Building Offensive Web Security Framework in Python
Bharadwaj Machiraju (~tunnelshade)
There are lots of good tools out there that facilitate security testing of web applications for different classes of vulnerabilities. As a penetration tester or a developer, running these tools along with some custom tests is always a requirement. Calling those tools by remembering their command-line arguments, and organising the data they collect, is a difficult task. Repeating this task manually multiple times might make you go crazy. As this is PyCon, Python comes to the rescue.
Offensive Web Testing Framework (OWTF) is a security testing framework built using Python to solve the above-mentioned problem. The aim of the talk is to show that Python can be used for creating such a solution. The audience will look at the internals of OWTF along with some modules, such as:
- a fast MiTM HTTP(S) proxy
- a WAF fuzzer
- an ajax crawler
- a tool result parsing library, etc.
A brief list of the topics that will be presented:
- OWTF Architecture and used python libraries
- Implementation and Categorisation of security tests
- Assembling tool outputs and parsing them using python
- Writing your own tests
- Integrating OWTF into your development cycle
- Lessons learnt during the development of OWTF
- Tips for building a similar framework or contributing towards OWTF!
Finally, after the talk a keen listener will be able to:
- Get some basic idea of building security tools/tests using Python.
- Create a simple web testing framework or utilities.
- Learn about some well-known security tools.
Prerequisites:
- Basic Python
- Understanding of basic HTTP is helpful & web application development experience is a big plus
Some links of the project:
Bharadwaj Machiraju is an Electronics Engineering student by fate but an Information Security enthusiast by choice, and is interested in building web application security testing tools using Python. He is the project leader of OWASP OWTF. His latest tool is Flashbang, an open source Flash security helper. He has presented at a couple of conferences (BruCON 2014 & NULLCON 2014). Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.