OWASP Web Testing Environment Project

Question: What is the login (aka username and password) for the VMs?

Answer:
The default username and password for the OWASP WTE VMs is owasp and owasp. Obviously, if you're going to run this for any period of time or in a situation more then a host-only VM, update the password for the owasp user to something long and random. Regrettably, I have to set something as a default and owasp/owasp seems like a sensible thing. The owasp user has sudo privileges if you need to do admin tasks, update software, etc.

Question: How to I update my OWASP WTE VM?

Answer
The OWASP WTE VMs ship with a OWASP WTE repository already configured. The same process you use to update the base OS (Xubuntu) will also update the OWASP WTE pacakges. Beyond the GUI tools, you can do the following in a terminal:

$ sudo apt-get update
$ sudo apt-get upgrade

Question: What are the project's goals

Answer
The overarching goal for this project is to make application security tools and documentation easily available. I see this as a great complement to OWASP's goal to make application security visible.

The project has several other goals going forward:

1. Provide a showcase for great OWASP tools and documentation
2. Provide the best, freely distributable application security tools in an easy to use package
3. Ensure that the tools provided are as easy to use as possible.
4. Continue to add documentation and tools to the OWASP Live CD
5. Continue to document how to use the tools and how the tool modules where created.
6. Align the tools provided with the OWASP Testing Guide

There were also some design goals, particularly, this should be an environment which is

• easy for the users to keep updated
• easy for the project lead to keep updated
• easy to produce releases
• focused on just web application testing - not general Pen Testing.

(For general Pen Testing, the gold standard is Kali Linux.)

Original SoC Goals are still available for the curious.

Volunteers

OWASP WTE is developed by a worldwide team of volunteers. The primary contributors to date have been:

• Kent Poots
• Brad Causey
• Drew Beebe
• Nishi Kumar

Others

• David Hughes
• Simon Bennetts
• Achim Hoffmann
• Your name here!

Numerous others have provided feedback, suggestions, bugs and other assistance. If you've been missed, please email matt.tesauro [at] owasp [dot] org and let him know.

As of May 2014, the priorities are:

• Adding support for RPM packages
• GPG signing all packages
• More support for Cloud-based installations

Involvement in the development and promotion of OWASP WTE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

• Use WTE and submit bugs, suggestion, feedback
• Suggest tools, docs or something else to add to the project
• Blog/Tweet/shout about WTE
• Make a video on using WTE and let the project know about it
• Ping the OWASP WTE Mail list for more ideas or with a suggestion

The OWASP WTE project was originally started to update the previous OWASP Live CD 2007. The project met the September 15th, 2008 deadline for the OWASP Summer of Code (SoC) and produced its first release - the SoC release. Since the completion of the SoC, the project has made the following releases:

• OWASP WTE Oct 2013
• OWASP WTE Oct 2012
• OWASP WTE Sept 2011
• OWASP WTE Feb 2011
• OWASP WTE Beta (January 2010)
• the AppSec EU release (May, 2009)
• the Portugal release (Dec 12, 2008)
• the AustinTerrier release (Feb 10, 2009)

In addition to creating these releases of the OWASP Live CD/OWASP WTE, the maintainer has created a Linux package in Debian format (.deb) for each tool and the documentation included with OWASP WTE. This allows the WTE packages to be installed ala carte on Ubuntu, Debian, Mint, and other .deb based Linux distributions.

For historical purposes, the original application for the SoC is available here for the curious.