OWTF penetration testing framework combines OWASP Top 10, PTES and NIST

Offensive Web Testing Framework (OWTF) is an Open Web Application Security Project (OWASP) development focused on the efficiency of penetration testing and the alignment of safety testing with marked standards such as the OWASP test guide (v3 and v4), OWASP Top 10, the National Institute of Standards and Technology (NIST) and the Penetration Testing Execution Standard (PTES) so that pentesters have more time to deploy tasks such as:

  • Find, verify, and combine vulnerabilities in an efficient way
  • Have more time to investigate complex vulnerabilities such as business logic, architectural flaws, or virtual hosting sessions
  • Demonstrate a true impact despite the short periods of time normally given to test vulnerabilities

The tool is highly customizable and anyone can create simple plugins or add new tests in the configuration files without having development experience. Nonetheless, this tool is not a full security solution and will only be as good as the pentester using it, as it will require understanding and experience to correctly interpret the result of the tool and decide what to investigate further to demonstrate the impact.

According to pentesting specialists, OWTF main features include:

  • Resiliency: If a tool happens to fail, OWTF will move to the next tool/test, saving the partial output of the tool until it crashes
  • Test Separation: OWTF separates your traffic to the destination into mainly 3 types of plugins
    • Passive: There is no traffic heading to the target
    • Semi passive : normal traffic to the target
    • Active : vulnerability direct probe
  • Web Interface: Easily manage high-penetration interactions
  • Interactive reports
  • Automated classifications of add-ons from the output of the tool, fully configurable by the user
  • Configurable risk classifications

The tool is available through the official OWASP platforms.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.