https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Munir+NjiruOWASP - User contributions [en]2026-04-29T06:42:54ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Kenya&diff=219343Kenya2016-07-26T13:06:02Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. You can download the conference program here[http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf]<br />
<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
=Africahackon 2016= <br />
'''Event Date: 28th -29th July 2016'''<br />
<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
Download the Conference Program [http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf].<br />
<br />
Get the tickets here [https://www.ticketsasa.com/events/eventdetail/view/2062/index.php https://www.ticketsasa.com/events/eventdetail/view/2062/index.php].<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=219342Kenya2016-07-26T13:05:47Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. You can download the conference program here[http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf]<br />
<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
=Africahackon 2016= <br />
'''Event Date: 28th -29th July 2016'''<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
Download the Conference Program [http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf].<br />
<br />
Get the tickets here [https://www.ticketsasa.com/events/eventdetail/view/2062/index.php https://www.ticketsasa.com/events/eventdetail/view/2062/index.php].<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=219341Kenya2016-07-26T13:05:16Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. You can download the conference program here[http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf]<br />
<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
=Africahackon 2016= <br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
Download the Conference Program [http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf].<br />
<br />
Get the tickets here [https://www.ticketsasa.com/events/eventdetail/view/2062/index.php https://www.ticketsasa.com/events/eventdetail/view/2062/index.php].<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=219340Kenya2016-07-26T13:03:46Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. You can download the conference program here[http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf]<br />
<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
=Africahackon 2016= <br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
Download the [http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf Conference Program].<br />
<br />
Get the tickets [https://www.ticketsasa.com/events/eventdetail/view/2062/index.php https://www.ticketsasa.com/events/eventdetail/view/2062/index.php here].<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=219338Kenya2016-07-26T13:01:07Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. You can download the conference program here[http://africahackon.com/wp-content/uploads/2016/07/AfricaHackOn-3rd-Conference-Schedule-2016-latest.pdf]<br />
<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=219337Kenya2016-07-26T11:57:46Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''28th- 29th July 2016''' - 3rd Annual Africahackon conference. <br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212736OWASP Mth3l3m3nt Framework Project2016-04-08T12:30:59Z<p>Munir Njiru: /* Videos */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
View the videos tab for an up to date list of videos.<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Videos =<br />
* [https://www.youtube.com/watch?v=ETnAmV3dxRE OWASP Mth3l3m3nt Framework vs bWAPP (Stored XSS Case)]<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OWASP Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OWASP Mth3l3m3nt Framework Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OWASP Mth3l3m3nt Framework Linux Installation]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212735OWASP Mth3l3m3nt Framework Project2016-04-08T12:30:01Z<p>Munir Njiru: /* Videos */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
[https://www.owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project#Videos_2 Click Here for Videos]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Videos =<br />
* [https://www.youtube.com/watch?v=ETnAmV3dxRE OWASP Mth3l3m3nt Framework vs bWAPP (Stored XSS Case)]<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OWASP Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OWASP Mth3l3m3nt Framework Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OWASP Mth3l3m3nt Framework Linux Installation]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212734OWASP Mth3l3m3nt Framework Project2016-04-08T12:29:13Z<p>Munir Njiru: /* Videos */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
View the Videos tab for an up to date list of videos in relation to Mth3l3m3nt <br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Videos =<br />
* [https://www.youtube.com/watch?v=ETnAmV3dxRE OWASP Mth3l3m3nt Framework vs bWAPP (Stored XSS Case)]<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OWASP Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OWASP Mth3l3m3nt Framework Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OWASP Mth3l3m3nt Framework Linux Installation]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212733OWASP Mth3l3m3nt Framework Project2016-04-08T12:27:53Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
View the Videos tab for an up to date list of videos in relation to Mth3l3m3nt <br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Videos =<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212732OWASP Mth3l3m3nt Framework Project2016-04-08T12:24:44Z<p>Munir Njiru: /* Contributors */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=212731OWASP Mth3l3m3nt Framework Project2016-04-08T12:23:56Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* Cookie Theft Database Module for potency in stored XSS attacks. <br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent. <br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=211406Kenya2016-03-18T13:53:11Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015'''<br />
<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=211405Kenya2016-03-18T13:49:18Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
'''20th-21st November 2015<br />
'''Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed<br />
====Security Events====<br />
<br />
=Multimedia University Bootcamp 2016= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at Multimedia University of Kenya (MMU) this year on 1st & 2nd of April. This marks the first Bootcamp at the University in the series of bootcamps across local universities. It will aim to raise more security aware individuals as they join the fields in development, forensics, offensive security etc. The key topics to be covered are: <br />
<br />
* Linux 101<br />
* Google Hacking <br />
* Android Forensics<br />
* Network Security<br />
* Web Security<br />
* GSM Security<br />
* Malware Analysis<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=211404Kenya2016-03-18T13:42:24Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''1st- 2nd April 2016''' - OWASP Kenyan Chapter and Africahackon will be holding a bootcamp at Multimedia University of Kenya in line with the plan to get information security to the young at heart so that we have more professionals in industry. <br />
<br />
20th-21st November 2015<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Events====<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=208547OWASP Mth3l3m3nt Framework Project2016-02-12T06:15:59Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
== Mailing List== <br />
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]<br />
<br />
==Updates==<br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=204782OWASP Mth3l3m3nt Framework Project2015-12-07T09:24:20Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
== Related Projects ==<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=204781OWASP Mth3l3m3nt Framework Project2015-12-07T09:23:38Z<p>Munir Njiru: /* Updates */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=204776OWASP Mth3l3m3nt Framework Project2015-12-07T09:21:10Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
==Project Website==<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]<br />
<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]<br />
<br />
==Issue Tracker==<br />
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203832OWASP Mth3l3m3nt Framework Project2015-11-25T13:40:41Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Videos==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OMF in Africahackon 2015 CTF]<br />
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OMF Windows Installation]<br />
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OMF Linux Installation]<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203577OWASP Mth3l3m3nt Framework Project2015-11-19T15:16:49Z<p>Munir Njiru: /* Road Map and Getting Involved */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203576OWASP Mth3l3m3nt Framework Project2015-11-19T15:15:56Z<p>Munir Njiru: /* Description */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203575OWASP Mth3l3m3nt Framework Project2015-11-19T15:15:23Z<p>Munir Njiru: /* Description */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203574OWASP Mth3l3m3nt Framework Project2015-11-19T15:14:23Z<p>Munir Njiru: /* Updates */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.<br />
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203573OWASP Mth3l3m3nt Framework Project2015-11-19T15:12:14Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Documentation==<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-09-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203572OWASP Mth3l3m3nt Framework Project2015-11-19T15:11:02Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-09-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.<br />
<br />
== Table of Contents ==<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=203570OWASP Mth3l3m3nt Framework Project2015-11-19T15:09:26Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
* Nov-09-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= User Guide =<br />
<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation on Linux running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation on Windows running Apache]<br />
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI exploits]<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.<br />
* Client Side Obfuscator<br />
* String Tools <br />
* Whois <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=File:Mth3l3m3nt-dashboard.PNG&diff=203527File:Mth3l3m3nt-dashboard.PNG2015-11-18T11:49:16Z<p>Munir Njiru: Munir Njiru uploaded a new version of &quot;File:Mth3l3m3nt-dashboard.PNG&quot;</p>
<hr />
<div></div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=203344Kenya2015-11-13T10:07:02Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
20th-21st November 2015<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Events====<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website] The schedule of topics to be taught that day can be downloaded [http://www.africahackon.com/assets/bootcamps/Bootcamp_Schedule_JKUAT.pdf here].<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=203343Kenya2015-11-13T09:52:28Z<p>Munir Njiru: /* Security Happenings */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
20th-21st November 2015<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Events====<br />
<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website]<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=203342Kenya2015-11-13T09:52:07Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
20th-21st November 2015<br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Happenings====<br />
=JKUAT Bootcamp 2015= <br />
Africahackon and OWASP Kenyan Chapter are holding a bootcamp at JKUAT (Jommo Kenyatta University of Agriculture & Technology) University this year. This marks it as the second bootcamp to grace the university. For more information on the training sessions taking place visit the [http://africahackon.com/africa/training Africahackon Website]<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=200516Kenya2015-09-14T11:07:09Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
<br />
[[File:TUK-Bootcamp.jpg]]<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Happenings====<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=200514Kenya2015-09-14T11:05:54Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
'''TUK Bootcamp 2015 (25th-26th September)'''<br />
[[File:TUK-Bootcamp.jpg]]<br />
<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
overed <br />
====Security Happenings====<br />
<br />
=TUK Bootcamp= <br />
Africahackon will be holding a series of bootcamps in relation to security.<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=200512Kenya2015-09-14T11:03:43Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] and [mailto:Alex.mathenge@owasp.org Alex Mathenge] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
<br />
====Security Happenings====<br />
=TUK Bootcamp=<br />
[[File:TUK-Bootcamp.jpg]]<br />
<br />
<br />
<br />
=Africahackon 2015=<br />
<br />
This Year the 2nd Africahackon Conference is happening on 31st July 2015 at the Ihub and OWASP Kenyan Chapter will be there, will you? . <br />
<br />
For more information, Visit the [http://www.africahackon.com Africahackon Website]<br />
<br />
Tickets can Be purchased [https://www.ticketsasa.com/events/eventdetail/view/1629/africahackon_2015 here]<br />
<br />
=About Africahackon=<br />
<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
AfricaHackOn houses not just ICT professionals but architects, electrical engineers, designers and business professionals. We have fun at what we do and boast of having a golden opportunity to shape the Information Security space across the continent.<br />
<br />
=TUK Bootcamp=<br />
<br />
Africahackon will be holding a bootcamp on the 25th - 26th September. Book your slot now<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=File:TUK-Bootcamp.jpg&diff=200511File:TUK-Bootcamp.jpg2015-09-14T11:01:39Z<p>Munir Njiru: TUK Bootcamp Banner 25th-26th September 2015</p>
<hr />
<div>TUK Bootcamp Banner 25th-26th September 2015</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=200503OWASP Mth3l3m3nt Framework Project2015-09-14T06:44:49Z<p>Munir Njiru: /* Updates */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=200502OWASP Mth3l3m3nt Framework Project2015-09-14T06:44:17Z<p>Munir Njiru: /* Quick Download */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=199053OWASP Mth3l3m3nt Framework Project2015-08-13T14:38:07Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=199052OWASP Mth3l3m3nt Framework Project2015-08-13T14:36:48Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
==Updates==<br />
* Aug-13-2015: Added [https://github.com/alienwithin/mth3l3m3nt-framework/tree/master/dev-docs Technical Documentation]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=199048OWASP Mth3l3m3nt Framework Project2015-08-13T10:38:03Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=User:Munir_Njiru&diff=199047User:Munir Njiru2015-08-13T10:36:29Z<p>Munir Njiru: </p>
<hr />
<div>[[File:Munir_Njiru_Profile_Picture.JPG]]<br />
<br />
'''About Me:'''<br />
<br />
I am a Cyber Security Consultant and researcher. I mainly focus on malware analysis, web and mobile based applications testing and methodologies. I am a member of the Africahackon team which is East Africa’s premier technical computer security collective that brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations.<br />
<br />
I am also a project leader for the OWASP Project dubbed "OWASP Mth3l3m3nt Framework" (https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project) which is an exploitation framework that aids in a number of activities and uses minimal resources as all it needs is a webserver which can even be run from an android phone without a problem and optionally a database server. It currently comes with the ability to manage web shells and command remote hosts from a central location over HTTP (HTTP Bot) , create custom LFI exploits in as little as 6 lines of code, do custom requests , Generate Web shells and store information on payloads and notes in different DB types if needed, currently it supports (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL). The framework is envisioned to cover attacks in the OWASP top 10 framework in full while maintaining its ease of deployment and use.<br />
<br />
Owasp Kenya is focusing on Educating the new entrants who are not market ready to create a culture of secure development as this is the biggest problem in the region in which Kenya is a technology hub. Their has been a need for information security training especially with the increase in techpreneurs within the region, this is done in collaboration with the Africahackon team to cover the spectrum of secure development and deployment in both campuses and technology hubs in the region to move people from SDLC to SSDLC. <br />
<br />
'''Contact Info:''' munir.njiru@owasp.org</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=199046OWASP Mth3l3m3nt Framework Project2015-08-13T10:34:36Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=198314OWASP Mth3l3m3nt Framework Project2015-08-03T12:08:44Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
==Presentations==<br />
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA Mth3l3m3nt Framework in Africahackon 2015 CTF]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=198126OWASP Mth3l3m3nt Framework Project2015-07-30T12:54:56Z<p>Munir Njiru: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=198096Kenya2015-07-29T14:18:14Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
2015 is a busy year in the information security field : <br />
In addition to the Africahackon Conference, the first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
<br />
====Security Happenings====<br />
<br />
=Africahackon 2015=<br />
<br />
This Year the 2nd Africahackon Conference is happening on 31st July 2015 at the Ihub and OWASP Kenyan Chapter will be there, will you? . <br />
<br />
For more information, Visit the [http://www.africahackon.com Africahackon Website]<br />
<br />
Tickets can Be purchased [https://www.ticketsasa.com/events/eventdetail/view/1629/africahackon_2015 here]<br />
<br />
=About Africahackon=<br />
<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
AfricaHackOn houses not just ICT professionals but architects, electrical engineers, designers and business professionals. We have fun at what we do and boast of having a golden opportunity to shape the Information Security space across the continent.<br />
<br />
=JKUAT Bootcamp=<br />
Africahackon in collaboration with the OWASP Kenyan Chapter had a free 2 day bootcamp between 3rd and 4th July 2015 at JKUAT (Jommo Kenyatta University of Agriculture and Technology) to sensitize them on security as they join the industry. <br />
<br />
<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=198095Kenya2015-07-29T14:17:04Z<p>Munir Njiru: /* Local News */</p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
The first Kenyan Project currently at OWASP is out titled [https://owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
<br />
====Security Happenings====<br />
<br />
=Africahackon 2015=<br />
<br />
This Year the 2nd Africahackon Conference is happening on 31st July 2015 at the Ihub and OWASP Kenyan Chapter will be there, will you? . <br />
<br />
For more information, Visit the [http://www.africahackon.com Africahackon Website]<br />
<br />
Tickets can Be purchased [https://www.ticketsasa.com/events/eventdetail/view/1629/africahackon_2015 here]<br />
<br />
=About Africahackon=<br />
<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
AfricaHackOn houses not just ICT professionals but architects, electrical engineers, designers and business professionals. We have fun at what we do and boast of having a golden opportunity to shape the Information Security space across the continent.<br />
<br />
=JKUAT Bootcamp=<br />
Africahackon in collaboration with the OWASP Kenyan Chapter had a free 2 day bootcamp between 3rd and 4th July 2015 at JKUAT (Jommo Kenyatta University of Agriculture and Technology) to sensitize them on security as they join the industry. <br />
<br />
<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=Kenya&diff=198094Kenya2015-07-29T14:16:48Z<p>Munir Njiru: </p>
<hr />
<div><br />
{{Chapter Template|chaptername=Kenya|extra=The chapter leader is [mailto:Munir.Njiru@owasp.org Munir Njenga] aided by [mailto:ruth.macharia@owasp.org Ruth Macharia] |mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Kenya|emailarchives=http://lists.owasp.org/pipermail/owasp-Kenya}}<br />
<br />
===Local News===<br />
The first Kenyan Project currently at OWASP is out titled [owasp.org/index.php/OWASP_Mth3l3m3nt_Framework_Project OWASP Mth3l3m3nt Framework]. It aims to make web penetration testing easier and use of less resources that are readily available platforms. <br />
<br />
====Security Happenings====<br />
<br />
=Africahackon 2015=<br />
<br />
This Year the 2nd Africahackon Conference is happening on 31st July 2015 at the Ihub and OWASP Kenyan Chapter will be there, will you? . <br />
<br />
For more information, Visit the [http://www.africahackon.com Africahackon Website]<br />
<br />
Tickets can Be purchased [https://www.ticketsasa.com/events/eventdetail/view/1629/africahackon_2015 here]<br />
<br />
=About Africahackon=<br />
<br />
Africahackon is East Africa’s premier technical computer security collective which brings together the individual talents of the best and brightest security professionals in the region, through live presentations, engaging discussions and hands on demonstrations. We are connoisseurs in a full range of defensive and offensive security topics are well versed in the theoretical aspect of cyber security and masters on the practical and tactical angle of the art.<br />
<br />
AfricaHackOn houses not just ICT professionals but architects, electrical engineers, designers and business professionals. We have fun at what we do and boast of having a golden opportunity to shape the Information Security space across the continent.<br />
<br />
=JKUAT Bootcamp=<br />
Africahackon in collaboration with the OWASP Kenyan Chapter had a free 2 day bootcamp between 3rd and 4th July 2015 at JKUAT (Jommo Kenyatta University of Agriculture and Technology) to sensitize them on security as they join the industry. <br />
<br />
<br />
<br />
<br />
__NOTOC__<br />
<headertabs/><br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Kenya]]<br />
[[Category:Africa]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=198030OWASP Mth3l3m3nt Framework Project2015-07-28T10:52:28Z<p>Munir Njiru: </p>
<hr />
<div><br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:<br />
* A web bot commander over HTTP to enable post-exploitation more easily<br />
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones. <br />
* A payload store to keep new and old payloads that you frequently use and lose. <br />
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same. <br />
* A web request module similar to hurl.it currently supporting GET/POST requests and data very useful when in need of fingerprinting based on server headers and response codes. <br />
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads. <br />
<br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier. <br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=198029OWASP Mth3l3m3nt Framework Project2015-07-28T10:37:16Z<p>Munir Njiru: /* Mth3l3m3nt Framework Project */</p>
<hr />
<div><br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are, a web bot commander over http to enable post-exploitation more easily, a shell generator , a payload store and an LFI , RFI exploiter. a web request service similar to hurl.it , and payload encoder and decoder. <br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. <br />
This is envisioned to be the same principle followed throughout the project.<br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiruhttps://wiki.owasp.org/index.php?title=OWASP_Mth3l3m3nt_Framework_Project&diff=198028OWASP Mth3l3m3nt Framework Project2015-07-28T10:36:56Z<p>Munir Njiru: /* Mth3l3m3nt Framework Project */</p>
<hr />
<div><br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==Mth3l3m3nt Framework Project==<br />
[[File:Mth3l3m3nt-dashboard.PNG|center|650px]]<br />
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.<br />
<br />
==Description==<br />
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers: <br />
<br />
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)<br />
* LFI/RFI exploitation Module<br />
* Web Shell Generator (ASP,PHP,JSP,JSPX)<br />
* Payload Encoder and Decoder<br />
* Custom Web Requester (GET/POST)<br />
* Web Herd (HTTP Bot tool to manage web shells)<br />
<br />
'''[https://github.com/alienwithin/mth3l3m3nt-framework Please contribute to this project.]<br />
'''<br />
<br />
==Licensing==<br />
<br />
<br />
'''The OWASP Mth3l3m3nt Framework is free to use.<br />
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.<br />
<br />
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== What is the OWASP Mth3l3m3nt Framework Project ==<br />
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.<br />
<br />
== Project Leader ==<br />
<br />
<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
<br />
== Related Projects ==<br />
<br />
<br />
* [[https://www.owasp.org/index.php/ZAP ZAP]]<br />
<br />
== Openhub ==<br />
<br />
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== Quick Download ==<br />
<br />
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.<br />
<br />
However, if you like you may also download the master repository from the following links:<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]<br />
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]<br />
<br />
<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here]. We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. <br />
<br />
The first contributors to the project were:<br />
<br />
* [https://www.owasp.org/index.php/User:Munir_Njiru Munir Njiru]<br />
* [https://github.com/ikkez Christian Knuth]<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.<br />
<br />
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are, a web bot commander over http to enable post-exploitation more easily, a shell generator , a payload store and an LFI , RFI exploiter. a web request service similar to hurl.it , and payload encoder and decoder. <br />
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. <br />
This is envisioned to be the same principle followed throughout the project.<br />
<br />
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!<br />
You do not have to be a security expert in order to contribute.<br />
Some of the ways you can help:<br />
* Helping find references to some new exploits.<br />
* Project administration support. <br />
* Wiki editing support.<br />
* Writing documentation for its use. <br />
* Bringing in fresh design principles from a UX perspective<br />
<br />
<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]] [[Category:OWASP_Tool]]</div>Munir Njiru