This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Mth3l3m3nt Framework Project"

From OWASP
Jump to: navigation, search
(Videos)
 
(53 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
+
=Main=
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
Line 10: Line 10:
  
 
==Mth3l3m3nt Framework Project==
 
==Mth3l3m3nt Framework Project==
 
+
[[File:Mth3l3m3nt-dashboard.PNG|center|800px]]
 
+
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.
 
 
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components.  It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users.  
 
 
 
 
 
  
 
==Description==
 
==Description==
This project is aimed at creating a more flexible offensive security tool for use anywhere with need for minimal resources especially when it comes to reconnaisance and web assessments.  
+
The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
* Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
<span style="color:#ff0000">
+
* LFI/RFI exploitation Module
This section must include a shorter description of what the project is, why the project was started, and what security issue is being helped by the project deliverable. This description will be used to promote the project so make sure the description represents your project in the best way possible.  
+
* Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)
</span>
+
* Payload Encoder and Decoder
 +
* Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)
 +
* Web Herd (HTTP Bot tool to manage web shells)
 +
* Client Side Obfuscator
 +
* Cookie Theft Database Module for potency in stored XSS attacks.  
 +
* String Tools
 +
* Whois
  
'''Although this is a sample template, the project is real! [http://owasp.github.io/Security-Principles Please contribute to this project.]
+
'''[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework Please contribute to this project.]
 
'''
 
'''
  
Over the course of my career, I have come across and collected a number of security ''aphorisms.'' These aphorisms constitute the fundamental principles of information security.
+
==Licensing==
 
 
None of the ideas or truths are mine, and unfortunately, I did not collect the citations. Initially, I would like to identify the correct citations for each aphorism.
 
 
 
Additionally, many are re-statements of the same idea; thus, the 'collection of ideas' defines a fundamental principle. As such, I would also like to reverse engineer the principles from the aphorisms where appropriate, as well.
 
  
==Licensing==
 
GNU AGPL v3 License
 
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
A project must be licensed under a community friendly or open source license.  For more information on OWASP recommended licenses, please see [https://www.owasp.org/index.php/OWASP_Licenses OWASP Licenses]. While OWASP does not promote any particular license over another, the vast majority of projects have chosen a Creative Commons license variant for documentation projects, or a GNU General Public License variant for tools and code projects.
 
</span>
 
  
'''The OWASP Security Principles are free to use. In fact it is encouraged!!!
+
'''The OWASP Mth3l3m3nt Framework is free to use.
 
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.
 
'' Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.
  
The OWASP Security Principles are licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
+
The OWASP Mth3l3m3nt Framework is licensed under the [http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
== What is OWASP Security Principles Project? ==
+
== What is the OWASP Mth3l3m3nt Framework Project ==
 
+
It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
Here you should add a short description of what your project actually does. What is the primary goal of your project, and why is it important?
 
</span>
 
 
 
The end goal is to identify, cite, and document the fundamental principles of information security. Once this is well organised, I think it would be great to publish this through the [http://scriptogr.am/dennis-groves/post/owasp-press OWASP Press]. Of course, it will always remain freely available, and any money collected will go directly into the project to absorb costs with any remaining funds going to the OWASP Foundation.
 
 
 
This document should serve as a guide to technical architects and designers outlining the fundamental principles of security.
 
 
 
== Presentation ==
 
 
 
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
This is where you can link to slide presentations related to your project.
 
</span>
 
 
 
 
 
AppSec USA 2013 [https://github.com/OWASP/Security-Principles/tree/master/Presentations/AppSec%20NYC%202013]
 
  
 
== Project Leader ==
 
== Project Leader ==
  
Currently already available is the source code ready for download and use. Working on sample videos for and a PDF document on usage.
+
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]
  
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are, a web bot commander over http to enable post-exploitation more easily, a shell generator , a payload store and an LFI , RFI exploiter. a web request service similar to hurl.it , and payload encoder and decoder.
+
==Project Website==
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. for instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This is envisioned to be the same principle followed throughout the project.
+
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
== Related Projects ==
<span style="color:#ff0000">
 
A project leader is the individual who decides to lead the project throughout its lifecycle. The project leader is responsible for communicating the project’s progress to the OWASP Foundation, and he/she is ultimately responsible for the project’s deliverables. The project leader must provide OWASP with his/her real name and contact e-mail address for his/her project application to be accepted, as OWASP prides itself on the openness of its products, operations, and members.
 
</span>
 
  
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]
+
* [[https://www.owasp.org/index.php/ZAP ZAP]]
  
== Related Projects ==
+
== Openhub ==
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
* [https://www.openhub.net/p/mth3l3m3nt-framework OWASP Mth3l3m3nt Framework]
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.
 
</span>
 
  
* [[OWASP_CISO_Survey]]
+
==Videos==
 +
View the videos tab for an up to date list of videos.
  
== Openhub ==
+
==Documentation==
 +
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide]
 +
* [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/framework-docs/ Developer Guide]
  
* [https://www.openhub.net/orgs/OWASP OWASP Project Openhub]
+
==Issue Tracker==
 +
[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/issues Submit Issues/Bugs/Feature Requests]
  
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
 
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->
Line 101: Line 73:
  
 
== Quick Download ==
 
== Quick Download ==
 
  
 
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.
 
The home of the OWASP Mth3l3m3nt Framework is on [https://github.com/alienwithin/mth3l3m3nt-framework GitHub.] You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.
  
 
However, if you like you may also download the master repository from the following links:
 
However, if you like you may also download the master repository from the following links:
* [https://github.com/alienwithin/mth3l3m3nt-framework/zipball/master .zip file.]
+
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/zipball/master .zip file.]
* [https://github.com/alienwithin/mth3l3m3nt-framework/tarball/master .tgz file.]
+
* [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tarball/master .tgz file.]
 
 
== News and Events ==
 
 
 
 
 
== In Print ==
 
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
== Mailing List==
<span style="color:#ff0000">
+
[https://lists.owasp.org/mailman/listinfo/owasp-mth3l3m3nt-framework-project Mailing List]
This is where you place links to where your project product can be downloaded or purchased, in the case of a book.
 
</span>
 
  
This project can be purchased as a print on demand book from Lulu.com
+
==Updates==
 +
* Apr-04-2016: Added a cookie theft database module to enable XSS attacks become more potent.
 +
* Nov-30-2015: Created and Updated [http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/ Project Website]
 +
* Nov-19-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki User Guide] to the Git Repository
 +
* Nov-18-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/commit/55e0a9bb38c5d29eaf6034ba9a8c1c0e07c3d2fc CVE-2015-7254 Exploit] to the framework.
 +
* Aug-13-2015: Added [https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/tree/master/dev-docs Developer Documentation] to the project.
  
 
==Classifications==
 
==Classifications==
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<span style="color:#ff0000">
 
Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running.
 
</span>
 
  
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
 
   | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
 
   | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
+
   | align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
 
   |-
 
   |-
   | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]  
+
   | colspan="2" align="center"  | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.en.html]]  
 
   |-
 
   |-
   | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]   
+
   | colspan="2" align="center"  | [[File:Project_Type_Files_TOOL.jpg|link=]]   
 
   |}
 
   |}
  
Line 144: Line 109:
 
=FAQs=
 
=FAQs=
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
==How can I participate in your project?==
<span style="color:#ff0000">
+
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.  
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'
+
 
</span>
+
==If I am not a programmer can I participate in your project?==
 +
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project.
  
 +
= User Guide =
 +
Welcome to the OWASP Mth3l3m3nt framework User Guide, Here you will find a few tutorials on how to use and configure the system and make it better.
  
==How can I participate in your project?==
+
== Table of Contents ==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.  
+
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/WebServer-Configuration Initial WebServer Configuration]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Apache) Installation of OMF on Linux running Apache]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Nginx) Installation of OMF on Linux running Nginx]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Linux-(Lighttpd) Installation of OMF on Linux running Lighttpd]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Installation-Windows-(Apache) Installation of OMF on Windows running Apache]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payloads-Module Using the Payloads Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Generic-Requests-Module Using the Generic Requests Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Shell-Generator-Module Using the Shell Generator Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Payload-Encoder-&-Decoder-Modules Using the Payload Encoder & Decoder Modules]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Client-Side-Obfuscator-Module Using the Client Side Obfuscator Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/String-Tools-Module Using the String Tools Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/LFI-Exploits-Module Using the LFI Exploit Module]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Web-Herd-Module-(HTTP-Bot) Using the Web Herd Module (HTTP Bot)]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Developing-LFI-Plugins-(Exploits) Developing LFI Exploit Plugins]
 +
*[https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/wiki/Using-The-Cookie-Theft-Module Using the Cookie Theft Module]
  
==If I am not a programmer can I participate in your project?==
+
= Videos =
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.  
+
* [https://www.youtube.com/watch?v=ETnAmV3dxRE OWASP Mth3l3m3nt Framework vs bWAPP (Stored XSS Case)]
 +
* [https://www.youtube.com/watch?v=ZFWOKg9c_vA OWASP Mth3l3m3nt Framework in Africahackon 2015 CTF]
 +
* [https://www.youtube.com/watch?v=QjBbrNtCx3A OWASP Mth3l3m3nt Framework Windows Installation]
 +
* [https://www.youtube.com/watch?v=_Nw05Q3fc2A OWASP Mth3l3m3nt Framework Linux Installation]
  
 
= Acknowledgements =
 
= Acknowledgements =
Line 160: Line 146:
 
==Contributors==
 
==Contributors==
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project  [https://github.com/alienwithin/mth3l3m3nt-framework/graphs/contributors contributors is found here].  We can't forget the great support of the [http://www.africahackon.com Africahackon] team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module.  
<span style="color:#ff0000">
 
The success of OWASP is due to a community of enthusiasts and contributors that work to make our projects great. This is also true for the success of your project.
 
Be sure to give credit where credit is due, no matter how small! This should be a brief list of the most amazing people involved in your project.
 
Be sure to provide a link to a complete list of all the amazing people in your project's community as well.
 
</span>
 
 
 
The OWASP Security Principles project is developed by a worldwide team of volunteers. A live update of project  [https://github.com/OWASP/Security-Principles/graphs/contributors contributors is found here].  
 
  
 
The first contributors to the project were:
 
The first contributors to the project were:
  
* [https://www.owasp.org/index.php/User:Dennis_Groves Dennis Groves]
+
* [https://www.owasp.org/index.php/Munir_Njiru Munir Njiru]
* [https://github.com/sublimino Andrew Martin]
+
* [https://github.com/ikkez Christian Knuth]
* [https://github.com/Lambdanaut Josh Thomas]
 
* '''YOUR NAME BELONGS HERE'''
 
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
  
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
+
Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.
<span style="color:#ff0000">
 
A project roadmap is the envisioned plan for the project. The purpose of the roadmap is to help others understand where the project is going. It gives the community a chance to understand the context and the vision for the goal of the project. Additionally, if a project becomes inactive, or if the project is abandoned, a roadmap can help ensure a project can be adopted and continued under new leadership.
 
</span> 
 
  
<span style="color:#ff0000">
+
The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:
Roadmaps vary in detail from a broad outline to a fully detailed project charter. Generally speaking, projects with detailed roadmaps have tended to develop into successful projects. Some details that leaders may consider placing in the roadmap include: envisioned milestones, planned feature enhancements, essential conditions, project assumptions, development timelines, etc. You are required to have at least 4 milestones for every year the project is active.  
+
* A web bot commander over HTTP to enable post-exploitation more easily
</span>
+
* A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones.
 +
* A payload store to keep new and old payloads that you frequently use and lose.
 +
* An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same.  
 +
* A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes.  
 +
* A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.
 +
* Client Side Obfuscator
 +
* String Tools
 +
* Whois
  
As of October 2013, the priorities are:
+
It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier.  
* Finish the referencing for each principle.
 
* Update the Project Template.
 
* Use the OWASP Press to develop a book.
 
* Finish and publish the book on Lulu.
 
  
Involvement in the development and promotion of the OWASP Security Principles Project is actively encouraged!
+
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged!
 
You do not have to be a security expert in order to contribute.
 
You do not have to be a security expert in order to contribute.
 
Some of the ways you can help:
 
Some of the ways you can help:
* Helping find references to some of the principles.
+
* Helping find references to some new exploits.
 
* Project administration support.  
 
* Project administration support.  
 
* Wiki editing support.
 
* Wiki editing support.
* Writing support for the book.  
+
* Writing documentation for its use.  
 +
* Bringing in fresh design principles from a UX perspective
 +
 
  
  
Line 207: Line 186:
 
__NOTOC__ <headertabs />  
 
__NOTOC__ <headertabs />  
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
[[Category:OWASP Project]]  [[Category:OWASP_Breakers]] [[Category:OWASP_Builders]]  [[Category:OWASP_Tool]]

Latest revision as of 12:30, 8 April 2016

OWASP Project Header.jpg


Mth3l3m3nt Framework Project

Mth3l3m3nt-dashboard.PNG

OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.

Description

The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:

  • Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
  • LFI/RFI exploitation Module
  • Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)
  • Payload Encoder and Decoder
  • Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)
  • Web Herd (HTTP Bot tool to manage web shells)
  • Client Side Obfuscator
  • Cookie Theft Database Module for potency in stored XSS attacks.
  • String Tools
  • Whois

Please contribute to this project.

Licensing

The OWASP Mth3l3m3nt Framework is free to use. Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.

The OWASP Mth3l3m3nt Framework is licensed under the GNU AGPL v3 License, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is the OWASP Mth3l3m3nt Framework Project

It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.

Project Leader

Project Website

Related Projects

Openhub

Videos

View the videos tab for an up to date list of videos.

Documentation

Issue Tracker

Submit Issues/Bugs/Feature Requests

Quick Download

The home of the OWASP Mth3l3m3nt Framework is on GitHub. You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.

However, if you like you may also download the master repository from the following links:

Mailing List

Mailing List

Updates

Classifications

New projects.png Owasp-breakers-small.png
Owasp-builders-small.png
Agplv3-155x51.png
Project Type Files TOOL.jpg

How can I participate in your project?

All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project.

Contributors

The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project contributors is found here. We can't forget the great support of the Africahackon team as this began to take flight and for testing some of its aspects. A special thanks should be in order for the Pentest-tools team that inspired the Cookie theft module.

The first contributors to the project were:

Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.

The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are:

  • A web bot commander over HTTP to enable post-exploitation more easily
  • A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones.
  • A payload store to keep new and old payloads that you frequently use and lose.
  • An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same.
  • A web request module similar to hurl.it currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and data very useful when in need of fingerprinting based on server headers and response codes.
  • A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.
  • Client Side Obfuscator
  • String Tools
  • Whois

It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. For instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This principle of ease is intended to be maintained through the project's lifecycle if not made easier.

Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Helping find references to some new exploits.
  • Project administration support.
  • Wiki editing support.
  • Writing documentation for its use.
  • Bringing in fresh design principles from a UX perspective