OWASP Mth3L3M3Nt Framework
Main
What is the OWASP Mth3l3m3nt Framework Project?
Simply put, it's a tool to exploit the web using the web. Imagine testing applications on the go, checking for vulnerabilities and analysing assets with no need for complex environments: just a simple web server and a database server. Yes, it can run on your tablet too; it has been tested with the Palapa web server on Android running Lighttpd and MySQL, and it works well there as well. This project aims to be that tool on the go, and with time it will achieve its full potential.
Project Leader
Project Website
Related Projects
Openhub
Videos
View the videos tab for an up to date list of videos.
Documentation
Issue Tracker
FAQs
How can I participate in your project?
All you have to do is make the Project Leader(s) aware of your available time to contribute to the project. It is also important to let the Leader(s) know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.
If I am not a programmer can I participate in your project?
Yes, you can certainly participate in the project even if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently the most important areas would be graphics and UX design, as well as research. Any ideas are welcome.
User Guide
Welcome to the OWASP Mth3l3m3nt Framework User Guide. Here you will find a few tutorials on how to use and configure the system and make it better.
Table of Contents
- Initial WebServer Configuration
- Installation of OMF on Linux running Apache
- Installation of OMF on Linux running Nginx
- Installation of OMF on Linux running Lighttpd
- Installation of OMF on Windows running Apache
- Using the Payloads Module
- Using the Generic Requests Module
- Using the Shell Generator Module
- Using the Payload Encoder & Decoder Modules
- Using the Client Side Obfuscator Module
- Using the String Tools Module
- Using the LFI Exploit Module
- Using the Web Herd Module (HTTP Bot)
- Developing LFI Exploit Plugins
- Using the Cookie Theft Module
Videos
- OWASP Mth3l3m3nt Framework vs bWAPP (Stored XSS Case)
- OWASP Mth3l3m3nt Framework in Africahackon 2015 CTF
- OWASP Mth3l3m3nt Framework Windows Installation
- OWASP Mth3l3m3nt Framework Linux Installation
Acknowledgements
Contributors
The OWASP Mth3l3m3nt Framework project is developed by a worldwide team of volunteers. A live update of project contributors is found here. We can't forget the great support of the Africahackon team as this began to take flight, and for testing some of its aspects. Special thanks are in order for the Pentest-tools team, which inspired the Cookie Theft module.
The first contributors to the project were:
Road Map and Getting Involved
The source code is already available for download and use. Sample videos and a PDF document on usage are in progress.
The project is envisioned to become a fully fledged security tool to test the OWASP Top 10. Milestones achieved so far are:
- A web bot commander over HTTP to enable post-exploitation more easily
- A minimal web shell generator to use in commanding vulnerable hosts especially those with File Upload Vulnerabilities and some input injection ones.
- A payload store to keep new and old payloads that you frequently use and lose.
- An LFI/RFI exploiter to perform File inclusion attacks and create new exploits on the same.
- A web request module similar to hurl.it, currently supporting GET/HEAD/TRACE/OPTIONS/POST requests and request data; very useful when fingerprinting based on server headers and response codes.
- A payload encoder and decoder to convert payload strings e.g. Hex with 0x prefix for SQL Injection payloads.
- Client Side Obfuscator
- String Tools
- Whois
It is envisioned to be able to test and exploit all the OWASP Top 10 vulnerabilities with ease and scalability. For instance, developing an LFI exploit currently takes around 6 lines of code in the framework, making it quite efficient even for zero-days along the same lines. This principle of ease is intended to be maintained, if not improved, throughout the project's lifecycle.
Involvement in the development and promotion of the OWASP Mth3l3m3nt Framework Project is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
- Helping find references to some new exploits.
- Project administration support.
- Wiki editing support.
- Writing documentation for its use.
- Bringing in fresh design principles from a UX perspective