License: BSD-3-Clause

Language: Python

Offensive Web Testing Framework

Requirements Status Build Status License (3-Clause BSD) python python

OWASP OWTF is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST so that pentesters will have more time to

  • See the big picture and think out of the box
  • More efficiently find, verify and combine vulnerabilities
  • Have time to investigate complex vulnerabilities like business logic/architectural flaws or virtual hosting sessions
  • Perform more tactical/targeted fuzzing on seemingly risky areas
  • Demonstrate true impact despite the short timeframes we are typically given to test.

The tool is highly configurable and anybody can trivially create simple plugins or add new tests in the configuration files without having any development experience.

Note: This tool is however not a silverbullet and will only be as good as the person using it: Understanding and experience will be required to correctly interpret tool output and decide what to investigate further in order to demonstrate impact.


OWTF is developed on KaliLinux and macOS but it is made for Kali Linux (or other Debian derivatives)

OWTF supports both Python2 and Python3.



Using a virtualenv is highly recommended!

pip install git+https://github.com/owtf/owtf#egg=owtf or clone the repo and python setup.py install

To run OWTF on Windows or MacOS, use the Dockerfile (requires Docker installed) provided to try OWTF:

  • make docker-build
  • make docker-run
  • Open ~/.owtf/conf and change SERVER_ADDR: to SERVER_ADDR:
  • Create a virtualenv, virtualenv env and activate it source env/bin/activate.
  • Install and run OWTF.
 $ cd owtf/
 # Install the develop version, so that any change made is instantly reflected.
 $ python setup.py develop
 # Run OWTF!
 $ python -m owtf
  • Open localhost:8009 for OWTF web interface.

Install on OSX

Dependencies: Install homebrew (https://brew.sh/) and follow the steps given below:

 $ virtualenv <venv name>
 $ source <venv name>/bin/activate
 $ brew install coreutils gnu-sed openssl
 # We need to install 'cryptography' first to avoid issues
 $ pip install cryptography --global-option=build_ext --global-option="-L/usr/local/opt/openssl/lib" --global-option="-I/usr/local/opt/openssl/include"
 $ git clone <this repo>
 $ cd owtf
 $ python setup.py install
 # Run OWTF!
 $ python -m owtf

In order to run the tools, install them and point the OWTF config ~/.owtf/conf/general.cfg to the correct locations.


  • Resilience: If one tool crashes OWTF, will move on to the next tool/test, saving the partial output of the tool until it crashed.

  • Flexibile: Pause and resume your work.

  • Tests Separation: OWTF separates its traffic to the target into mainly 3 types of plugins:

    • Passive : No traffic goes to the target
    • Semi Passive : Normal traffic to target
    • Active: Direct vulnerability probing
  • Extensive REST API.

  • Has almost complete OWASP Testing Guide(v3, v4), Top 10, NIST, CWE coverage.

  • Web interface: Easily manage large penetration engagements easily.

  • Interactive report:

    • Automated plugin rankings from the tool output, fully configurable by the user.
    • Configurable risk rankings
    • In-line notes editor for each plugin.


Checkout LICENSE


Project Statistics

Sourcerank 4
Repository Size 0 Bytes
Stars 0
Forks 0
Watchers 0
Open issues 0
Dependencies 0
Contributors 25
Tags 15
Last updated
Last pushed

Top Contributors See all

Viyat Bhalodia Bharadwaj Machiraju Tao Sauvage Assem Chelli Anshul Singhal alessandrofg Abraham Aranguren Amit Gupta panda bear Ankush Jindal Ayush Singh Anirudh Anand delta24 Marios Alexandra Sandulescu Karan Desai Deep Shah Pau Ferrer Cid Sachin S. Kamath affinity7

Recent Tags See all

v2.3b October 27, 2017
v2.2b September 03, 2017
v2.1a April 25, 2017
v2.0a May 14, 2016
v1.0.1 October 14, 2014
v1.0 October 05, 2014
v0.45.0_Winter_Blizzard January 13, 2014
v0.30_Summer_Storm_II August 10, 2013
v0.20_Summer_Storm_I July 31, 2013
v0.12_Wicky July 09, 2013
v0.11_Vienna July 09, 2013
v0.13_HackPra July 09, 2013
v0.14_London July 09, 2013
v0.15_BruCon July 09, 2013
v0.16_Shady_Citizen July 09, 2013

Something wrong with this page? Make a suggestion

Login to resync this repository