It has been a long wait, but finally, OWTF 2.0a “Tikka Masala” is here!

Although partly a tribute to delicious Indian food, this release is especially dedicated to all those hard-working Indian contributors who have continuously demonstrated their passion, professionalism, brainpower and incredible performance, without which OWTF would not be the awesome tool it is today. This release is named after all of you, thank you!

IMPORTANT: Migrating from 1.0.1 to 2.0a includes breaking changes and requires a complete DB clean and initialisation. Use the installer and the script scripts/db_setup.sh to do that. If you are already on the develop branch, you can directly pull the latest changes.

Therefore, if you are coming from an old OWTF version, please run the following commands after downloading OWTF 2.0:

WARNING: This will delete everything in your OWTF database! Back up the existing database first if you still need any of its data.

bash scripts/db_setup.sh clean
bash scripts/db_setup.sh init

New to OWTF? No problem!

Get it here 🙂

Release Notes

This release includes many new features and countless bug fixes. It would not have been possible without the help of a number of pre-GSoC contributors, mentors, and everybody who sent us cool ideas, feedback or bug reports, and in particular our Indian contributors, to whom it is dedicated. As a wrapper tool that depends on many other tools, the migration from Kali 1.x to Kali 2.x was a little bumpy: that road saw more bug fixes and reports from new contributors and users, occasional feature requests and countless long-overdue fixes, all of which made this release possible.

Important Features and fixes

Kali 2.x support

Functional test suite included => build passing(!)

Progress bar added to the web interface

HTTPrint signatures updated

Updated CMS Explorer lists

Minimal auxiliary plugin support added back

SSL Labs API integration

Resolves SQLAlchemy deadlock and improves proxy handling

Fixes all Metasploit plugin functionality

General UI improvements

CWE and OWASP Top 10 mappings

Improved worker UI controls: adds Pause All / Resume All functionality

Supports Debian-based distributions

Target manager UI improvements: bulk delete/remove

Implemented enhancements:

xxx_testgroups.cfg should be moved to /profiles #670

OWTF takes few steps to start #638

Session Modal breaks for large session names #635

Check for tools before running commands #632

Adding Issue and Pull Request templates #599

Debian and Samurai install scripts are not executable. #573

Increase readability of manual installation output on terminal. #564

Installer Issues #534

Passive google searches should use @@@domain@@@ instead of @@@host_path@@@ #529

Increase proxy CA security #526

Add https://censys.io/ to the passive search #523

install/install.py skip sudo password #519

Using a remote server #510

potential command to add to the install scripts (develop branch) #473

Timestamps not present in transaction log #472

Evaluate the possible implementation of JS templating for all client-side OWTF interactions #467

External XSS plugin resource: XSS Payloads #466

What is the hurdle in doing passive scan’s #464

Rank should collapse the plugin, at least in some cases #459

Suggested improvements for the transaction log #458

Integration with punk spider for passive tests #457

Clean up colours from various tools prior to saving it in a file #456

Export targets feature (UI) #454

Lack of filters on target page (UI) #453

Improve curl commands #446

CPU spikes: Lack of Indexing on OWTF db? #444

Add “Pause All / Resume All” to the worker monitoring #440

Review OWTF CPU usage post-DirBuster #437

Smarter Runner #430

Unable to “delete all” from worklist on UI #427

OWTF should check if postgresql client is installed as well #413

External Command Injection plugin link #412

Mobile responsive #406

[develop] OWTF should start NET plugins when target is an IP #375

ImportError: No module named backports.ssl_match_hostname #374

Settings > HTTP AUTH #369

Setup gemnasium #358

Worklist search boxes should not be case sensitive #355

Automated Bug reporter improvement #352

Possible improvement for the UI worker buttons #350

Minor intuitiveness improvements #349

Arachni changed from –user-agent to –http-user-agent #347

Ensure running postgres before running install script #337

Issues on Ubuntu #334

OWTF should check if postgres is running #311

[zest] Updating the zest jars #293

[wapiti] HTML report is not available anymore #287

Moving external plugin reports away from targets subreports #111

Check if the service that is going to be scanned speaks HTTP before launching ANY web test #108

filter by severity feature added #576 (saganshul)

Fixed bugs