PTES-006 Invalid RPORT #227
  • [lions_2014] W3AF is pending forever if run for the first time #225
  • UI branch bugs #221
  • Outstanding reporting bugs #216
  • [Auto-Generated] Plugin grep/[email protected] failed for target http://some.target.com #178
  • Do not run metagoofil search engine functionality against local RFC1918 IP addresses #154
  • Plugin active/[email protected] failed for target https://some.target.com #145
  • CPU spike when opening a 94 url partial report (just the home page!) #100
  • Multiprocessing cpu spikes on multi-target scan #99
  • multiprocessing bug with stack trace .. #98
  • different IPs for same hostname #87
  • Poor command line feedback #77
  • SSI grep plugin bug + passive plugin request #61

Closed issues:

Merged pull requests:

14/01/2014 - 0.45.0 "Winter Blizzard" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), Marios Kourtesis (@marioskourtesis) & their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.

  • New Feature: OWTF can now be updated using a command line flag <=> Bharadwaj Machiraju (@tunnelshade)
  • Added and fixed some tests for plugins <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • New Feature: Few tools are proxified through OWTF inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • New Feature: Httprint signatures updated (still updating) <=> Azeddine Islam Mennouchi
  • New Feature: Plug-n-Hack Phase I implemented in OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Travis CI service is under usage for tests <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • New Feature: OWTF Inbound proxy is made capable of websocket traffic proxying <=> Bharadwaj Machiraju (@tunnelshade)
  • New Feature: HTTP AUTH support is implemented in OWTF Inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Enhancement: Spiders, Robots and Crawlers grep plugin added <=> Bharadwaj Machiraju (@tunnelshade)
  • Enhancement: Web Services passive discovery plugin improved <=> Bharadwaj Machiraju (@tunnelshade)
  • New Feature: User can run multiple instances of OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • New Feature: Outbound socks proxy support implemented <=> Marios Kourtesis (@marioskourtesis)
  • New Tool: Added nmap to WAF checks <=> Abraham Aranguren (@7a_)
  • New Feature: Tor mode added to OWTF <=> Marios Kourtesis (@marioskourtesis)
  • New Feature: New Installation procedure added to OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • 40+ Bug fixes

09/08/2013 - 0.30 "Summer Storm II" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.

  • Extracting the HTML generated by the reporting system from Python modules into independent Jinja2 template files <=> Assem Chelli (@assem-ch)
  • Added some features to the Testing Framework. Added tests that cover approximately the 45% of the code of the OWTF Framework. <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • Added support for test coverage reports and test logs in HTML. <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • Spawing multiple processes on the basis of targets and then handling the input, stopping of the targets <=> Ankush Jindal(@ankushjindal278)
  • Centralised log function <=> Ankush Jindal(@ankushjindal278)
  • Generic messaging system with pull and push facility differently and database handler to use messaging for DB transaction in multiprocessing<=> (@ankushjindal278)
  • Draft inbound proxy is replaced by a new inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Inbound proxy is capable of caching and saving the transactions <=> Bharadwaj Machiraju (@tunnelshade)
  • Inbound proxy is capable of cookie filters. <=> Bharadwaj Machiraju (@tunnelshade)

28/06/2013 - 0.20 "Summer Storm I" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch) and Bharadwaj Machiraju (@tunnelshade)

  • Port of Abraham Aranguren's network security OSCP scripts into OWASP OWTF <=> Ankush Jindal (@ankushjindal278)
  • Fixed a small bug in the calling of metagoofil, thanks to Adi Mutu (@an_animal) for reporting <=> Bharadwaj Machiraju (@tunnelshade)
  • Added w3af and it's dependencies to install script <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed scripts/run_arachni.sh to save arachni output files into relevant owtf_review directory - owtf#41 <=> Abraham Aranguren (@7a_)
  • Fixed release name in framework/config/framework_config.cfg <=> Abraham Aranguren (@7a_)
  • Fixed the installation of phply ( a dependency of w3af ) <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed most PEP standard warnings on owtf.py <=> Abraham Aranguren (@7a_)
  • Fixed most PEP standard warnings on framework/config/health_check.py <=> Abraham Aranguren (@7a_)
  • Minor README fix replacing references from backtrack to Kali <=> Abraham Aranguren (@7a_)
  • Added arachni to install script along with some minor fixes, thanks to @fataku for reporting <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed unicode urls for dirbuster combined dictionaries <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed ssl-cipher-check bug Issue - owtf#38 <=> Abraham Aranguren (@7a_)

24/05/2013 - 0.16 "shady citizen" alpha release: Dedicated to Michael Kohl (@citizen428) and Bharadwaj Machiraju (@tunnelshade) for contributing to OWTF, thank you!

  • Created an alternative phishing3.2.2_listenerIP SET script directory to use in profiles/general/default.cfg: <=> Abraham Aranguren (@7a_)
    • The point of this is to be able to simply change the PHISHING_SCRIPT_DIR to use when SET adds an additional "ask listener IP" manual step (happens sometimes)
    • If SET stops asking the MSF listener IP then simply change PHISHING_SCRIPT_DIR back to phishing3.2.2 to use the correct scripts
  • Fixed legacy misspelled "phishing" typo bug around a few files <=> Abraham Aranguren (@7a_)
  • Added external links to assist Credential Transport vulnerability exploitation: SSLStrip, Firesheep, CookieCadger <=> Abraham Aranguren (@7a_)
  • Added external link to SpiderLabs' Blogpost: Adding Anti-CRSF support to Burp Intruder <=> Abraham Aranguren (@7a_)
  • Added Skipfish support via a new Skipfish plugin: Skipfish_Unauthenticated <=> Abraham Aranguren (@7a_)
  • Added Arachni v.0.4.1 support <=> Abraham Aranguren (@7a_)
  • Removed demos directory to place demos in a dedicated repository (https://github.com/owtf/owtf_demos) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
  • Removed releases directory to place demos in a dedicated repository (https://github.com/owtf/owtf_releases) and keep the main owtf repository more lightweight <=> Abraham Aranguren (@7a_)
  • Substituted getopt with argparse for argument parsing <=> Abraham Aranguren (@7a_)
  • Fixed www.company.com/subdir issue thanks to Adi Mutu (@an_animal) for reporting it and Bharadwaj Machiraju (@tunnelshade) for fixing it! - owtf#15 <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed bug on draft Inbound proxy thanks to Bharadwaj Machiraju (@tunnelshade) for finding + fixing it! - owtf#16 <=> Bharadwaj Machiraju (@tunnelshade)
  • Initial Kali Linux port (some tools still missing, the install script needs more work) thanks to Bharadwaj Machiraju (@tunnelshade) for a lot of help on this! <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed websecurify path, thanks to Anant Shrivastava (@anantshri) for finding and fixing the problem in a pull request! <=> Anant Shrivastava (@anantshri)
  • Kali Linux fix: Removed setrubyenv.sh from default.cfg resource configuration file due to no longer being necessary and because it was stopping execution of ruby tools <=> Abraham Aranguren (@7a_)
  • Improved exception handling in framework/http/requester.py to avoid crashing OWTF for small library things like 'raise BadStatusLine(line)' <=> Abraham Aranguren (@7a_)
  • Kali Linux fix: Fixed DirBuster path and centralised binary name on profiles/general/default.cfg <=> Abraham Aranguren (@7a_)
  • fixed minor pentesting vs. pen testing typo on owtf.py :) <=> Abraham Aranguren (@7a_)
  • Merged new pull request from Bharadwaj Machiraju (@tunnelshade): OWTF restricted dictionary installation and merging scripts thank you! <=> Bharadwaj Machiraju (@tunnelshade)
  • Minor improvements to pull request above after testing (linking raft files instead of copying again, fixing svndigger_raft_dict_merger.py permissions) <=> Abraham Aranguren (@7a_)
  • Added .project files in order to allow importing of OWTF project into Eclipse, revised readme/CONTRIBUTORS and a bug fix in owtf.py <=> Bharadwaj Machiraju (@tunnelshade)
  • Removing big-size binaries from the git repo and purge thier history in order to have a small repository <=> Assem Chelli (@assem-ch)
  • Fixed the plugin listing option. It is no longer necessary to specify a Target when listing plugins. <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • Commented out TOOL_GOOHOST as it is not being called by OWTF (since there are better tools doing same job) <=> Bharadwaj Machiraju (@tunnelshade)
  • Revhosts is replaced by dnsrecon as revhosts is discontinued in kali linux. <=> Bharadwaj Machiraju (@tunnelshade)
  • httprint is added to install script as the tool is not present in kali by default <=> Bharadwaj Machiraju (@tunnelshade)
  • Added missing gnutls-bin package to Kali Linux script <=> Abraham Aranguren (@7a_)
  • Added wrapper install scripts around other install scripts and fixed cms-explorer installation & path <=> Bharadwaj Machiraju (@tunnelshade)
  • Fixed the dictionary path for skipfish <=> Bharadwaj Machiraju (@tunnelshade)
  • Created the AUTHORS file <=> Assem Chelli (@assem-ch)
  • Added script for patching Tlssled and revised master install script <=> Bharadwaj Machiraju (@tunnelshade)
  • Removed misleading note about argparse since owtf.py now uses this library <=> Abraham Aranguren (@7a_)
  • Added checks before installation of dictionaries and updated date for tlssled patch <=> Bharadwaj Machiraju (@tunnelshade)
  • Revised the extract_urls.sh to use DirBuster.txt instead of generated report and other minor fixes <=> Bharadwaj Machiraju (@tunnelshade)
  • Skipfish is now linked to from the report, this was the final step to solve owtf#13 <=> Abraham Aranguren (@7a_)
  • Fixed a bug in invoking nikto (scripts/run_nikto.sh) <=> Bharadwaj Machiraju (@tunnelshade)

24/09/2012 - 0.15 "Brucon" pre-alpha release: Dedicated to Brucon (http://brucon.org), its organisers and attendants

  • Changed name to OWASP OWTF since this is an OWASP project now, thank you OWASP! - https://www.owasp.org/index.php/OWASP_OWTF <=> Abraham Aranguren (@7a_)
  • Bug fix: General clean-up of the bt5_install.sh script + OWTF's tool locations for a smoother install experience, thanks to Xavier Mertens (@xme) for reporting! <=> Abraham Aranguren (@7a_)
  • Bug fix: Removed Slowloris download code from bt5_install.sh script since redistribution was allowed by RSnake and it's packaged with OWASP OWTF <=> Abraham Aranguren (@7a_)
  • Bug fix: Commented out whatweb download from bt5_install.sh since the Backtrack version is now stable, default config also points to Backtrack path now <=> Abraham Aranguren (@7a_)
  • Bug fix: requester.py was referencing "Core.mError" which could sometimes result in the following error: "AttributeError: Core instance has no attribute 'mError'" <=> Abraham Aranguren (@7a_)
  • New feature: Instead of having to use our own nikto binaries, the OWTF's install script will now patch's nikto's poor default user agent (blocked by basic WAF blacklists) <=> Abraham Aranguren (@7a_)
  • Added to Sandro Gauci's Webapp Exploit Payloads to the following external plugins: XSS, CSRF and Cross Site Flashing <=> Abraham Aranguren (@7a_)
  • Added cross-site flashing link to get swfdump from www.swftools.org <=> Abraham Aranguren (@7a_)
  • Added external plugin link to bAdmin project (from whitehat) for default admin interfaces passwords <=> Abraham Aranguren (@7a_)
  • Added xss external plugin link to Gareth's Heyes HackVertor <=> Abraham Aranguren (@7a_)
  • Added xss external plugin link to Mario Heiderich's html5sec.org <=> Abraham Aranguren (@7a_)
  • Changed default UA to a more believable FF15 <=> Abraham Aranguren (@7a_)
  • Added udl filetype to blanket google hacking searches (ica and rdp were already there), thanks to Chema Alonso (@chemaalonso)! <=> Abraham Aranguren (@7a_)
  • Added external cross-site flashing link to Adobe's SWFInvestigator <=> Abraham Aranguren (@7a_)
  • Added external xss link to Krzysztof Kotowicz's Chrome extension exploitation framework (XSS ChEF) <=> Abraham Aranguren (@7a_)
  • Added external xss link to Michal Zalewski's post-XSS ideas on XSS exploitation <=> Abraham Aranguren (@7a_)
  • Added external session management schema link to .NET VIEWSTATE vulnerabilities blog post <=> Abraham Aranguren (@7a_)
  • Added external SQLi plugin link to InfoSec Institute's SQLi Backdoor creation article <=> Abraham Aranguren (@7a_)
  • Added external file extension handling + SQLi link to contagiodump.blogspot.com's Collection of Web Backdoors & Shells <=> Abraham Aranguren (@7a_)
  • Added external file extension handling + SQLi link to Laudanum's Project for shells and utilities <=> Abraham Aranguren (@7a_)
  • Added external Bypassing Authentication Schema plugin link to OWASP's Password Storage Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external Clickjacking plugin link to OWASP's ClickJacking article <=> Abraham Aranguren (@7a_)
  • Added external Bypassing Authorisation Schema link to OWASP's Access Control Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to bAdmin project (from whitehat) for default or guessable user accounts plugin <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's XSS Filter Evasion Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's XSS Prevention Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's DOM XSS Prevention Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Web Service Security Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Transport Layer Protection Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's SQL Injection Prevention Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Query Parameterization Cheat Sheet (complements SQLi cheat sheet) <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Session Management Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Logging Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's JAAS Authentication Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Forgot Password Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Cryptographic Storage Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Choosing and Using Security Questions Cheat Sheet <=> Abraham Aranguren (@7a_)
  • Added external plugin link to OWASP's Authentication Cheat Sheet <=> Abraham Aranguren (@7a_)

23/04/2012 - 0.14 "London" pre-alpha release: Dedicated to BSides London (http://www.securitybsides.org.uk/), its organisers and attendants

  • Fixed URL regexp on the link_clicker.py payload for the OWTF imap client Agent <=> Abraham Aranguren (@7a_) It was missing IP-only URLs like: http://192..., regexp changed to: 'http[:0-9a-zA-Z./]+'
  • Upgraded SET spear phishing scripts from SET version 2.5.3 to SET version 3.2.2 <=> Abraham Aranguren (@7a_)
  • Bug fix: Added GetFileAsList and AppendToFile convenience functions (required by some existing code) <=> Abraham Aranguren (@7a_)
  • Added Version information at the bottom of the OWTF banner and arranged some loading messages to suit <=> Abraham Aranguren (@7a_)
  • Added GetCurrentDateTimeAsStr convenience method to the Timer class <=> Abraham Aranguren (@7a_)
  • Added SET script for new payload (19) <=> Abraham Aranguren (@7a_)
  • Replaced /etc/motd by new parameter WORD_TEMPLATE in SET payload script 3, and added parameter to Spear_Phishing plugin <=> Abraham Aranguren (@7a_)
  • Added better error handling to the Spear Phishing handler so that it aborts when a payload script is not found (instead of crashing in SET, after) <=> Abraham Aranguren (@7a_)
  • Fixed SET payload 15 to take advantage of the custom PDF template <=> Abraham Aranguren (@7a_)
  • Added a bit of SET's documentation to the readme directory <=> Abraham Aranguren (@7a_)
  • Commented out the Attachment name modification in the Spear Phishing plugin (sometimes you may want to control this from outside the plugin) <=> Abraham Aranguren (@7a_)
  • Added better exception handling to OWTF's SMTP class so that failure to perform the SMTP Login assumes open relay and moves on (also sent as a patch to SET) <=> Abraham Aranguren (@7a_)
  • Added slightly better message to OWTF's SMTP START TLS exception handling error message <=> Abraham Aranguren (@7a_)
  • Added warning to SET handler when sending blank values <=> Abraham Aranguren (@7a_)
  • Added check to Spear Phishing module to verify the word template exists <=> Abraham Aranguren (@7a_)
  • Improved exception handling on the SMTP class for Targeted Phishing, thanks Sam! <=> Abraham Aranguren (@7a_)

10/04/2012 - 0.13b "HackPra" pre-alpha release: Dedicated to HackPra (http://www.nds.rub.de/teaching/hackpra/), its organisers and attendants

  • Inclusion of slowloris, thanks to RSNake for allowing redistribution! <=> Abraham Aranguren (@7a_)

  • More indentation clean up in various files <=> Abraham Aranguren (@7a_)

  • Fixed bug on DeriveURLSettings: Thanks to Sandro Gauci for reporting! <=> Abraham Aranguren (@7a_) The home-brew parsing was resulting in an error like below with URLs like http://example.com:81 "Aborted by Framework: Cannot resolve Hostname: example.com:81" URL parsing is now done via the urlparse library

  • Fixed bug introduced above whereby urlparse was returning "None" for the port in the summary report: <=> Abraham Aranguren (@7a_) Reintroduced scheme check to handle this case and ensure the port is never blank regardless of URL format

  • Fixed bug similar to the one in DeriveURLSettings on the OWTF Core: <=> Abraham Aranguren (@7a_) IsInScopeURL was parsing the hostname from the URL in a home-brew fashion this worked ok most of the time but in some cases could lead to bugs, core.py is now using urlparse for parsing the hostname from the URL

  • Added regression test shell scripts to tests directory <=> Abraham Aranguren (@7a_)

25/03/2012 - 0.13 "Trooper" pre-alpha release: Dedicated to Troopers (http://www.troopers.de/), its organisers and attendants

  • Inclusion of fuzzdb -allowed by licence- thanks! <=> Abraham Aranguren (@7a_)
  • Inclusion of HashCollision-DOS-POC by Christian Mehlmauer (@FireFart) thanks! <=> Abraham Aranguren (@7a_) Location: owtf_dir/tools/dos/web/HashCollision-DOS-POC More info: https://github.com/FireFart/HashCollision-DOS-POC
  • Installation script cleanup: tools/bt5_install.sh courtesy of Michael Kohl (@citizen428), thanks! <=> Michael Kohl (@citizen428)
  • Minor fixes to scripts/setrubyenv.sh also courtesy of Michael Kohl @citizen428), thanks! <=> Michael Kohl (@citizen428)
  • "set fuzzFormComboValues all" removed from scripts/run_w3af.sh because it may make w3af scans slow, thanks to Adi Mutu (am06) and Andrés Riancho (@w3af)! <=> Abraham Aranguren (@7a_) More info: http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2B1Rt67bN3-2OpB%2B7SOGO7%3D92KWXBMdbaztpa885f%3Du2GzjcFg%40mail.gmail.com&forum_name=w3af-users
  • Created an initial basic targeted phishing plugin to send anything via SMTP: aux/se/[email protected] <=> Abraham Aranguren (@7a_)
  • Created the concept of "OWTF Agents": Small listeners that establish communication channels that allow to perform actions remotely (i.e. in a victim machine) <=> Abraham Aranguren (@7a_)
    • Added sbd-based shared-password OWTF Agent for persistent shell access to other machines to be used during a test (i.e. victim emulation)
    • Added ssh-based trusted-public-key OWTF Agent for an alternative to shared passwords (basic instructions to set this up with ssh)
    • Added initial auxiliary plugins to communicate with OWTF agents: SBD_CommandChainer is working, the others in rce are WIP (see plugins/aux/rce)
    • Added imapd OWTF agent: This checks email with a predefined account and loads the configured plugin to process the message. Example:
      1. OWTF sends a targeted phishing attack via aux/se/[email protected]
      2. An OWTF imapd Agent processes any new email that arrives and emulates a user click for all links found in the message
  • Added initial SMB handler to the framework and a related plugin: aux/smb/[email protected] <=> Abraham Aranguren (@7a_)
  • Added an Interactive Shell handler useful to interact with remote and local shells run in a subprocess <=> Abraham Aranguren (@7a_)
  • Significant SET integration improvements: new OWTF SET handler + spear_phishing modules and plugin/configurability tweaks <=> Abraham Aranguren (@7a_)
  • Added hopefully better comments in several places <=> Abraham Aranguren (@7a_)
  • Started to use Eclipse and Fixed indentation on many framework files :P <=> Abraham Aranguren (@7a_)
  • Bug fix: Commented out goohost shell one liners in profiles/general/default.cfg: When goohost is not installed cat hangs (Thanks to Sandro Gauci) <=> Abraham Aranguren (@7a_)
  • Bug fix: Grep plugins were no longer showing links to Text, HTML, etc findings <=> Abraham Aranguren (@7a_)
  • Added CAPTCHA breaker tool links to external plugin to assist manual exploitation: PWNtcha - captcha decoder, Captcha Breaker <=> Abraham Aranguren (@7a_)
  • Added vulnerability search box to the CAPTCHA external plugin <=> Abraham Aranguren (@7a_)
  • Added links to the "Session managament schema" external plugin: Gareth Hayes' HackVertor, Raul Siles' (Taddong) F5 BIG IP Cookie Decoder <=> Abraham Aranguren (@7a_)
  • Added link to the "SSI Injection" external plugin: webappsec.org SSI Injection info <=> Abraham Aranguren (@7a_)
  • Moved HTTP-Traceroute back into rev_proxy to avoid config changes <=> Abraham Aranguren (@7a_)

10/02/2012 - 0.12 "Wicky" pre-alpha release: Dedicated to @marcwickenden for sending the first pull request!

  • Merged pull request with IPv6 support and proper IP validation from @marcwickenden thanks! <=> Marc Wickenden (@marcwickenden)
  • Added graceful framework abort when a hostname cannot be resolved (instead of python trace mess) <=> Abraham Aranguren (@7a_)
  • Added Hurricane Electric passive recon link to discovery plugin (Thanks to Chris John Riley) <=> Abraham Aranguren (@7a_)
  • Bug fix in plugin_handler.py and plugin_register.py to set a Start, RunTime and End date for external plugins that have been already run but require to be registered against a target to report display purposes. Only happened in separate iterations. <=> Abraham Aranguren (@7a_)
  • Added a Sanitiser module to solve the "embedding untrusted HTML" issue, when POST is the only way to query a third party site. The filter is public and you are encouraged to break it :). An improved filter will be published shortly after each new public bypass. <=> Abraham Aranguren (@7a_) REMARKS:
    • Thank you very much to everybody that took the time to try to break the HTML filter!
    • Congratulations + props to the successful breakers before this release: Mario Heiderich, @notracecc, @dreyercito
    • If you did not try to break the filter, what are you waiting for? :)
    • The challenge will run indefinitely and is available here: http://blog.7-a.org/2012/01/embedding-untrusted-html-xss-challenge.html
  • Clean-up of passive robots.txt plugin to sanitise embedded HTML (via module above) + move this to an external file
  • plugin_helper.py clean-up for flexibility, readability and code reuse around transparent filtering and sandboxing of embedded third-party HTML (related to above)
  • When embedding HTML from a third party site OWTF will: <=> Abraham Aranguren (@7a_)
    1. Filter the HTML using the Sanitiser module above
    2. Save the filtered output to a file
    3. Create a separate file that embeds the filtered output inside a sanboxed iframe (just in case an unpublished bypass whatever ;))
    4. The OWTF report provides a link to the sanboxed file only
    5. Both the sandboxed + non-sandboxed files are saved to another directory = they cannot access HTML 5 localstorage (where your review is), at least in Firefox 8
  • Fixed minor but annoying bug whereby the filter was not showing up when the detailed report was collapsed, so detailed report totals were not being shown <=> Abraham Aranguren (@7a_)
  • Added a more links to assist manual XSS exploitation: http://www.bindshell.net/tools/beef, http://xss-proxy.sourceforge.net/, http://www.gnucitizen.org/projects/backframe/ <=> Abraham Aranguren (@7a_)
  • Integration with CKEditor (http://ckeditor.com/): <=> Abraham Aranguren (@7a_)
    1. Notes now have a full blown WYSIWYG editor -their permissive licensing allows redistribution, thank you!-
    2. Above means you can now take notes with fancy formatting: tables, links, bullet points, font format, size, style, etc (useful for exploit/PoC links, etc)
    3. The OWTF review works as usual but the notes are now saved with their formatting (HTML instead of plain text)
    4. OWTF will show an automated preview on top of the editor, this is always displayed, which makes it more intuitive to see if there are notes present for a plugin
    5. OWTF will also automatically save these formatted notes in the review for resilience: Even if your browser crashes or is closed by mistake you keep what you typed
    6. The OWTF notes preview also modify links so that they are displayed on a new tab (most useful option and consistent with other links in the report)
    7. OWTF will create/destroy CKEditor instances as follows: 1st lightbulb click: create, 2nd click: destroy = report is more lightweight, loads faster, etc
    8. OWTF will destroy all plugin editors when a new one is created: This ensures only resources for a single editor are used at any point in time (report = lightweight)
  • Bug fix: Changing the detailed report iframe size via onload event was messy: Now the iframe is created directly using the initial height defined on: COLLAPSED_REPORT_SIZE <=> Abraham Aranguren (@7a_)
  • Enhancement: Added new review icons to be able to flag certain special cases. Icons can be removed on: profiles/general/default.cfg <=> Abraham Aranguren (@7a_)
    1. LadyBug: Flag functional and/or business logic bugs (it's up to you how you interpret this, as usual)
    2. Empty Star: To flag you had a brief look (already saw it) but no real analysis was done
    3. Half Star: To flag you had an initial look but need to investigate more to be able to rate the output
  • Created an initial help file that is linked to from the OWTF report via question mark icons <=> Abraham Aranguren (@7a_)
  • Some clean-up around review icons code in the report a bit less messy now :P <=> Abraham Aranguren (@7a_)
  • Plugin Review Icons are now highlighted like filters when the user clicks on them as well as when the report loads: More intuitive <=> Abraham Aranguren (@7a_)
  • Multiple bug fixes around Import/Export Review from Summary report (Import was not working at all and other similar problems) <=> Abraham Aranguren (@7a_)
  • Multiple space and colour optimisations in the report <=> Abraham Aranguren (@7a_)
  • An initial Summary Report filter has been implemented, this triggers the same filter on all children iframes, resizing them, etc <=> Abraham Aranguren (@7a_)
  • Added unit tests to allow more efficient testing of the Sanitiser module (i.e. test quickly all previous bypasses against new filter) <=> Abraham Aranguren (@7a_)
  • Made the Sanitiser module a bit smarter so that: <=> Abraham Aranguren (@7a_)
    1. It can be called from the framework: When this happens no tests are run, but all functionality is callable by the framework
    2. It can be called from the commandline: When this happens the Sanitiser expects HTML on stdin (i.e. cat input.txt | sanitiser.py) NOTE: I noticed it was handier to read from stdin (instead of a hard-coded file) so that I can regression test new filters faster
  • Significant report memory usage improvements (single review object shared for all reports, it was num_targets x review + 1 before) <=> Abraham Aranguren (@7a_)
  • Significant report performance improvements: <=> Abraham Aranguren (@7a_)
    1. When the report loads for the first time, counters and colours are calculated and stored in localstorage
    2. Counters will only be updated when the user rates plugins from then on
    3. When the report loads again counters are not calculated (as previously= this was slow), instead they are read from localStorage
  • Lots of small report tweaks to improve navigability, general usability and appearance <=> Abraham Aranguren (@7a_)
  • Added rudimentary reporting functionality via magic bar: Builds a basic report for ease of copy-paste in your reporting <=> Abraham Aranguren (@7a_)
  • Refactored owtf.js into smaller files: owtf_general.js, owtf_review.js, owtf_filter.js and owtf_reporting.js <=> Abraham Aranguren (@7a_)
  • Reorganised dictionaries and tools into "restricted" (i.e. licensing) directories so that they are not committed by mistake to github <=> Abraham Aranguren (@7a_)

19/01/2012 - 0.11 "Vienna" pre-alpha release: Dedicated with special love to BSides Vienna (http://www.bsidesvienna.info/), its organisers and attendants

  • Significant report improvements <=> Abraham Aranguren (@7a_)

  • OWTF will now only execute external plugins once regardless of the number of targets (it was 1 x num_targets before, way slower) <=> Abraham Aranguren (@7a_)

  • Host names are now retrieved properly from python via import socket + socket.gethostbyname -> i.e. cannot use dns/host when /etc/hosts is required in a pen test (Bug report credit: Sandro Gauci) <=> Abraham Aranguren (@7a_)

  • Fixed licence to more accurately match 3-clause-BSD (the intended licence :)) <=> Abraham Aranguren (@7a_)

  • Created initial FAQ based on actual feedback/questions <=> Abraham Aranguren (@7a_)

  • Added new grep + external plugins for HTML5 Cross Origin Resource Sharing (CORS) (OWTF-WGP-002) - Thanks to Krzyzstof Kotowicz for answering my questions + great PoCs :) <=> Abraham Aranguren (@7a_)

  • Added links to interesting resources for manual exploitation, etc on the external CORS plugin (Thanks to Krzysztof Kotowicz) <=> Abraham Aranguren (@7a_)

  • Added links to interesting resources for manual exploitation, etc on the external Cross Site Flashing plugin (Thanks to Krzysztof Kotowicz, Michele Orru, Mario Heiderich) <=> Abraham Aranguren (@7a_)

  • Tweaked cross site flashing passive plugin (google hacking searches) to also search for Silverlight's stuff: clientaccesspolicy.xml, .xap and .scr files <=> Abraham Aranguren (@7a_)

  • Tweaked cross site flashing semi passive plugin to also try to get the clientaccesspolicy.xml file (Silverlight's equivalent to crossdomain.xml) <=> Abraham Aranguren (@7a_)

  • Tweaked regexps for Application Configuration Management (OWASP-CM-004) to reduce false positives <=> Abraham Aranguren (@7a_)

  • Added regexps to Application Configuration Management (OWASP-CM-004) to search for PHP+ASP source code disclosure too <=> Abraham Aranguren (@7a_)

  • Added resources (Nicolas Gregoire's XLT wiki) to XML Injection external plugin (to assist with manual exploitation) <=> Abraham Aranguren (@7a_)

  • Added Nicolas Gregoire's HTTP-Traceroute.py reverse proxy check script to tools/discovery/web/rev_proxy (Thanks to Nicolas for allowing direct redistribution with OWTF!) <=> Abraham Aranguren (@7a_) Added a GET and TRACE reverse proxy checks using HTTP-Traceroute.py to: Infrastructure Configuration Management (OWASP-CM-003) - with WAF and Load Balancer checks - Link for background: http://www.agarri.fr/kom/archives/2011/11/12/traceroute-like_http_scanner/index.html

  • Bug fix: owtf.py -l net (also owtf.py -g net) would crash because there are no net plugins yet: An error message explaining this is now shown instead (Bug report credit: am06, Michele Orru)) <=> Abraham Aranguren (@7a_)

  • Bug fix: semi_passive/[email protected] does no longer show duplicates + minor plugin clean-up <=> Abraham Aranguren (@7a_)

  • Bug fix: Fixed some issues on Transaction DB comparisons that resulted in the Cache not working right <=> Abraham Aranguren (@7a_)

  • Modified web/passive/[email protected] to directly submit the form on tool.motoricerca.info (because it does not work via link, uses POST only) <=> Abraham Aranguren (@7a_)

  • Added Start, End and Runtime fields to Plugin Register + Modified report to display the Start + End Date/Time for each plugin (potentially useful to correlate log events) <=> Abraham Aranguren (@7a_)

  • Added http://statsie.com passive analysis link (on Passive Search Engine Discovery) <=> Abraham Aranguren (@7a_)

  • Created a configuration health-check module by massive popular demand :). When OWTF starts it will now warn you when tools are missing and suggest how to fix it. <=> Abraham Aranguren (@7a_)

  • Created initial rudimentary owtf_dir/tools/bt5_install.sh script (incomplete, but getting there) to download tools missing or unreliable in Backtrack 5 <=> Abraham Aranguren (@7a_)

  • Updated install script (owtf_dir/install/bt5_install.sh) + /profiles/general/default.cfg to include the latest Arachni version (v0.4.0.2) and verified it works <=> Abraham Aranguren (@7a_)

  • Experimental: Created a Command Register (owtf_review/db/command_register.txt) where information on all commands run is stored: <=> Abraham Aranguren (@7a_)

    • Start+End Date/Time, Runtime, Status (Finished/Cancelled), Actual command run, Command without plugin output info (needed internally for the framework)
    • Purpose 1: Avoid running the same command several times, very useful when you have several domain.com targets. A message like "command already run for target X" appears
    • Purpose 2: Simple date and time correlation becomes possible: Useful for debugging and IDS testing (which exploit worked? what command brought the server down?, etc)
    • Purpose 3: It is simply nice to have a log of every command that was run, and questions like "what tools did you run and how?" become easier to answer

  • Added link to Gareth Heyes' awesome http://shazzer.co.uk project to assist with manual XSS exploitation <=> Abraham Aranguren (@7a_)

  • Added Command execution start date/time information on the screen so that the pen tester can make a better decision (wait/stop it) <=> Abraham Aranguren (@7a_)

  • Experimental: Created a redirect detection mechanism so that it is more intuitive to realise when all URLs are being redirected (i.e. blanket redirect from port 80 to 443) <=> Abraham Aranguren (@7a_)

    • Status will be marked as "302 Found": Instead of the previous "200 OK", which did not reflect the redirect (not ideal but better than 200)
    • URL will be set as the redirected URL: This way it is more obvious if the target is http:// but the transaction log is all https://, that there is a blanket redirect
    • Known issue: The scope can be wrong if the redirect is performed to outside of the target URL, need to work more on this

  • Experimental: If the user supplies only domain names, the scope expands to https + http for each domain <=> Abraham Aranguren (@7a_)

  • Experimental: If a passed URL cannot be reached it is removed from the report (assumed it does not exist) -> useful for huge scopes! <=> Abraham Aranguren (@7a_)

06/01/2012 - 0.10 "Berlin" pre-alpha release dedicated to BerlinSides (http://berlinsides.org/), its organisers and attendants

  • Thanks to Mario Heiderich for the sample attack vectors and Selenium research for IDS testing (used by the selenium aux plugin) <=> Abraham Aranguren (@7a_)
  • Passive Plugins will now be run even if the target IP is internal because passive plugins now also make suggestions (i.e. potentially useful commands) <=> Abraham Aranguren (@7a_)
  • Changed blue navigation arrows to + and - gray icons courtesy of http://www.app-bits.com/free-icons.html. plus/minus suggested as more intuitive (Idea Credit: Sandro Gauci) <=> Abraham Aranguren (@7a_)
  • Changed text color to be darker for higher contrast and easier reading :) (Idea Credit: Sandro Gauci) <=> Abraham Aranguren (@7a_)
  • Implemented dynamic counters beside each filter for a quick visual overview and know where data is (with colours too :)) + All icons are now configurable <=> Abraham Aranguren (@7a_)
  • Bug fix: Comments where not being populated back upon screen reload <=> Abraham Aranguren (@7a_)
  • Removed matches table (redundant now because of the counters) and added mechanism to highlight enabled filter icon with blue background: More intuitive, I think <=> Abraham Aranguren (@7a_)
  • Several UI rearrangements to improve navigation and intuitiveness <=> Abraham Aranguren (@7a_)
  • Implemented new CLI option for algorithm: breadth (default): runs each plugin against all targets first. And depth runs all plugins against each target first <=> Abraham Aranguren (@7a_)
  • Massive refactoring/rewrite of significant portions of the framework to support: algorithm, multi-host targets, future net plugins, etc <=> Abraham Aranguren (@7a_)
  • Changed Config to transparently handle multi-target configurations (i.e. self.Core.Config.Get('x') --> 'x' is relevant for the current target) <=> Abraham Aranguren (@7a_)
  • Changed Config to transparently handle multi-target replacements (i.e. self.Core.Config.get_replacement_dict() --> Returns PLACE_HOLDER => VALUE pairs relevant for target) <=> Abraham Aranguren (@7a_)
  • Serious refactoring to dynamically load plugins and plugin types from the file system along with a description of what they do <=> Abraham Aranguren (@7a_)
  • Significant DB refactoring to accomodate to the new multi-host/multi-db problem, created plugin register db and improved DB simulation mode without touching disk <=> Abraham Aranguren (@7a_)
  • Bug fix: New Plugin highlighting upon screen refresh is now working again <=> Abraham Aranguren (@7a_)
  • robots.txt analysis: Added resource: http://tool.motoricerca.info/robots-checker.phtml + changed proxy from hexilion to anonymouse.org + passive robots.txt plugin clean-up <=> Abraham Aranguren (@7a_)
  • Bug fix: Fixed an issue that resulted in many broken report links <=> Abraham Aranguren (@7a_)
  • Significant reporting improvements, including Summary report counters working, etc <=> Abraham Aranguren (@7a_)
  • Transaction Log DB handling improvements and clean up <=> Abraham Aranguren (@7a_)
  • Added "external" plugins so that the pen tester has a way to write down information relevant to external tools and/or manual testing. Will have helpful info in the future. <=> Abraham Aranguren (@7a_)
  • Added initial SSI grep plugin <=> Abraham Aranguren (@7a_)
  • Added OWASP Codes to the detailed report <=> Abraham Aranguren (@7a_)
  • Many more bugs were also fixed .. <=> Abraham Aranguren (@7a_)

01/12/2011 - 0.07 pre-alpha release

  • Fixed bug in spider plugin: Counter incorrect <=> Abraham Aranguren (@7a_)
  • Cache Control Meta tags search added to grep plugin: Logout and Browser Cache Management (OWASP-AT-007) <=> Abraham Aranguren (@7a_)
  • New plugins: autocomplete, cross site flashing <=> Abraham Aranguren (@7a_)
  • Report navigation improved <=> Abraham Aranguren (@7a_)
  • Added option to "Mark as Reviewed", "Mark as NOT Reviewed", "Clear Review", "Clear Review Storage" for more efficient review <=> Abraham Aranguren (@7a_)
  • Reviewed items are stricken-through, so it's easy to see what has not been reviewed yet <=> Abraham Aranguren (@7a_)
  • New plugin results are highlighted in white blackground, so that it is easy for the tester to identify what's new <=> Abraham Aranguren (@7a_)
  • Made seed shorter and flipped top table to be horizontal and take a lot less space off the screen <=> Abraham Aranguren (@7a_)
  • To the right of OWASP Index Item: Removed toggle + moved "show" and "hide" beside plugin tabs, refactor into tabcreator <=> Abraham Aranguren (@7a_)
  • Added basic CSRF grep plugin that looks for hidden fields (in the hope that token will/will not be found) <=> Abraham Aranguren (@7a_)
  • Added basic SQLi google-hacking passive plugin <=> Abraham Aranguren (@7a_)
  • Added DoS grep plugin (show top 10 slowest queries and suggest to view log) <=> Abraham Aranguren (@7a_)
  • Cleared up the HTTP Transactions table: Removed redundant links + Added link to transaction log <=> Abraham Aranguren (@7a_)
  • Added new plugin for Credentials_transport_over_an_encrypted_channel <=> Abraham Aranguren (@7a_)
  • Lots of UI improvements to use screen space better: Now Review, History, Logs, etc have their own tabs <=> Abraham Aranguren (@7a_)
  • Tried to use cool jquery icons but failed miserably: They are displayed but background sucks need a web designer :) <=> Abraham Aranguren (@7a_)
  • Had the bright idea of changing the naming convention, which broke everything for 1day+ <=> Abraham Aranguren (@7a_)
  • Bug fix: All URLs where being logged instead of only the valid ones <=> Abraham Aranguren (@7a_)
  • Bug fix: DoS testing was taking into account transactions out of scope <=> Abraham Aranguren (@7a_)
  • Bug fix: DoS plugin (and DB transaction manager) crashed when transaction DB empty <=> Abraham Aranguren (@7a_)
  • Moved DirBuster to its own plugin: Old, Backup and Unreferenced Files (OWASP-CM-006) <=> Abraham Aranguren (@7a_)
  • Moved each scanner to its own plugin for ease of review and flexibility (i.e. I want to run X but not Y, etc): arachni, wapiti, w3af, etc now have their own plugins <=> Abraham Aranguren (@7a_)
  • Bug fix: Added check on plugin handler so that grep plugins are skipped when Transaction DB is empty (Grep plugins grep the DB so no DB = fail) <=> Abraham Aranguren (@7a_)
  • Bug fix: Vuln search box was broken due to jquery port changes <=> Abraham Aranguren (@7a_)
  • Added check so that passive plugins are not run if the target ip is an RFC1918 address (aka "private" or "LAN" address) <=> Abraham Aranguren (@7a_)
  • Added passive Testing for Admin Interfaces (OWASP-CM-007) <=> Abraham Aranguren (@7a_)
  • Split URL DB into "potential URL" (maybe third-party tool false positive) and "URL" (vetted) DBs -> potential URLs to be checked by spider plugins <=> Abraham Aranguren (@7a_)
  • Improved Extract URLs mechanism to Visit links (adding to DB, which helps grep plugins) if >= 1 active plugin enabled + associated bugfixes, UI and timing improvements <=> Abraham Aranguren (@7a_)
  • Improved log UI to indicate if there are error messages or not without having to click the button + Significant Log UI navigation improvements <=> Abraham Aranguren (@7a_)
  • Implemented persistence via localStorage, serious JavaScript refactoring: Now there is a single Review JSON object, code simplified a lot <=> Abraham Aranguren (@7a_)
  • Made the choice between localStorage and sessvars configurable so that the user can choose and use some form of persistance (sessvars) even on old browsers. <=> Abraham Aranguren (@7a_)
  • Because of above 2 lines the Storage has been abstracted into separate libraries: the abstraction (sessvars or localStorage) is loaded depending on configuration setting <=> Abraham Aranguren (@7a_)
  • Implemented ability to add notes to the results of each plugin, this is saved in the JavaScript storage as well <=> Abraham Aranguren (@7a_)
  • Added a Filter tab at the top that includes the icons available to review each plugin and allows filtering by flag, by comments present, striken-through, etc <=> Abraham Aranguren (@7a_)
  • Fixed lots of bugs in filter above, added "review size" and "total size" columns to top table for visibility of memory in use, the columns are updated on the fly <=> Abraham Aranguren (@7a_)
  • Added a hidden token div inside plugin reports so that the report can detect whether a plugin's content has changed or not: If changed highlight tab background to white <=> Abraham Aranguren (@7a_)
  • Added a counter to the filter so that the user has visibility about how many plugins matched the filter (handy to find bugs too) <=> Abraham Aranguren (@7a_)
  • Made rating flags configurable: the user can now choose which flag icons they wish to view on the screen (i.e. only low, medium and high icons, etc) <=> Abraham Aranguren (@7a_)
  • Added a new Grep plugin based on URL classification for "Old Backup and Unreferenced Files (OWASP-CM-006)" <=> Abraham Aranguren (@7a_)
  • Bug fix: the grep plugin for "Old Backup and Unreferenced Files (OWASP-CM-006)" was showing URLs with 404 responses <=> Abraham Aranguren (@7a_)
  • Bug fix: Solved a storage capacity calculation issue when sessvars was chosen as the JavaScript storage <=> Abraham Aranguren (@7a_)
  • Installed the latest stable whatweb version, which fixed some issues after updating BT5 R1 <=> Abraham Aranguren (@7a_)
  • Enabled filter on load: Refreshing the report will now 1) Click on the Filter tab + 2) Click on the "show completed plugins only" filter => Showing only available info <=> Abraham Aranguren (@7a_)
  • Bug fix: The unique html counter db was being corrupted under special circumstances (6+ multi-runs) <=> Abraham Aranguren (@7a_)
  • Moved suggested commands from active fingerprint to passive: They are only suggested. Also created powerful primitive to suggest commands more efficiently <=> Abraham Aranguren (@7a_)
  • Bug fix: Spider was using the previous DB instead of the one for scraped/potential URLs <=> Abraham Aranguren (@7a_)
  • Bug fix/Enhancement: Serious improvements to CMS Explorer import dictionaries script: Dictionaries are now converted into DirBuster format and CMS-specific <=> Abraham Aranguren (@7a_)
  • After above, created new configuration lines for CMS-specific dictionaries: all, wordpress all, wordpress plugins, etc from the DirBuster format import (thx CMS Explorer). <=> Abraham Aranguren (@7a_)

18/11/2011 - 0.04 pre-alpha release - Lots of improvements, widely unpublished

  • Re-architecture to simplify code a bit more (general clean-up) <=> Abraham Aranguren (@7a_)
  • Lots of bug fixes <=> Abraham Aranguren (@7a_)
  • Implemented (hopefully) robust error/exception handling that facilitates bug reporting and tries to save as much partial data as possible for the user when a crash happens <=> Abraham Aranguren (@7a_)
  • Implemented new HTTP method support in reporter module (HEAD, OPTIONS, TRACE, DEBUG and PUT -PUT still buggy-) <=> Abraham Aranguren (@7a_)
  • Improved DB format and implemented a few caching functions to speed the framework <=> Abraham Aranguren (@7a_)
  • Implemented naming convention to distinguish scope from external DB transactions <=> Abraham Aranguren (@7a_)
  • Implemented logging of transaction parts separately as well as in full: 4 files saved per transaction -> full, request, resp. headers and resp. body <=> Abraham Aranguren (@7a_)
  • Created new Reporting functions to show Transactions as tables easily from plugins (reporter.py: DrawHTTPTransactionTable and relatives) <=> Abraham Aranguren (@7a_)
  • Created new mRandom module to build random strings on the fly <=> Abraham Aranguren (@7a_)
  • Centralised helper functions into a single library called general.py (will consider separating when there are more functions) <=> Abraham Aranguren (@7a_)
  • Improved Transaction log and main report significantly and started to customise CSS a bit <=> Abraham Aranguren (@7a_)
  • Main config.cfg split into framework_config.cfg and user_config.cfg to keep settings separate, the framework loads all settings on the Config object <=> Abraham Aranguren (@7a_)
  • Added outbound proxy support for owtf requests only and a proxy check on start-up <=> Abraham Aranguren (@7a_)
  • Serious refactoring of database and related fixes elsewhere in the framework: Now broken down into: db, url_manager, transaction_manager and run_manager <=> Abraham Aranguren (@7a_)
  • Moved plugin_handler and plugin_helper into a plugin module (aka "directory") <=> Abraham Aranguren (@7a_)
  • Significant improvements in Header Analysis and Reporting <=> Abraham Aranguren (@7a_)
  • Lots of error handling bug fixes <=> Abraham Aranguren (@7a_)
  • Moved transaction.py and requester.py into a http module (aka "directory") <=> Abraham Aranguren (@7a_)
  • Added handy links section to report at the top: OWASP Testing Guide, CVSS advanced calculator, Hackvertor, etc <=> Abraham Aranguren (@7a_)
  • Changed grep plugin behaviour: Grep plugins will automatically be run after semi_passive and then again after active plugins run + always overwritten <=> Abraham Aranguren (@7a_)
  • Built reusable response pattern matching primitives <=> Abraham Aranguren (@7a_)
  • Fixed nasty run DB data corruption bug (only happened on the first 2 runs) <=> Abraham Aranguren (@7a_)
  • Added autocomplete plugin that looks for password fields <=> Abraham Aranguren (@7a_)

01/11/2011 - 0.01 pre-alpha release - Basic proof of concept, widely unpublished :) <=> Abraham Aranguren (@7a_)