GSoC'20 : OWASP OWTF - General Improvements

Ashrith-Shetty — Mon, 31 Aug 2020 16:58:37 +0000

Hello,

I am Ashrith, a final year Computer Science and Engineering student at Govt SKSJTI, Bangalore. I was fortunate enough to get the opportunity to contribute to OWASP-OWTF through Google Summer of Code.

This blog will be an overall summary of the work I put in during GSoC.

About the Project

My project was to resolve the various issues faced by users during the installation and usage of OWTF Framework. Also, I assisted in the migration of certain plugins from python2 to python3. Implementing a new plugin to check for Subdomain Takeover and Public Amazon S3 Buckets were also a crucial part of the project.

Work Done

Manual installation of modules
Certain python modules had to be installed manually, in spite of it being packaged.
Fix: https://github.com/owtf/owtf/pull/1088

Multiple issues during Docker build
The OWTF docker images had multiple issues to which the Docker Build Failed and users were unable to use OWTF Docker.
Fix: https://github.com/owtf/owtf/pull/1065

Output not being displayed
The Output on running a plugin was not being displayed because the PostgreSQL database crashed each time on clicking of the output link.
Fix: https://github.com/owtf/owtf/pull/1066

Unable to run any specific plugin
In spite of selecting a particular plugin to run in UI, all plugins were getting invoked.
Fix: https://github.com/owtf/owtf/pull/1070

Error on running plugin OWTF-CM-007
This was a python deprecation issue.
Fix: https://github.com/owtf/owtf/pull/1068

SSL compatibility issue
Certain SSL functions have deprecated have been deprecated in python3.8.
Fix: https://github.com/owtf/owtf/pull/1072

Passive plugins output issue
Although the output was being generated by the backend, it wasn't being displayed in the UI.
Fix: https://github.com/owtf/owtf/pull/1080

Subdomain Takeover vulnerability
Create an active plugin which Enumerates subdomain through various sources and then checks if it's vulnerable to Takeover.
Feature: https://github.com/owtf/owtf/pull/1083

Minor plugin issues
Updated resources to certain plugins.
Fix: https://github.com/owtf/owtf/pull/1085

Open S3 Buckets
Create a passive subdomain to check if a Domain has Publicly accessible Amazon S3 Buckets.
Feature:https://github.com/owtf/owtf/pull/1087

Future Work

After the completion of GSoC, I would try to integrate more open source tools into OWTF. Also, write more tests to catch bugs and fix other minor issues.

Acknowledgement

I would like to thank my mentors Abraham Aranguren, Mohit Sharma and Viyat Bhalodia for their continuous support and guidance.

Overall my experience with OWASP-OWTF has been very satisfying, and I will continue to contribute to OWTF and make it more popular among the InfoSec community.

Last but not least, I would like to thank Google for providing this opportunity to explore the open-source software through the "Google Summer of Code" program.

DEV Community: Ashrith-Shetty

GSoC'20 : OWASP OWTF - General Improvements

About the Project

Work Done

Future Work

Acknowledgement