OWTF aims to make pen testing:
- Aligned with OWASP Testing Guide + PTES + NIST
- More efficient
- More comprehensive
- More creative and fun (minimise un-creative work)
so that pentesters will have more time to
- See the big picture and think out of the box
- More efficiently find, verify and combine vulnerabilities
- Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
- Perform more tactical/targeted fuzzing on seemingly risky areas
- Demonstrate true impact despite the short timeframes we are typically given to test.
The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.
OWTF uses “Scumbag spidering”, i.e. instead of implementing yet another spider (a hard job), OWTF scrubs the output of all tools/plugins it runs to gather as many URLs as possible.
This is somewhat “cheating” but tremendously effective, since it combines the results of different tools, including several tools that brute force files and directories.
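The harvesting idea above, as an added illustration that is not OWTF's own code: a minimal "scumbag spider" that takes the text output of whatever tools have already run, pulls out every URL, de-duplicates them, keeps only hosts inside the agreed scope, and records which tool produced each one. The runner also streams a tool's output line by line so that whatever it printed before a crash is still retained, which is the partial-output behaviour described further down. The tool names, the sample output lines, the scope host `target.example` and every function name here are assumptions for the example.

```python
"""Added example (not OWTF's own code): harvest URLs from tool output.

Rather than crawling, URLs are scrubbed from the text that already-run
tools printed, merged, de-duplicated and limited to in-scope hosts.
Tool names, sample lines and the scope host are constructed for the demo.
"""
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Absolute http(s) URLs; characters tools often wrap around a URL stop the match.
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+")
TRAILING_PUNCT = ".,;:!?"

# Constructed sample output from three hypothetical tools (not real tool output).
SAMPLE_OUTPUTS = {
    "dirbuster": [
        "+ http://target.example/admin/ (CODE:200)",
        "+ http://target.example/backup.zip (CODE:403)",
    ],
    "nikto": [
        "+ Admin login page found at http://target.example/admin/, manual review advised",
        "+ See http://cirt.net/nikto for usage notes",      # out of scope, must be dropped
    ],
    "curl-headers": [
        "Location: https://www.target.example/login?next=/admin/",
    ],
}
SCOPE_HOST = "target.example"

# A stand-in "tool" that prints two URLs and then exits non-zero, simulating a crash.
CRASHING_TOOL_CMD = [
    sys.executable, "-c",
    "print('http://target.example/a'); print('http://target.example/b'); raise SystemExit(3)",
]


def run_tool(cmd, timeout=30):
    """Run a tool and return (return_code, lines); lines are kept even if it crashes."""
    lines = []
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    try:
        for line in proc.stdout:          # streamed, so partial output survives a crash
            lines.append(line.rstrip("\n"))
        proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
    return proc.returncode, lines


def in_scope(host, scope_host):
    """True for the scope host itself and any of its subdomains."""
    return host is not None and (host == scope_host or host.endswith("." + scope_host))


def scrub_urls(outputs, scope_host):
    """Map each in-scope URL to the set of tool names whose output mentioned it."""
    found = {}
    for tool, lines in outputs.items():
        for line in lines:
            for raw in URL_RE.findall(line):
                url = raw.rstrip(TRAILING_PUNCT)
                if not in_scope(urlsplit(url).hostname, scope_host):
                    continue                  # never keep (or later request) out-of-scope hosts
                found.setdefault(url, set()).add(tool)
    return found


if __name__ == "__main__":
    rc, partial = run_tool(CRASHING_TOOL_CMD)
    print(f"crashing tool exited {rc}, {len(partial)} line(s) saved before the crash")
    for url, tools in scrub_urls(SAMPLE_OUTPUTS, SCOPE_HOST).items():
        print(f"{url}  <- {', '.join(sorted(tools))}")
```

Tracking which tools reported a URL is what makes combining results useful: a path seen by both a directory brute-forcer and a scanner is a stronger lead than one mentioned once, and the scope check stops third-party links that tools print in their banners from ever entering the URL set.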
If one tool crashes, OWTF will move on to the next tool/test, saving the partial output the tool produced up to the crash. OWTF also allows you to monitor worker processes and estimated plugin runtimes.
If your internet connectivity or the target host goes down during an assessment, you can pause the relevant worker processes and resume them later, losing as little data as possible.