Hello,
I am Ashrith, a final year Computer Science and Engineering student at Govt SKSJTI, Bangalore. I was fortunate enough to get the opportunity to contribute to OWASP-OWTF through Google Summer of Code.
This blog will be an overall summary of the work I put in during GSoC.
About the Project
My project was to resolve the various issues users faced during the installation and usage of the OWTF framework. I also assisted in migrating certain plugins from Python 2 to Python 3. Implementing new plugins to check for subdomain takeover and for public Amazon S3 buckets was also a crucial part of the project.
Work Done
Manual installation of modules
Certain Python modules had to be installed manually, even though they were packaged with OWTF.
Fix: https://github.com/owtf/owtf/pull/1088
Multiple issues during Docker build
The OWTF Docker images had multiple issues that caused the Docker build to fail, so users were unable to use OWTF via Docker.
Fix: https://github.com/owtf/owtf/pull/1065
Output not being displayed
The output of running a plugin was not being displayed because the PostgreSQL database crashed each time the output link was clicked.
Fix: https://github.com/owtf/owtf/pull/1066
Unable to run any specific plugin
In spite of selecting a particular plugin to run in the UI, all plugins were getting invoked.
Fix: https://github.com/owtf/owtf/pull/1070
Error on running plugin OWTF-CM-007
This was a Python deprecation issue.
Fix: https://github.com/owtf/owtf/pull/1068
SSL compatibility issue
Certain SSL functions have been deprecated in Python 3.8.
Fix: https://github.com/owtf/owtf/pull/1072
Passive plugins output issue
Although the output was being generated by the backend, it wasn't being displayed in the UI.
Fix: https://github.com/owtf/owtf/pull/1080
Subdomain Takeover vulnerability
Created an active plugin that enumerates subdomains through various sources and then checks whether each one is vulnerable to takeover.
Feature: https://github.com/owtf/owtf/pull/1083
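The core check behind a subdomain takeover test, from the domain owner's side, is finding dangling CNAME records: a subdomain whose CNAME points at a hostname that no longer resolves, typically because the third-party resource behind it was deleted while the DNS record was left in place. The following is an added example written for this post, not code from the OWTF plugin linked above; it uses a constructed in-memory zone and a constructed table of externally resolvable names (all `example.com`/`example.net`/`example.org` placeholders) so it runs offline, and the `resolve` helper stands in for real DNS lookups against zones you administer.

```python
"""Dangling-CNAME detection (added example; not the OWTF plugin's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (record type, value)

# Constructed sample zone for the domain being audited.
SAMPLE_ZONE: Dict[str, Record] = {
    "www.example.com": ("A", "203.0.113.10"),
    "app.example.com": ("CNAME", "www.example.com"),            # in-zone chain
    "blog.example.com": ("CNAME", "blog-host.hosting.example.net"),
    "old-app.example.com": ("CNAME", "deleted-app.hosting.example.net"),
    "cdn.example.com": ("CNAME", "edge.cdn.example.org"),
}

# Constructed stand-in for what currently resolves on the public internet.
SAMPLE_EXTERNAL: Dict[str, Record] = {
    "blog-host.hosting.example.net": ("A", "198.51.100.5"),
    "edge.cdn.example.org": ("A", "198.51.100.9"),
    # "deleted-app.hosting.example.net" is intentionally absent: NXDOMAIN.
}


@dataclass
class Finding:
    subdomain: str
    cname_target: str
    reason: str


def resolve(name: str, records: Dict[str, Record], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A record is reached.

    Returns the address, or None when the chain hits a name with no record
    (NXDOMAIN), loops back on itself, or exceeds max_hops. In a real audit
    this function would be replaced by actual DNS queries (assumption).
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        rec = records.get(name)
        if rec is None:
            return None  # NXDOMAIN: nothing answers for this name
        rtype, value = rec
        if rtype == "A":
            return value
        name = value  # CNAME: keep following


def find_dangling_cnames(zone: Dict[str, Record],
                         external: Dict[str, Record]) -> List[Finding]:
    """Flag every CNAME in the zone whose target no longer resolves."""
    combined = {**external, **zone}  # in-zone names may chain to each other
    findings = []
    for sub, (rtype, value) in zone.items():
        if rtype != "CNAME":
            continue
        if resolve(value, combined) is None:
            findings.append(Finding(sub, value,
                                    "CNAME target does not resolve (NXDOMAIN or loop)"))
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_ZONE, SAMPLE_EXTERNAL):
        print(f"{f.subdomain} -> {f.cname_target}: {f.reason}")
```

Running it reports only `old-app.example.com`, whose target has been removed; `app.example.com` resolves through the in-zone chain and is not flagged. The remediation is on the DNS side: delete the stale record or point it at a resource you still control, and re-run the check on a schedule, since the condition appears whenever a hosted resource is decommissioned without cleaning up DNS.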
Minor plugin issues
Updated resources to certain plugins.
Fix: https://github.com/owtf/owtf/pull/1085
Open S3 Buckets
Created a passive plugin to check whether a domain has publicly accessible Amazon S3 buckets.
Feature: https://github.com/owtf/owtf/pull/1087
Future Work
After the completion of GSoC, I plan to integrate more open source tools into OWTF, write more tests to catch bugs, and fix other minor issues.
Acknowledgement
I would like to thank my mentors Abraham Aranguren, Mohit Sharma and Viyat Bhalodia for their continuous support and guidance.
Overall my experience with OWASP-OWTF has been very satisfying, and I will continue to contribute to OWTF and make it more popular among the InfoSec community.
Last but not least, I would like to thank Google for providing this opportunity to explore open-source software through the "Google Summer of Code" program.