SlideShare a Scribd company logo

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Download as ODP, PDF
Mauro Risonho de Paula Assumpcao
Mauro Risonho de Paula Assumpcao

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Software
1 of 22
OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests! Mauro Risonho de Paula Assumpçao aka firebitsbr Sao Paulo, Brasil - 2014
$WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security
Agenda ● OWTF Intro – Instalando OWTF com o Kali (apenas tools web) ● Executando OWTF – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing ● Conclusao ● Q&A
Email do Autor
Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
Steps - http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso - http://docs.kali.org/network-install/kali-linux-network-mini-iso-install - https://www.owasp.org/index.php/OWASP_OWTF - github git clone git://github.com/owtf/owtf.git - OWTF 0.45.0 Winter Blizzard wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz tar -xvvf v0.45.0_Winter_Blizzard.tar.gz kali-linux-web = Kali Linux web app assessment tools (group install) apt-get install kali-linux-web -y
Install – via git #git clone https://github.com/owtf/owtf.git #cd /root/owtf/install #python install.py #YES, YES, YES...FOREVER!
Escolher opcao 1
Escolher “Y” YES
Acabou de instalar com sucesso! :)
Definir quais tools usar #vim /root/owtf/profiles/general/default.cfg Framework path: @@@FRAMEWORK_DIR@@@/tools/... #TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb- 0.4.7/whatweb TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatwe b-0.4.7/whatweb
OWTF CLI python owtf.py -h|more
Listar plugins OWTF - Web Attacks # python owtf.py -l web
Simulation mode Simulation mode “-s ”: 1) SIMULATES what OWTF will do (so it does not do it!): 2) Is useful to check the effect of a command before running it #python owtf.py -s https://accounts.google.com | more
DEMO python owtf.py www.google.com
Reports? ● file:///root/owtf/owtf_review/index.html –
DEMOS – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing
Conclusao ● OWASP OWTF um framework que automatiza e faz ganhar muito tempo em pentest(s) com foco em targets em web applications e infraweb, nas tarefas rotineiras, mas pentests customizados, apenas agrega um pouco mais valor, mas nao substitui o processo manual, inteligente e humano.
Duvidas?
$WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security

Recommended

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
Mauro Risonho de Paula Assumpcao
 
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)Tobias Liebig
 
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and JenkinsScalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
mhelmich
 
Instant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and PuppetInstant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and Puppet
Patrick Lee
 
T3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surfT3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surf
Tobias Liebig
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React Components
Zack Argyle
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React Components
Zack Argyle
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
UTD Computer Security Group
 

Recommended

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
Mauro Risonho de Paula Assumpcao
 
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)Tobias Liebig
 
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and JenkinsScalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
mhelmich
 
Instant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and PuppetInstant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and Puppet
Patrick Lee
 
T3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surfT3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surf
Tobias Liebig
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React Components
Zack Argyle
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React Components
Zack Argyle
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
UTD Computer Security Group
 
Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
Anant Shrivastava
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
AOE
 
The typo3.org Relaunch Project
The typo3.org Relaunch ProjectThe typo3.org Relaunch Project
The typo3.org Relaunch Project
AOE
 
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
CONNECT FOUNDATION
 
5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)
Erwin Elling
 
Erjang
ErjangErjang
ErjangJéferson Machado
 
Firefox os how large open source project works
Firefox os how large open source project worksFirefox os how large open source project works
Firefox os how large open source project works
Fred Lin
 
镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
Bean Tsang
 
Git and the inQbation Experience
Git and the inQbation ExperienceGit and the inQbation Experience
Git and the inQbation Experience
Blake Newman
 
Code analysis for a better future
Code analysis for a better futureCode analysis for a better future
Code analysis for a better future
gilforcada
 
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
CONNECT FOUNDATION
 
LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...
将之 小野
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
Raghunath G
 
An introduction to Phing the PHP build system
An introduction to Phing the PHP build systemAn introduction to Phing the PHP build system
An introduction to Phing the PHP build system
Jeremy Coates
 
Phing
PhingPhing
Phing
Jeremy Coates
 
An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)
Jeremy Coates
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
c0c0n2010 -
c0c0n2010 - c0c0n2010 -
c0c0n2010 - Mauro Risonho de Paula Assumpcao
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
SmartBear
 

More Related Content

What's hot

Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
Anant Shrivastava
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
AOE
 
The typo3.org Relaunch Project
The typo3.org Relaunch ProjectThe typo3.org Relaunch Project
The typo3.org Relaunch Project
AOE
 
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
CONNECT FOUNDATION
 
5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)
Erwin Elling
 
Firefox os how large open source project works
Firefox os how large open source project worksFirefox os how large open source project works
Firefox os how large open source project works
Fred Lin
 
镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
Bean Tsang
 
Git and the inQbation Experience
Git and the inQbation ExperienceGit and the inQbation Experience
Git and the inQbation Experience
Blake Newman
 
Code analysis for a better future
Code analysis for a better futureCode analysis for a better future
Code analysis for a better future
gilforcada
 
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
CONNECT FOUNDATION
 
LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...
将之 小野
 

What's hot (12)

Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
 
The typo3.org Relaunch Project
The typo3.org Relaunch ProjectThe typo3.org Relaunch Project
The typo3.org Relaunch Project
 
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
 
5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)
 
Erjang
ErjangErjang
Erjang
 
Firefox os how large open source project works
Firefox os how large open source project worksFirefox os how large open source project works
Firefox os how large open source project works
 
镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
 
Git and the inQbation Experience
Git and the inQbation ExperienceGit and the inQbation Experience
Git and the inQbation Experience
 
Code analysis for a better future
Code analysis for a better futureCode analysis for a better future
Code analysis for a better future
 
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
 
LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...
 

Similar to Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
Raghunath G
 
An introduction to Phing the PHP build system
An introduction to Phing the PHP build systemAn introduction to Phing the PHP build system
An introduction to Phing the PHP build system
Jeremy Coates
 
Phing
PhingPhing
Phing
Jeremy Coates
 
An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)
Jeremy Coates
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
SmartBear
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec California
leifdreizler
 
Beyond QA
Beyond QABeyond QA
Beyond QA
gilforcada
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
Zack Meyers
 
Django getting start
Django getting startDjango getting start
Django getting start
shengwu83
 
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
Chen Cheng-Wei
 
WebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingWebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testing
Daniel Chivescu
 
Auto integration testing
Auto integration testingAuto integration testing
Auto integration testingArthur Yueh
 
Slim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkSlim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sink
Joe Ferguson
 
Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)
Sergio Navarro Pino
 

Similar to Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests (20)

Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
 
An introduction to Phing the PHP build system
An introduction to Phing the PHP build systemAn introduction to Phing the PHP build system
An introduction to Phing the PHP build system
 
Phing
PhingPhing
Phing
 
An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
c0c0n2010 -
c0c0n2010 - c0c0n2010 -
c0c0n2010 -
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec California
 
Beyond QA
Beyond QABeyond QA
Beyond QA
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Django getting start
Django getting startDjango getting start
Django getting start
 
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
 
WebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingWebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testing
 
Auto integration testing
Auto integration testingAuto integration testing
Auto integration testing
 
Slim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkSlim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sink
 
Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)
 

More from Mauro Risonho de Paula Assumpcao

Árvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguroÁrvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguro
Mauro Risonho de Paula Assumpcao
 
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando FreebsdBSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
Mauro Risonho de Paula Assumpcao
 
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTsTendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Mauro Risonho de Paula Assumpcao
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Mauro Risonho de Paula Assumpcao
 
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
Mauro Risonho de Paula Assumpcao
 
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
Mauro Risonho de Paula Assumpcao
 
Site blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender maisSite blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender mais
Mauro Risonho de Paula Assumpcao
 
Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013
Mauro Risonho de Paula Assumpcao
 
Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013
Mauro Risonho de Paula Assumpcao
 
Nessus Scanner Vulnerabilidades
Nessus Scanner VulnerabilidadesNessus Scanner Vulnerabilidades
Nessus Scanner Vulnerabilidades
Mauro Risonho de Paula Assumpcao
 
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
Mauro Risonho de Paula Assumpcao
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Mauro Risonho de Paula Assumpcao
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Mauro Risonho de Paula Assumpcao
 
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHCOficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Mauro Risonho de Paula Assumpcao
 
Backtrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirimBacktrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirim
Mauro Risonho de Paula Assumpcao
 
Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2
Mauro Risonho de Paula Assumpcao
 
Backtrack 4 nessus
Backtrack 4 nessusBacktrack 4 nessus
Backtrack 4 nessus
Mauro Risonho de Paula Assumpcao
 
Backtrack4 inguma
Backtrack4 ingumaBacktrack4 inguma
Backtrack4 inguma
Mauro Risonho de Paula Assumpcao
 

More from Mauro Risonho de Paula Assumpcao (20)

Árvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguroÁrvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguro
 
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando FreebsdBSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
 
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTsTendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
 
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
 
Site blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender maisSite blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender mais
 
Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013
 
Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013
 
2013 - 4 Google Open Source Jam
2013 - 4 Google Open Source Jam2013 - 4 Google Open Source Jam
2013 - 4 Google Open Source Jam
 
Nessus Scanner Vulnerabilidades
Nessus Scanner VulnerabilidadesNessus Scanner Vulnerabilidades
Nessus Scanner Vulnerabilidades
 
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
 
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHCOficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
 
3 google open souce jam- a - hardening
3 google open souce jam- a - hardening3 google open souce jam- a - hardening
3 google open souce jam- a - hardening
 
Backtrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirimBacktrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirim
 
Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2
 
Backtrack 4 nessus
Backtrack 4 nessusBacktrack 4 nessus
Backtrack 4 nessus
 
Backtrack4 inguma
Backtrack4 ingumaBacktrack4 inguma
Backtrack4 inguma
 

Recently uploaded

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Jay Das
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
Tier1 app
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 

Recently uploaded (20)

Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
First Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User EndpointsFirst Steps with Globus Compute Multi-User Endpoints
First Steps with Globus Compute Multi-User Endpoints
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfEnhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdf
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERROR
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

  • 1. OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests! Mauro Risonho de Paula Assumpçao aka firebitsbr Sao Paulo, Brasil - 2014
  • 2. $WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security
  • 3. Agenda ● OWTF Intro – Instalando OWTF com o Kali (apenas tools web) ● Executando OWTF – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing ● Conclusao ● Q&A
  • 5. Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  • 6. OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
  • 7. Steps - http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso - http://docs.kali.org/network-install/kali-linux-network-mini-iso-install - https://www.owasp.org/index.php/OWASP_OWTF - github git clone git://github.com/owtf/owtf.git - OWTF 0.45.0 Winter Blizzard wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz tar -xvvf v0.45.0_Winter_Blizzard.tar.gz kali-linux-web = Kali Linux web app assessment tools (group install) apt-get install kali-linux-web -y
  • 8. Install – via git #git clone https://github.com/owtf/owtf.git #cd /root/owtf/install #python install.py #YES, YES, YES...FOREVER!
  • 11. Acabou de instalar com sucesso! :)
  • 12. Definir quais tools usar #vim /root/owtf/profiles/general/default.cfg Framework path: @@@FRAMEWORK_DIR@@@/tools/... #TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb- 0.4.7/whatweb TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatwe b-0.4.7/whatweb
  • 13.
  • 14. OWTF CLI python owtf.py -h|more
  • 15. Listar plugins OWTF - Web Attacks # python owtf.py -l web
  • 16. Simulation mode Simulation mode “-s ”: 1) SIMULATES what OWTF will do (so it does not do it!): 2) Is useful to check the effect of a command before running it #python owtf.py -s https://accounts.google.com | more
  • 17. DEMO python owtf.py www.google.com
  • 19. DEMOS – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing
  • 20. Conclusao ● OWASP OWTF um framework que automatiza e faz ganhar muito tempo em pentest(s) com foco em targets em web applications e infraweb, nas tarefas rotineiras, mas pentests customizados, apenas agrega um pouco mais valor, mas nao substitui o processo manual, inteligente e humano.
  • 22. $WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security