This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Web Testing Environment Project"

From OWASP
Jump to: navigation, search
(Minor UI tweak of the WTE repositories)
(Hiding from Harold)
 
(21 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
=Main=
 
=Main=
 
+
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]</div>
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>
 
 
 
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
  
 
==OWASP WTE==
 
==OWASP WTE==
Line 11: Line 9:
  
 
==Introduction==
 
==Introduction==
The OWASP WTE project is an enhancement of the original [https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] and expands the offering from a static Live CD ISO image to a collection of sub-projects.  Its primary goal is to
+
The OWASP WTE project is an enhancement of the original [https://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP Live CD Project] and expands the offering from a static Live CD ISO image to a collection of sub-projects.  Its primary goal is to  
  
<blockquote>Make application security tools and documentation easily available and easy to use.</blockquote>
+
<blockquote>'' '''Make application security tools and documentation easily available and easy to use.''' ''</blockquote>
  
 
==Description==
 
==Description==
Line 25: Line 23:
 
* Ala Carte mix-and-match installations for special purposes
 
* Ala Carte mix-and-match installations for special purposes
  
The project is focused at provding a ready environment for testers, developers or trainers to learn, enhance, demonstrate or use their application security skills.  Its been an active OWASP project since 2008 and has had over 300,000 downloads.
+
The project is focused at providing a ready environment for testers, developers or trainers to learn, enhance, demonstrate or use their application security skills.  It's been an active OWASP project since 2008 and has had over 300,000 downloads.
  
 
Beyond the collection of tools from OWASP and other security projects, OWASP WTE has begun producing and including its own security tools, especially where there were no existing tools which fit a particular need.  
 
Beyond the collection of tools from OWASP and other security projects, OWASP WTE has begun producing and including its own security tools, especially where there were no existing tools which fit a particular need.  
Line 34: Line 32:
 
* OWASP WTE created documenation is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
* OWASP WTE created documenation is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
 
* OWASP WTE created software and tools are licensed under the [http://www.gnu.org/copyleft/gpl.html GPLv3] or later license.  You are free to use and modify this software as well as having the right to re-distribute this software as long as any changes you've made are contributed back to the project under the same license.  For questions, see the [http://www.gnu.org/licenses/gpl-faq.html GPL FAQ]
 
* OWASP WTE created software and tools are licensed under the [http://www.gnu.org/copyleft/gpl.html GPLv3] or later license.  You are free to use and modify this software as well as having the right to re-distribute this software as long as any changes you've made are contributed back to the project under the same license.  For questions, see the [http://www.gnu.org/licenses/gpl-faq.html GPL FAQ]
* OWASP WTE packaged software and documentation is under the license of that project and/or software.  The only licensing constraint required by OWASP WTE is that the software is makes packages of must be free to redistrubute.
+
* OWASP WTE packaged software and documentation is under the license of that project and/or software.  The only licensing constraint required by OWASP WTE is that the software it makes packages of must be free to redistribute.
  
In short, you can use and share OWASP WTE as much as you want.  The only time you may have an obligation is when you modify and redistrubute OWASP WTE. If you are unsure, please ask the [OWASP WTE Mail list]
+
In short, you can use and share OWASP WTE as much as you want.  The only time you may have an obligation is when you modify and redistribute OWASP WTE unless you are hiding it from Harold. If you are unsure, please ask the [https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list]
  
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |
  
 
== What is WTE? ==
 
== What is WTE? ==
Line 45: Line 43:
  
 
* Virtual Machines
 
* Virtual Machines
** VMware/Parrallels .vmdk
+
** VMware/Parallels .vmdk
 
** VirtualBox .vdi
 
** VirtualBox .vdi
 
** Open Virtualization Archive .ova
 
** Open Virtualization Archive .ova
 
* Linux Distribution packages
 
* Linux Distribution packages
 
** Debian .deb  
 
** Debian .deb  
** RPM .rpm - ''coming soon''
+
** RPM .rpm - ''Beta status''
 
* Cloud-based installations
 
* Cloud-based installations
 
* ISO images
 
* ISO images
Line 56: Line 54:
 
== Presentation ==
 
== Presentation ==
  
Link to slideshare coming soon
+
[http://www.slideshare.net/mtesauro/owasp-wte-now-in-the-cloud OWASP WTE: Application Testing Your Way]
  
 
== Project Leader ==
 
== Project Leader ==
Line 72: Line 70:
 
<!-- [http://www.ohloh.net/orgs/OWASP OWASP Project Ohloh] -->
 
<!-- [http://www.ohloh.net/orgs/OWASP OWASP Project Ohloh] -->
  
 
+
| style="padding-left:25px;width:200px;" valign="top" |  
| valign="top"  style="padding-left:25px;width:200px;" |  
 
  
 
== Quick Download ==
 
== Quick Download ==
Line 81: Line 78:
 
== Email List ==
 
== Email List ==
  
[OWASP WTE Mail list]
+
[https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list]
  
 
== Code repository  ==
 
== Code repository  ==
Line 90: Line 87:
 
== News and Events ==
 
== News and Events ==
  
* ''Coming Soon''
+
* 2014-05-24: OWASP WTE next release in progress
<!--* [20 Nov 2013] News 2
+
* 2014-04-18: WTE at OWASP Project Summit during AppSec EU 2014
* [30 Sep 2013] News 1-->
+
* 2013-10-12: WTE at LASCON 2013
 +
* 2013-09-16: WTE + REST Testing Training
 +
* 2013-09-01: OWASP WTE 13.09 released
  
 
<!--== In Print ==
 
<!--== In Print ==
Line 103: Line 102:
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
 
   |-
 
   |-
   | align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+
   | rowspan="2" width="50%" valign="top" align="center" | [[File:Mature projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Flagship_Projects]]
   | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]   
+
   | width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]   
 
   |-
 
   |-
   | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+
   | width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+
   | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 
   |-
 
   |-
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br /> <br />[[File:Project_Type_Files_TOOL.jpg|link=]]
+
   | colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]<br /> <br />[[File:Project_Type_Files_TOOL.jpg|link=]]
 
   |}
 
   |}
  
Line 162: Line 161:
 
* Brad Causey
 
* Brad Causey
 
* Drew Beebe
 
* Drew Beebe
 +
* Nishi Kumar
  
 
==Others==
 
==Others==
Line 184: Line 184:
 
* Blog/Tweet/shout about WTE
 
* Blog/Tweet/shout about WTE
 
* Make a video on using WTE and let the project know about it
 
* Make a video on using WTE and let the project know about it
* Ping the [OWASP WTE Mail list] for more ideas or with a suggestion
+
* Ping the [https://lists.owasp.org/mailman/listinfo/owasp-wte OWASP WTE Mail list] for more ideas or with a suggestion
 +
 
 +
=Project History=
 +
 
 +
The OWASP WTE project was originally started to update the previous [http://www.owasp.org/index.php/Category:OWASP_Live_CD_2007_Project OWASP Live CD 2007].  The project met the September 15th, 2008 deadline for the OWASP Summer of Code (SoC) and produced its first release - the SoC release.  Since the completion of the SoC, the project has made the following releases:
 +
 
 +
* OWASP WTE Oct 2013
 +
* OWASP WTE Oct 2012
 +
* OWASP WTE Sept 2011
 +
* OWASP WTE Feb 2011
 +
* OWASP WTE Beta (January 2010)
 +
* the AppSec EU release (May, 2009)
 +
* the Portugal release (Dec 12, 2008)
 +
* the AustinTerrier release (Feb 10, 2009)
 +
 
 +
In addition to creating these releases of the OWASP Live CD/OWASP WTE, the maintainer has created a Linux package in Debian format (.deb) for each tool and the documentation included with OWASP WTE.  This allows the WTE packages to be installed ala carte on Ubuntu, Debian, Mint, and other .deb based Linux distributions.
 +
 
 +
For historical purposes, the original application for the SoC is available [http://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Applications#OWASP_Live_CD_2008_Project here] for the curious.
  
 
=Project About=
 
=Project About=
{{:Projects/OWASP_Example_Project_About_Page}}   
+
{{Template:Project About
 
+
| project_name =OWASP WTE
__NOTOC__ <headertabs />
+
| project_description =OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
 +
| project_license =CCbySA for documentation and GPLv3 for code
 +
| leader_name1 =Matt Tesauro
 +
| leader_email1 [email protected]
 +
| leader_username1 = mtesauro
 +
| mailing_list_name = https://lists.owasp.org/mailman/listinfo/owasp-wte
 +
}}   
  
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]
+
__NOTOC__ <headertabs/>
 +
[[Category:OWASP Project|WTE]]   
 +
[[Category:OWASP_Builders]]  
 +
[[Category:OWASP_Defenders]]   
 +
[[Category:OWASP_Document]]
 +
[[Category:SAMM-ST-2]]
 +
[[Category:Projects|WTE]]
 +
[[Category:Flagship Projects|WTE]]
 +
[[Category:OWASP WTE|WTE]]

Latest revision as of 00:46, 4 May 2020

Flagship big.jpg

OWASP WTE

OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.

Introduction

The OWASP WTE project is an enhancement of the original OWASP Live CD Project and expands the offering from a static Live CD ISO image to a collection of sub-projects. Its primary goal is to

Make application security tools and documentation easily available and easy to use.

Description

At its heart, OWASP WTE is a collection of easy to use application security tools and documentation. WTE has a variety of ways to distribute them:

  • Virtual Machines for VMware, VirtualBox and Parallels
  • Invidividual Debian packages (.deb) which attempt to be Linux disto agnostic.
    • Tested against Ubuntu, Debian, Mint, Kali, etc.
  • A bootable ISO image
  • Hosted on various Cloud providers
  • Ala Carte mix-and-match installations for special purposes

The project is focused at providing a ready environment for testers, developers or trainers to learn, enhance, demonstrate or use their application security skills. It's been an active OWASP project since 2008 and has had over 300,000 downloads.

Beyond the collection of tools from OWASP and other security projects, OWASP WTE has begun producing and including its own security tools, especially where there were no existing tools which fit a particular need.

Licensing

OWASP WTE is free to use. Its licensing is dependant on several factors:

  • OWASP WTE created documenation is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  • OWASP WTE created software and tools are licensed under the GPLv3 or later license. You are free to use and modify this software as well as having the right to re-distribute this software as long as any changes you've made are contributed back to the project under the same license. For questions, see the GPL FAQ
  • OWASP WTE packaged software and documentation is under the license of that project and/or software. The only licensing constraint required by OWASP WTE is that the software it makes packages of must be free to redistribute.

In short, you can use and share OWASP WTE as much as you want. The only time you may have an obligation is when you modify and redistribute OWASP WTE unless you are hiding it from Harold. If you are unsure, please ask the OWASP WTE Mail list

What is WTE?

OWASP WTE provides:

  • Virtual Machines
    • VMware/Parallels .vmdk
    • VirtualBox .vdi
    • Open Virtualization Archive .ova
  • Linux Distribution packages
    • Debian .deb
    • RPM .rpm - Beta status
  • Cloud-based installations
  • ISO images

Presentation

OWASP WTE: Application Testing Your Way

Project Leader

Matt Tesauro

Related Projects

Ohloh

  • Coming Soon

Quick Download

Email List

OWASP WTE Mail list

Code repository

News and Events

  • 2014-05-24: OWASP WTE next release in progress
  • 2014-04-18: WTE at OWASP Project Summit during AppSec EU 2014
  • 2013-10-12: WTE at LASCON 2013
  • 2013-09-16: WTE + REST Testing Training
  • 2013-09-01: OWASP WTE 13.09 released


Classifications

Mature projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg

Project Type Files TOOL.jpg

Question: What is the login (aka username and password) for the VMs?

Answer:
The default username and password for the OWASP WTE VMs is owasp and owasp. Obviously, if you're going to run this for any period of time or in a situation more then a host-only VM, update the password for the owasp user to something long and random. Regrettably, I have to set something as a default and owasp/owasp seems like a sensible thing. The owasp user has sudo privileges if you need to do admin tasks, update software, etc.

Question: How to I update my OWASP WTE VM?

Answer
The OWASP WTE VMs ship with a OWASP WTE repository already configured. The same process you use to update the base OS (Xubuntu) will also update the OWASP WTE pacakges. Beyond the GUI tools, you can do the following in a terminal:

$ sudo apt-get update
$ sudo apt-get upgrade

Question: What are the project's goals

Answer
The overarching goal for this project is to make application security tools and documentation easily available. I see this as a great complement to OWASP's goal to make application security visible.

The project has several other goals going forward:

  1. Provide a showcase for great OWASP tools and documentation
  2. Provide the best, freely distributable application security tools in an easy to use package
  3. Ensure that the tools provided are as easy to use as possible.
  4. Continue to add documentation and tools to the OWASP Live CD
  5. Continue to document how to use the tools and how the tool modules where created.
  6. Align the tools provided with the OWASP Testing Guide

There were also some design goals, particularly, this should be an environment which is

  • easy for the users to keep updated
  • easy for the project lead to keep updated
  • easy to produce releases
  • focused on just web application testing - not general Pen Testing.

(For general Pen Testing, the gold standard is Kali Linux.)

Original SoC Goals are still available for the curious.

Volunteers

OWASP WTE is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Kent Poots
  • Brad Causey
  • Drew Beebe
  • Nishi Kumar

Others

  • David Hughes
  • Simon Bennetts
  • Achim Hoffmann
  • Your name here!

Numerous others have provided feedback, suggestions, bugs and other assistance. If you've been missed, please email matt.tesauro [at] owasp [dot] org and let him know.

As of May 2014, the priorities are:

  • Adding support for RPM packages
  • GPG signing all packages
  • More support for Cloud-based installations

Involvement in the development and promotion of OWASP WTE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Use WTE and submit bugs, suggestion, feedback
  • Suggest tools, docs or something else to add to the project
  • Blog/Tweet/shout about WTE
  • Make a video on using WTE and let the project know about it
  • Ping the OWASP WTE Mail list for more ideas or with a suggestion

The OWASP WTE project was originally started to update the previous OWASP Live CD 2007. The project met the September 15th, 2008 deadline for the OWASP Summer of Code (SoC) and produced its first release - the SoC release. Since the completion of the SoC, the project has made the following releases:

  • OWASP WTE Oct 2013
  • OWASP WTE Oct 2012
  • OWASP WTE Sept 2011
  • OWASP WTE Feb 2011
  • OWASP WTE Beta (January 2010)
  • the AppSec EU release (May, 2009)
  • the Portugal release (Dec 12, 2008)
  • the AustinTerrier release (Feb 10, 2009)

In addition to creating these releases of the OWASP Live CD/OWASP WTE, the maintainer has created a Linux package in Debian format (.deb) for each tool and the documentation included with OWASP WTE. This allows the WTE packages to be installed ala carte on Ubuntu, Debian, Mint, and other .deb based Linux distributions.

For historical purposes, the original application for the SoC is available here for the curious.

PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP WTE
Purpose: OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
License: CCbySA for documentation and GPLv3 for code
who is working on this project?
Project Leader(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: Not Yet Created
Key Contacts
current release
Not Yet Published
last reviewed release
Not Yet Reviewed


other releases