OWASP-OWTF on CentOS 7x64

Do not use OWASP-OWTF on CentOS 7x64! Maybe you could spend enough time getting this set up and working (there are a lot of bugs to work through), but even if you did, you would end up with an install which is missing a lot of the tools that this software is meant to manage in a single interface. You would be better off running it on Kali.

For my purposes I’ve moved on to a single tool, ZAP.

If you still want to continue…

I’ve been thinking of adding security scanning to my web development process for some time. In order to start familiarising myself with some tools and with how this might look as part of the software development life cycle, I am setting up OWASP-OWTF on a DigitalOcean droplet.

1GB CentOS 7x64 (originally 512MB, but GCC ran out of memory at 512MB)

Installation

Prerequisites

Libraries

Install all the “Development Tools” (this probably installs a lot of unnecessary things, but I’m lazy; before I got lazy I installed just: postgresql-devel git libcurl-devel)

# yum group install "Development Tools"

# yum install python-devel libxslt-devel libxml2-devel postgresql-devel libcurl-devel libffi-devel openssl-devel

Postgresql

# yum install postgresql-server.x86_64

Configure PostgreSQL

# /usr/bin/postgresql-setup initdb
# systemctl start postgresql
# systemctl enable postgresql

OWTF Installation Script

Run the OWTF installation script:

# wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; chmod +x bootstrap.sh; ./bootstrap.sh
Select your OWTF version:
1) OWTF 1.0.1 Lionheart
2) OWTF-dev (git)
3) Quit

Select 1

(1) Kali Linux
(2) Samurai-WTF
(0) My distro is not listed 🙁

Selected 0 (CentOS isn’t listed)

[*] Installing Local CA for Inbound Proxy
[*] Switching to /tmp/owtf-install/ca/9592
[*] Running following command
sh /root/owtf/install/proxy_CA.sh /root/owtf
Generating RSA private key, 1024 bit long modulus
...............++++++
............................................................++++++
e is 65537 (0x10001)
[*] Donot forget to add the /root/.owtf/proxy/ca.crt as a trusted CA in your browser
[*] Installing Database Config
[*] Switching to /tmp/owtf-install/db-config/9592
[*] Running following command
sh /root/owtf/install/db_config_setup.sh /root/owtf
[*] Creating default config at /root/.owtf/db.cfg
[*] Don't forget to edit /root/.owtf/db.cfg
[*] Do you want to create database and user as specified in /root/.owtf/db.cfg [     Y/n]?

Selected Y (I believe that this initializes the PostgreSQL database for the app)

If all of your dependencies are in place this runs for quite some time and hangs at points (CPU was pegged at 100% for 7 minutes), but eventually it does complete (hopefully successfully).

[*] Finished
#?
1) OWTF 1.0.1 Lionheart
2) OWTF-dev (git)
3) Quit
#? 3

Now what!?

At this point yum was very broken on my VM and I had to fix it to install anything else (see the Notes section at the bottom).

Configuration

http://owtf.readthedocs.org/en/latest/config.html

Database Configuration

Initialize the DB. From the owtf installation folder (this only needs to be done if you selected No to the option of creating the database and user as specified in /root/.owtf/db.cfg):

# pwd
/root/owtf
# sh scripts/db_setup.sh init

------------------------- OWTF Database Helper Script -------------------------
 Helps in creation of user and database
-------------------------------------------------------------------------------

[+] Ensure that you have required values in /root/.owtf/db.cfg

Press Enter to continue

CREATE ROLE
CREATE DATABASE

Add the server IP to the “Interface Server” section of the config:

# vi framework/config/framework_config.cfg

Starting OWTF

Ensure that the postgres database server is running:

# sh scripts/db_run.sh
[+] Postgres running on 127.0.0.1:5432
[+] OWTF db config points towards :
[+] Do you want us to save the new settings for OWTF? [Y/n]
y
[+] New database configuration saved

Start OWTF

./owtf.py

Received an error trying to start OWTF; replace the faulty dependency_check.py code (https://github.com/owtf/owtf/issues/398):

wget https://raw.githubusercontent.com/owtf/owtf/master/framework/dependency_check.py -O framework/dependency_check.py

Start OWTF

./owtf.py

Received an error

Modified

vi /root/owtf/framework/http/transaction.py

import simplejson

to

import json as simplejson

Start OWTF

./owtf.py

Received an error

ImportError: pycurl: libcurl link-time ssl backend (nss) is different from compile-time ssl backend (none/other)

# pip uninstall pycurl
# export PYCURL_SSL_LIBRARY=nss
# pip install pycurl

Start OWTF

./owtf.py

Received an error

Aborted by Framework: [DB] (OperationalError) FATAL:  Ident authentication failed for user “owtf_db_user”

# sh scripts/db_run.sh

Start OWTF

# ./owtf.py

Received an error

 _____ _ _ _ _____ _____
|     | | | |_   _|   __|
|  |  | | | | | | |   __|
|_____|_____| |_| |__|
@owtfp
 http://owtf.org
[-] Aborted by Framework: [DB] (OperationalError) FATAL: Ident authentication failed for user "owtf_db_user"
[-] None None
[-] Run scripts/db_run.sh to start/setup db

I’m actually quite unfamiliar with PostgreSQL… after seeing other posts about non-Kali distros having very few tools available post install, I’m not sure that this is worth the hassle. Giving up here for the time being and looking at something a little tamer to add to the CI.
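The “Ident authentication failed” error above comes from PostgreSQL’s client-authentication rules in pg_hba.conf, not from the password in db.cfg. As an added example (not from the original post or the OWTF project), this helper reads a pg_hba.conf and reports which rule, and therefore which auth method, PostgreSQL will apply to a connection such as owtf_db_user over 127.0.0.1. The sample rules are a constructed copy of the stock CentOS 7 defaults; address matching is simplified to a literal comparison rather than real CIDR matching.

```shell
#!/bin/sh
# Added example (not from the original post): find the pg_hba.conf rule that
# PostgreSQL will apply to a given connection, to explain an
# "Ident authentication failed" error. Matching is simplified: the ADDRESS
# column is compared literally (e.g. "127.0.0.1/32"), not as a CIDR range,
# and "all" matches any database or user, as in PostgreSQL.

# Usage: hba_method TYPE DATABASE USER ADDRESS < pg_hba.conf
# Prints the METHOD of the first matching rule, or "no-match" (exit 1).
hba_method() {
  awk -v ctype="$1" -v cdb="$2" -v cuser="$3" -v caddr="$4" '
    /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blanks
    $1 != ctype { next }                           # local vs host
    $2 != "all" && $2 != cdb { next }              # DATABASE column
    $3 != "all" && $3 != cuser { next }            # USER column
    ctype == "local" { print $4; found = 1; exit } # local rows have no ADDRESS
    $4 != caddr { next }                           # ADDRESS column
    { print $5; found = 1; exit }                  # METHOD column
    END { if (!found) { print "no-match"; exit 1 } }
  '
}

# Constructed copy of the stock CentOS 7 pg_hba.conf rules, for illustration.
SAMPLE_HBA='
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    ident
host    all       all   ::1/128         ident
'

# With these defaults the password in db.cfg is never consulted: TCP clients
# from localhost are checked with ident, which fails for a DB role whose name
# does not match an OS user.
printf '%s\n' "$SAMPLE_HBA" | hba_method host owtf_db owtf_db_user 127.0.0.1/32
```

On a live system run it as `hba_method host owtf_db owtf_db_user 127.0.0.1/32 < /var/lib/pgsql/data/pg_hba.conf` (path assumed); changing that 127.0.0.1/32 rule from ident to md5 and reloading postgresql is the usual way to let the db.cfg password be used.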

Notes

command ‘gcc’ failed with exit status 1

This generally meant that I was missing a dependency.

command ‘gcc’ failed with exit status 4

GCC ran out of memory at 512MB on CentOS 7x64; I had to move to a 1GB VM.

 gcc: internal compiler error: Killed (program cc1)
 Please submit a full bug report,
 with preprocessed source if appropriate.
 See <http://bugzilla.redhat.com/bugzilla> for instructions.
 error: command 'gcc' failed with exit status 4

YUM Issues

In the process of getting the server setup I ended up in a place where yum no longer functioned:

IT HAS BLOWN UP MY SERVER

[root@owtf3 ~]# yum install libffi-devel
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   pycurl: libcurl link-time ssl backend (nss) is different from compile-time ssl backend (none/other)

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Jun 17 2014, 18:11:42)
[GCC 4.8.2 20140120 (Red Hat 4.8.2-16)]

If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

The trick to fixing this is paying attention to the message (nss).

pip uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
pip install pycurl
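Both the yum breakage above and the earlier OWTF ImportError are the same problem: pycurl was compiled for a different SSL backend than the libcurl it links against. As an added example (not from the original post), this helper derives the correct PYCURL_SSL_LIBRARY value from the SSL library that `curl --version` reports, so the rebuild matches the system libcurl instead of relying on reading the message by eye. The `reinstall_pycurl` function and the backend name mapping are assumptions based on pycurl’s documented PYCURL_SSL_LIBRARY values.

```shell
#!/bin/sh
# Added example (not from the original post): pick the PYCURL_SSL_LIBRARY
# value that matches the SSL backend libcurl was linked with, so that a
# rebuilt pycurl does not fail at import time with
# "libcurl link-time ssl backend (nss) is different from compile-time ssl backend".

# Map the SSL library named in the first line of `curl --version` to the
# value pycurl's setup.py expects in PYCURL_SSL_LIBRARY.
# Example input (CentOS 7):
#   curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7 ...
pycurl_ssl_backend() {
  case "$1" in
    *NSS/*)                               echo nss ;;
    *OpenSSL/*|*LibreSSL/*|*BoringSSL*)   echo openssl ;;   # pycurl treats these as openssl
    *GnuTLS/*)                            echo gnutls ;;
    *mbedTLS/*)                           echo mbedtls ;;
    *)                                    echo unknown; return 1 ;;
  esac
}

# Rebuild pycurl against the detected backend. Only does work when called
# explicitly; safe to source this file without side effects.
reinstall_pycurl() {
  backend=$(pycurl_ssl_backend "$(curl --version | head -n 1)") || {
    echo "could not determine the libcurl SSL backend" >&2
    return 1
  }
  echo "libcurl SSL backend: $backend" >&2
  pip uninstall -y pycurl
  PYCURL_SSL_LIBRARY="$backend" pip install --no-cache-dir pycurl
}
```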

OWTF 1.0.1 Lionheart Won’t Start

Ended up having to install the dev version to get this running…

https://github.com/owtf/owtf/issues/385

# ./owtf.py
Traceback (most recent call last):
 File "./owtf.py", line 41, in <module>
 verify_dependencies(os.path.dirname(os.path.abspath(sys.argv[0])) or '.')
 File "/root/owtf/framework/dependency_check.py", line 57, in verify_dependencies
 owtf_libraries = [req.req.project_name for req in owtf_reqs]
 File "/usr/lib/python2.7/site-packages/pip/req/req_file.py", line 31, in parse_requirements
 "parse_requirements() missing 1 required keyword argument: "
TypeError: parse_requirements() missing 1 required keyword argument: 'session'