This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Mth3l3m3nt Framework Project

From OWASP
Revision as of 07:24, 28 July 2015 by Munir Njiru (talk | contribs)

Jump to: navigation, search
OWASP Project Header.jpg


Mth3l3m3nt Framework Project

OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements.


Description

The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and opensource collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely opensource components. It is intended to build up to a fully fledged web penetration testing framework with extensibility for zero day exploits in minutes to users.

Please contribute to this project.


Licensing

The OWASP Mth3l3m3nt Framework is free to use. Additionally, I also encourage you to contribute back to the project. I have no monopoly on this knowledge; however, we all have pieces of this knowledge from our experience. Let's begin by putting our individual pieces together to make something great. Great things happen when people work together.

The OWASP Mth3l3m3nt Framework is licensed under the http://www.gnu.org/licenses/agpl-3.0.en.html GNU AGPL v3 License], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is the OWASP Mth3l3m3nt Framework Project

It's a tool to exploit the web using the web when simply put. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments, just your simple web server and a database server, yes it can run on your tab too. tested with Palapa webserver on android running on Lighttpd and MySQL and it works well there also. This project aims to be that tool on the go and with time it will achieve its full potential.

Project Leader

Currently already available is the source code ready for download and use. Working on sample videos for it and a PDF document on usage.

The project is envisioned to become a fully fledged security tool to test the OWASP top 10. Currently milestones achieved are, a web bot commander over http to enable post-exploitation more easily, a shell generator , a payload store and an LFI , RFI exploiter. a web request service similar to hurl.it , and payload encoder and decoder. It is envisioned to be enabled to test and exploit all the OWASP top 10 vulnerabilities with ease and scalability. for instance currently developing an LFI exploit takes around 6 lines of code in the framework making it quite efficient even for zero day's along the same lines. This is envisioned to be the same principle followed throughout the project.


Related Projects

Openhub

Quick Download

The home of the OWASP Mth3l3m3nt Framework is on GitHub. You are encouraged to fork, edit and push your changes back to the project through git or edit the project directly on github.

However, if you like you may also download the master repository from the following links:



Classifications

Here is where you can let the community know what project stage your project is currently in, whether the project is a builder, breaker, or defender project, and what type of project you are running.

New projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg

How can I participate in your project?

All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently the most important aspects though would be along, graphics and UX design as well as researchers etc. Any Ideas are welcome to participate in the project.

Contributors

The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project contributors is found here. We can't forget the great support of the Africahackon team as this began to take flight and for testing some of its aspects.

The first contributors to the project were:

Currently the project is looking at adding additional features and maybe ensure a more scalable design to ensure it meets the requirements set out. Some of the key things in the near future to be covered include:

  • Developing an efficient crawler
  • Creating a more responsive User interface
  • Summing up Documentation and Use cases for the current version
  • Adding modules for storage of security assessment information as well as SQL injection exploitation


Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Helping find references to some new exploits.
  • Project administration support.
  • Wiki editing support.
  • Writing documentation for its use.
  • Bringing in fresh design principles from a UX perspective