OWASP: OWTF

By Bharadwaj Machiraju on 24 Sep 2014 @ Brucon
#security-assessment #application-pentesting #dynamic-analysis #security-tools #owasp
Focus Areas: 🔐 Application Security, ⚙️ DevSecOps, 🦠 Malware Analysis, 🎯 Penetration Testing, 🔍 Vulnerability Management, 🌐 Web Application Security
This talk covers the following tools, which the speaker authored or contributed to:
OWTF

AI Generated Summary

The presentation introduces the Offensive Web Testing Framework (OWTF), a comprehensive tool designed to integrate and streamline web application security testing. OWTF addresses common tester requirements by providing a unified browser-based interface that eliminates manual command-line interaction, centralizes storage of test data, and aggregates all HTTP transactions from various tools into a single, searchable log.

Key features include a plugin system that categorizes tests (passive, active, network) based on standards like the OWASP Testing Guide, a robust transaction log with advanced search capabilities (by response code, headers, body content, or URL), and a checklist system to track coverage. A custom high-performance proxy records every request, and a worker management system allows pausing, resuming, or reordering running plugins, which addresses issues like network interruptions. The framework also automates report generation and knowledge resource linking.

Two integrated tools are highlighted: Botnet Mode, which rotates user IPs via proxy lists or Tor to evade IP-based blocking during tests, and WAF Bypasser, which automates Web Application Firewall (WAF) bypass by detecting filtered characters and encoding payloads, including identification of WAF rule zero-days.

Finally, the talk details a significant codebase refactoring applying SOLID principles—specifically single responsibility, interface segregation, and dependency inversion—to reduce coupling and improve maintainability. This involved introducing a service locator pattern, abstract base classes to enforce component contracts, and automated dependency resolution, making the framework more extensible and sustainable for long-term development.

Practical implications include reduced manual overhead, comprehensive audit trails, resilience during long-running tests, and a foundation for adding new tools or checks without architectural overhaul. The project emphasizes usability for testers while maintaining engineering rigor for developers.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.