This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Pyttacker Project"
(Created page with "=Main= <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">link=</div> {| style="padding: 0;margin:0;margin-top:10px;t...") |
Mario Robles (talk | contribs) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
==Introduction== | ==Introduction== | ||
| − | + | Most of the time is spent on finding the bad stuff during a Web PenTest, writing reports is time consuming and you need to deliver the results as soon as possible, however in the end the one that will need to fix the issue (or push others to do it) will need to really understand the impact of the findings included in the report. When you show raw Database data from a SQLi it's very visible for your costumer that the impact is High, however when the finding need some other steps for being reproduced the impact become more complicated to be demonstrated to non technical people, just a "request" and "response" is not enough and how long are you willing to take for coding a working PoC and create a nice screenshot for being included in your report. | |
| + | What about using "something" that is the server you mention as hypothetic 'evil.com' that can be used by the bad guys against your costumer's company, even better if you know that the evil server is not that "evil" and you have full control of it, would be nice to have "something" handy and portable for reproducing those findings and grab nice screen-shots, what about reproducing the finding during that meeting when you are trying to show the impact of your findings, not just a pop-up alert for XSS, what if you show an inoffensive but scaring partial defacement or a javascript keylogger in action. | ||
| − | + | Sounds good ? if yes then Pyttacker will be an interesting tool for you | |
| − | |||
| − | |||
| − | |||
==Licensing== | ==Licensing== | ||
| − | OWASP | + | OWASP Pyttacker is free to use. It is licensed under GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project) |
| Line 29: | Line 27: | ||
== What is the OWASP Pyttacker Project? == | == What is the OWASP Pyttacker Project? == | ||
| − | + | Key characteristics: | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| + | * Minimal requirements (Just Python and a Web Browser) | ||
| + | * Cross-platform | ||
| + | * Portable | ||
| + | * Easy Plug-ins Implementation | ||
| + | * Easy to use | ||
== Project Leader == | == Project Leader == | ||
| − | Mario Robles | + | [mailto:[email protected] Mario Robles] |
| − | == | + | == Supporters == |
| − | * [[ | + | * [https://www.owasp.org/index.php/Costa_Rica OWASP Costa Rica] |
| + | * [https://www.roblest.com RoblesT.com] | ||
| Line 57: | Line 52: | ||
== Quick Download == | == Quick Download == | ||
| − | * | + | * [https://github.com/RoblesT/pyttacker/archive/master.zip Download] |
| − | + | * [https://github.com/RoblesT/pyttacker GitHub]: | |
| − | + | <pre> | |
| − | + | git clone https://github.com/RoblesT/pyttacker.git | |
| − | + | </pre> | |
| − | + | [https://github.com/RoblesT/pyttacker/wiki Manual and How-to] | |
| − | * [ | ||
| − | |||
| − | |||
| − | |||
| − | |||
| + | == Timeline == | ||
| + | * [25 March 2014] Project created | ||
| + | * [26 April 2014] New Alpha made public | ||
| + | * [29 July 2015] Improvements were added | ||
==Classifications== | ==Classifications== | ||
| Line 87: | Line 81: | ||
=FAQs= | =FAQs= | ||
| + | Have questions ? | ||
| − | ; | + | [mailto:[email protected] Send a message] or [https://lists.owasp.org/mailman/listinfo/owasp_pyttacker_project Subscribe] |
| − | : | + | ; How to get? |
| + | : Download it [https://github.com/RoblesT/pyttacker/archive/master.zip Here] or follow the instructions [https://github.com/RoblesT/pyttacker/wiki Here] | ||
| + | |||
| + | ; How to install? | ||
| + | : It is portable, no installation is required for using it | ||
| + | |||
| + | ; Where can I use it? | ||
| + | : The tool is coded in Python and has been tested on Linux (Ubuntu, Kali, Samurai), MAC and Windows | ||
| − | |||
| − | |||
= Acknowledgements = | = Acknowledgements = | ||
==Volunteers== | ==Volunteers== | ||
| − | + | Pyttacker is developed by a worldwide team of volunteers. The primary contributors to date have been: | |
| − | |||
| − | |||
| − | |||
| − | + | * Mario Robles | |
| − | * | + | [mailto:[email protected] Join us !] or [https://lists.owasp.org/mailman/listinfo/owasp_pyttacker_project Subscribe] |
| − | |||
= Road Map and Getting Involved = | = Road Map and Getting Involved = | ||
| Line 115: | Line 111: | ||
#Add integration with tools like OWASP ZAP and Burp Suite" | #Add integration with tools like OWASP ZAP and Burp Suite" | ||
| − | Involvement in the development and promotion of | + | Involvement in the development and promotion of Pyttacker is actively encouraged! |
You do not have to be a security expert in order to contribute. | You do not have to be a security expert in order to contribute. | ||
Some of the ways you can help: | Some of the ways you can help: | ||
| − | * | + | * QA Testing | Bug reporting |
| − | * | + | * Content Translation |
| + | * Plugin Development | ||
| + | * Core code improvements | ||
Latest revision as of 15:59, 18 December 2015
OWASP Pyttacker ProjectThe OWASP Pyttacker Project is a portable Web Server that include the features needed for every Pentester when creating reports, helping to create PoCs that show a more descriptive way to create awareness to the businesses by demonstrating realistic but inoffensive "attacks" included as part of the tool. IntroductionMost of the time is spent on finding the bad stuff during a Web PenTest, writing reports is time consuming and you need to deliver the results as soon as possible, however in the end the one that will need to fix the issue (or push others to do it) will need to really understand the impact of the findings included in the report. When you show raw Database data from a SQLi it's very visible for your costumer that the impact is High, however when the finding need some other steps for being reproduced the impact become more complicated to be demonstrated to non technical people, just a "request" and "response" is not enough and how long are you willing to take for coding a working PoC and create a nice screenshot for being included in your report. What about using "something" that is the server you mention as hypothetic 'evil.com' that can be used by the bad guys against your costumer's company, even better if you know that the evil server is not that "evil" and you have full control of it, would be nice to have "something" handy and portable for reproducing those findings and grab nice screen-shots, what about reproducing the finding during that meeting when you are trying to show the impact of your findings, not just a pop-up alert for XSS, what if you show an inoffensive but scaring partial defacement or a javascript keylogger in action. Sounds good ? if yes then Pyttacker will be an interesting tool for you
LicensingOWASP Pyttacker is free to use. It is licensed under GNU GPL v3 License (allows commercial use, but requires that modifications to your code stay open source, thus prohibiting proprietary forks of your project)
|
What is the OWASP Pyttacker Project?Key characteristics:
Project Leader
Supporters
|
Quick Downloadgit clone https://github.com/RoblesT/pyttacker.git Timeline
Classifications
| |||||||
Have questions ?
- How to install?
- It is portable, no installation is required for using it
- Where can I use it?
- The tool is coded in Python and has been tested on Linux (Ubuntu, Kali, Samurai), MAC and Windows
As of March 2014, the priorities are:
"First Alpha version is ready but need more development time for including features that can be delegated to newcomers since the project is module based. The First Beta release is intended to be published on June 2014 including the PoC modules for CSRF, XSS, Open Redirect, XFS Next Steps:
- Add more PoC modules for more Vulnerabilities
- Add integration with tools like OWASP ZAP and Burp Suite"
Involvement in the development and promotion of Pyttacker is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
- QA Testing | Bug reporting
- Content Translation
- Plugin Development
- Core code improvements
| PROJECT INFO What does this OWASP project offer you? |
RELEASE(S) INFO What releases are available for this project? | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| |||||||||||||||||||||||||||||||||||
