Professional Penetration Testing Tool To Manage Test Consistency

AutoWASPy is a comprehensive Flask web application designed specifically to manage penetration testing projects using the complete OWASP framework suite including WSTG, MASTG, API Security, IoT Security, ASVS, and Cloud Security guidelines.

• Multi-Framework Support: Complete OWASP framework integration (WSTG, MASTG, API, IoT, ASVS, Cloud)
• Client Tracking: Advanced project organization with status tracking
• Dynamic Checklist Generation: Real-time fetching from official OWASP repositories
• Rich Evidence Management: Markdown-enabled documentation with collapsible UI
• Comprehensive Export: CSV, XLSX, and Markdown report generation

• 20+ Automated Tests: Multi-layered security vulnerability detection
• Framework-Specific Testing: Specialized tests for each OWASP methodology
• Real-time Analysis: Live security assessment with detailed evidence collection
• Professional Reporting: Publication-ready reports with full request/response logging
• Multi-Target Support: Concurrent testing across multiple endpoints

• WSTG Integration: Web Security Testing Guide with 109+ test cases
• MASTG Support: Mobile Application Security Testing Guide with 92+ individual tests
• API Security Testing: OWASP API Security Top 10 comprehensive coverage
• IoT Security Assessment: IoT Security Testing Guide (ISTG) integration
• ASVS Verification: Application Security Verification Standard compliance
• Cloud Security Guidelines: CIS benchmarks and cloud-specific security controls
• Dynamic Fallback Systems: Robust multi-source data fetching with GitHub API integration

AutoWASPy includes 20+ automated security tests covering multiple frameworks:

• Web Applications (WSTG): Complete transport security, authentication, and input validation testing
• Mobile Applications (MASTG): Platform-specific iOS/Android security assessment
• API Security: REST/GraphQL API vulnerability detection and testing
• IoT Devices: Hardware and firmware security evaluation
• Application Security Verification (ASVS): Multi-level security requirement verification

• Transport Security: Advanced HSTS, SSL/TLS, and certificate validation
• Authentication & Session: Multi-factor authentication, session management, and token security
• Input Validation: Comprehensive injection testing (SQL, XSS, Command, LDAP)
• Information Disclosure: Advanced reconnaissance and sensitive data exposure detection
• Access Control: Authorization bypass, privilege escalation, and RBAC testing
• HTTP Security: Complete security headers analysis and CORS validation
• Cryptography: Encryption strength, key management, and random number generation testing

• Intelligent Fingerprinting: Technology stack and version detection
• Admin Interface Discovery: Advanced administrative panel enumeration
• File System Analysis: Backup, temporary, and configuration file exposure
• Version Control Exposure: Git, SVN, and repository disclosure detection
• Cloud Service Detection: AWS, Azure, GCP service and misconfiguration identification

• Backend: Python Flask with modular blueprint architecture
• ORM: SQLAlchemy with advanced relationship management
• Frontend: Responsive HTML templates with Tailwind CSS
• Database: SQLite with full ACID compliance (production-ready)
• Security Testing: Multi-framework automated vulnerability assessment
• APIs: GitHub REST API integration with intelligent caching
• Documentation: Markdown rendering with syntax highlighting
• Export Formats: CSV, XLSX, and professional Markdown reports

• Python 3.8 or higher
• Git

# Clone the repository
git clone https://github.com/yourusername/AutoWASPy.git
cd AutoWASPy

# Create virtual environment
python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Initialize database
python3 app.py

Flask==2.3.3
Flask-SQLAlchemy==3.0.5
requests==2.31.0
urllib3==2.0.7
python-dotenv==1.0.0
markdown==3.5.1
markupsafe==2.1.3
openpyxl==3.1.2

# Production modular application (recommended)
python3 app_modular.py

# Alternative: Simplified application
python3 app.py

Access the application at http://localhost:5001

1. Create Multi-Framework Project: Choose from Web, Mobile (iOS/Android), API, IoT, ASVS, or Cloud Security
2. Automatic Checklist Generation: Dynamic fetching of 500+ test cases from official OWASP repositories
3. Configure Testing Targets: Add multiple URLs, API endpoints, or mobile app packages
4. Execute Comprehensive Analysis: Run framework-specific automated security tests
5. Rich Evidence Collection: Document findings with markdown support and collapsible UI
6. Professional Reporting: Export detailed reports in CSV, XLSX, or Markdown formats
7. Advanced Project Management: Track progress, manage evidence, and collaborate with team members

• Web Applications: Choose WSTG for traditional web application testing
• Mobile Apps: Select MASTG for iOS/Android application security assessment
• APIs: Use API Security for REST, GraphQL, and web service testing
• IoT Devices: Select IoT Security for embedded and hardware device testing
• Enterprise Applications: Choose ASVS for comprehensive security verification
• Cloud Infrastructure: Select Cloud Security for AWS, Azure, GCP assessment

# Test Evidence Example
## SQL Injection Test - Login Form

**Payload Used**: `' OR '1'='1' --`
**Response**: Application returned database error revealing MySQL version

### Impact
- **Severity**: High
- **CVSS Score**: 8.1
- **Recommendation**: Implement parameterized queries

# Export all project data
project.export_to_markdown()  # Professional report format
project.export_to_xlsx()      # Spreadsheet for analysis
project.export_to_csv()       # Data interchange format

AutoWASPy provides the most comprehensive OWASP framework integration available:

• 109+ Test Cases: Complete coverage of all WSTG categories
• Dynamic Fetching: Real-time updates from OWASP GitHub repository
• Category Organization: Structured by OWASP testing methodology
• Evidence Templates: Pre-formatted documentation for each test case

• 92+ Individual Tests: Granular test cases for comprehensive mobile security
• Platform Coverage: iOS and Android specific security assessments
• Modern Architecture: Support for latest mobile security challenges
• Rich Documentation: Full markdown descriptions with testing guidance

• 10 Critical Risks: Complete API security vulnerability coverage
• REST & GraphQL: Support for modern API architectures
• Authentication Testing: OAuth, JWT, and API key security validation
• Rate Limiting: API abuse and DoS protection verification

• Device Security: Hardware and firmware vulnerability assessment
• Communication Protocols: Wireless, Bluetooth, and network testing
• Data Privacy: IoT-specific data protection and privacy testing
• Update Mechanisms: Firmware update security and verification

• 300+ Requirements: Multi-level security verification standards
• L1, L2, L3 Coverage: Graduated security requirement levels
• Architecture Verification: Design and implementation security assessment
• Compliance Mapping: Industry standard and regulation alignment

• CIS Benchmarks: Industry-standard cloud security configuration
• Multi-Cloud Support: AWS, Azure, Google Cloud Platform coverage
• Infrastructure Security: Container, serverless, and microservice testing
• Compliance Frameworks: SOC2, ISO27001, and PCI-DSS alignment

# Application Configuration
export PORT=5001                    # Custom port
export SECRET_KEY=your-secret-key    # Flask secret key
export DATABASE_URL=sqlite:///autowaspy.db  # Database connection

# OWASP Data Sources
export GITHUB_API_TOKEN=ghp_xxx      # Optional: Higher rate limits
export CACHE_TIMEOUT=3600            # OWASP data cache duration

# Security Settings
export SSL_VERIFY=true               # SSL certificate verification
export DEBUG_MODE=false              # Production security

AutoWASPy uses a modular blueprint architecture for scalability:

app/
├── __init__.py           # Application factory
├── models/              # Database models
├── routes/              # Blueprint routes
│   ├── main.py         # Main navigation
│   ├── projects.py     # Project management
│   ├── testing.py      # Automated testing
│   ├── exports.py      # Report generation
│   └── admin.py        # Administrative functions
├── services/           # OWASP framework services
│   ├── owasp_service.py      # WSTG/MASTG integration
│   ├── api_security_service.py  # API security testing
│   ├── iot_security_service.py  # IoT security assessment
│   ├── asvs_service.py          # ASVS verification
│   └── cloud_security_service.py # Cloud security (CIS)
└── utils/              # Utility functions

• Syntax Highlighting: Code blocks with language detection
• Table Support: Professional tabular data presentation
• Security Filtering: XSS prevention with safe HTML rendering
• Collapsible Sections: Organized content with expandable details

• CSV Format: Structured data for analysis and reporting
• XLSX Format: Rich formatting with charts and conditional formatting
• Markdown Format: Publication-ready technical documentation
• Custom Templates: Branded report generation for client delivery

📊 Automated Test Results for https://example.com:
✅ 12 Tests Passed
❌ 6 Tests Failed  
ℹ️ 2 Informational
💥 0 Errors

Key Findings:
- Missing HSTS header
- Insecure cookie configuration
- Server version disclosure
- No admin panels discovered
- SSL/TLS properly configured

• Read-Only Testing: No data modification during automated tests
• Rate Limiting: Respectful testing to avoid service disruption
• SSL Verification: Proper certificate validation (with warnings for self-signed)
• Error Handling: Graceful failure handling for robust operation

• Request/Response Logging: Complete HTTP transaction details
• Categorized Results: Pass/Fail/Informational/Error classification
• Detailed Analysis: Comprehensive explanations and recommendations
• Export Ready: Evidence formatted for professional reports

We welcome contributions! Please see our contributing guidelines:

1. Fork the repository
2. Create a feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

# Install development dependencies
pip install -r requirements-dev.txt

# Run tests
python3 -m pytest tests/

# Run linting
flake8 app.py

This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.

• OWASP WSTG - Web Security Testing Guide
• OWASP MSTG - Mobile Security Testing Guide
• OWASP Top 10 - Most Critical Web Application Security Risks

• 📧 Email: [Your Contact Email]
• 🐛 Issues: GitHub Issues
• 📖 Wiki: Project Wiki

• API Security Testing
• Docker Containerization
• Multi-user Authentication
• PDF Report Generation
• CI/CD Integration

• v2.0 - 20 Automated Security Tests, Enhanced OWASP Integration
• v1.5 - OWASP MSTG Support, Evidence Management
• v1.0 - Initial Release, Basic WSTG Integration

Made with ❤️ for the cybersecurity community

AutoWASPy - Empowering penetration testers with automated security analysis and OWASP methodology integration.

• WSTG (Web Security Testing Guide): Complete checklist for web application security testing
• MSTG (Mobile Security Testing Guide): Comprehensive mobile application security testing for iOS and Android
• Categorized test items with detailed descriptions
• Evidence collection for each test case

• HTTP Security Headers: Automatically test for HSTS, security headers, and cookie attributes
• SSL/TLS Configuration: Validate encryption and certificate settings
• Request/Response Analysis: Capture and analyze HTTP traffic
• Evidence Auto-Population: Automated test results populate evidence fields

• Rich text evidence collection
• Request/response capture and highlighting
• Risk level assignment (Low, Medium, High, Critical)
• Test status tracking (Pass, Fail, Informational)
• Screenshot and artifact storage

• Python 3.8+
• pip package manager

1. Clone or download the project

   cd AutoWASPy

2. Install dependencies

   pip install -r requirements.txt

3. Run the application

   python app.py

4. Access the application Open your browser and navigate to http://localhost:5000

1. Click "New Project" from the dashboard
2. Enter project details:
   • Project Name: Descriptive name for your test
   • Client Name: Organization being tested
   • Testing Type:
     • Web Application (OWASP WSTG)
     • Mobile iOS (OWASP MSTG)
     • Mobile Android (OWASP MSTG)
3. For web applications, add target URLs for automated testing
4. Click "Create Project"

Each project includes relevant OWASP test cases:

• View by Category: Tests are organized by OWASP categories
• Evidence Collection: Add detailed evidence for each test
• Status Tracking: Mark tests as Pass/Fail/Informational
• Risk Assessment: Assign risk levels to findings
• Progress Tracking: Visual progress indicators

For web application projects:

1. Configure target URLs during project creation
2. Click "Run Auto Tests" from the project page
3. Automated tests include:
   • HSTS header validation
   • Cookie security attributes
   • Security header analysis
   • SSL/TLS configuration checks

Results are automatically populated into relevant OWASP test cases.

Keep your test cases current with the latest OWASP guidelines:

1. Access Refresh Function

   • Click "Refresh OWASP" in the main navigation
   • View current cache status and data sources

2. Refresh Process

   • Fetches latest WSTG tests from official OWASP GitHub repository
   • Retrieves current MSTG requirements from official sources
   • Automatically adds new test cases to existing projects
   • Preserves existing evidence and test results

3. Smart Caching

   • 24-hour cache prevents excessive API calls
   • Shows data source (GitHub vs Fallback)
   • Displays last update timestamp
   • Fallback data ensures continuity when GitHub is unavailable

• Flask: Web framework
• SQLAlchemy: Database ORM
• SQLite: Local database storage
• Requests: HTTP client for automated testing

• Tailwind CSS: Modern styling framework
• Responsive Design: Mobile-friendly interface
• JavaScript: Interactive features and auto-save

• Projects: Client and project information
• TestItems: OWASP test cases with evidence
• AutoTestResults: Automated testing results

• Information Gathering: Fingerprinting, technology detection, sensitive file discovery
• Configuration Testing: Server configuration, SSL/TLS validation, security headers
• Authentication Testing: Session management, cookie security, authentication bypass
• Input Validation: Injection testing, encoding validation, file upload security

• Platform Analysis: iOS/Android specific security controls
• Data Storage: Keychain, SharedPreferences, database security
• Communication: Network security, certificate pinning, traffic analysis
• Code Protection: Binary analysis, anti-tampering, reverse engineering protection

• Authentication: OAuth, JWT, API key validation and security
• Authorization: RBAC, resource access control, privilege escalation
• Input Validation: Parameter tampering, injection attacks, schema validation
• Rate Limiting: DoS protection, abuse prevention, throttling mechanisms

• Architecture Review: Design pattern security, threat modeling validation
• Access Control: Authentication strength, session management, authorization
• Input Validation: Comprehensive injection testing, encoding verification
• Cryptography: Algorithm strength, key management, random number generation

• Framework-Specific: Tests tailored to each OWASP methodology
• Risk-Based: Priority testing based on CVSS scores and business impact
• Dependency Mapping: Automatic test sequencing and prerequisite handling
• Parallel Execution: Concurrent testing for improved performance

• Request/Response Logging: Complete HTTP transaction capture
• Screenshot Integration: Visual evidence for web application testing
• Traffic Analysis: Network communication security assessment
• Vulnerability Correlation: Cross-reference findings across test frameworks

• 01-INFO: Information Gathering and Reconnaissance
• 02-CONF: Configuration and Deployment Management Testing
• 03-IDEN: Identity Management Testing
• 04-ATHN: Authentication Testing
• 05-ATHZ: Authorization Testing
• 06-SESS: Session Management Testing
• 07-INPV: Input Validation Testing
• 08-ERRH: Testing for Error Handling
• 09-CRYP: Testing for Weak Cryptography
• 10-BUSLOGIC: Business Logic Testing
• 11-CLNT: Client-side Testing

• Architecture & Design: Security architecture and threat modeling
• Data Storage & Privacy: Secure data handling and privacy protection
• Cryptography: Encryption implementation and key management
• Authentication & Session: Identity verification and session security
• Network Communication: Secure communication protocols
• Platform Interaction: OS-specific security controls
• Code Quality: Secure coding practices and build security
• Resilience: Anti-tampering and reverse engineering protection

• API1: Broken Object Level Authorization
• API2: Broken Authentication
• API3: Broken Object Property Level Authorization
• API4: Unrestricted Resource Consumption
• API5: Broken Function Level Authorization
• API6: Unrestricted Access to Sensitive Business Flows
• API7: Server Side Request Forgery
• API8: Security Misconfiguration
• API9: Improper Inventory Management
• API10: Unsafe Consumption of APIs

• Device Security: Hardware and firmware security assessment
• Communication: Wireless protocols and network security
• Data Protection: Privacy and data handling verification
• Update Mechanisms: Secure update and patch management
• Physical Security: Tamper resistance and physical access controls

• V1: Architecture, Design and Threat Modeling Requirements
• V2: Authentication Verification Requirements
• V3: Session Management Verification Requirements
• V4: Access Control Verification Requirements
• V5: Validation, Sanitization and Encoding Requirements
• V6: Stored Cryptography Verification Requirements
• V7: Error Handling and Logging Requirements
• V8: Data Protection Verification Requirements
• V9: Communication Verification Requirements
• V10: Malicious Code Verification Requirements
• V11: Business Logic Verification Requirements
• V12: File and Resources Verification Requirements
• V13: API and Web Service Verification Requirements
• V14: Configuration Verification Requirements

• CIS Benchmarks: Industry-standard configuration baselines
• AWS Security: EC2, S3, IAM, and service-specific controls
• Azure Security: Resource management, identity, and compliance
• GCP Security: Compute, storage, and network security controls

AutoWASPy/
├── app_modular.py              # Main modular application entry point
├── app.py                      # Simplified application (development)
├── requirements.txt            # Python dependencies with security packages
├── instance/
│   └── autowaspy.db           # SQLite database with full schema
├── app/                       # Modular application package
│   ├── __init__.py           # Application factory with blueprint registration
│   ├── models/               # Database models and relationships
│   │   └── __init__.py       # Project, TestItem, AutoTestResult models
│   ├── routes/               # Blueprint route handlers
│   │   ├── main.py          # Main navigation and dashboard
│   │   ├── projects.py      # Project management and CRUD operations
│   │   ├── testing.py       # Automated testing execution
│   │   ├── exports.py       # Report generation and export
│   │   └── admin.py         # Administrative and maintenance functions
│   ├── services/             # OWASP framework integration services
│   │   ├── owasp_service.py        # WSTG/MASTG core services
│   │   ├── api_security_service.py # API Security Top 10 testing
│   │   ├── iot_security_service.py # IoT Security Testing Guide
│   │   ├── asvs_service.py         # Application Security Verification
│   │   └── cloud_security_service.py # Cloud Security (CIS Benchmarks)
│   └── utils/                # Utility functions and helpers
│       └── datetime_utils.py # Timezone-aware datetime handling
├── templates/                # Jinja2 templates with Tailwind CSS
│   ├── base.html            # Base template with navigation
│   ├── index.html           # Project dashboard with status overview
│   ├── new_project.html     # Multi-framework project creation
│   ├── project_detail.html  # Test case management with markdown support
│   ├── autotest_results.html # Automated testing results display
│   └── refresh_owasp.html   # OWASP data refresh interface
├── .github/
│   └── copilot-instructions.md # Development guidelines and standards
└── README.md                # Comprehensive documentation

1. Create Service Module: Implement framework-specific service in app/services/
2. Define Test Structure: Follow existing pattern for test case organization
3. Implement Fetching Logic: Add GitHub API integration with fallback data
4. Update Project Routes: Extend project creation to support new framework
5. Add Template Support: Update UI to display framework-specific content

Example: Adding a new framework service

# app/services/new_framework_service.py
class NewFrameworkService:
    @staticmethod
    def fetch_framework_data():
        """Fetch framework data from official OWASP sources"""
        try:
            return NewFrameworkService._fetch_from_github()
        except Exception as e:
            return NewFrameworkService._get_fallback_data()
    
    @staticmethod
    def _fetch_from_github():
        """Implement GitHub API integration"""
        # Framework-specific fetching logic
        pass

1. Extend AutoTestService: Add new test methods following existing patterns
2. Framework Integration: Map tests to specific OWASP framework requirements
3. Evidence Collection: Implement comprehensive request/response logging
4. Result Correlation: Cross-reference findings across multiple frameworks

The application uses SQLAlchemy with automatic migration support:

# Example: Adding new fields to TestItem model
class TestItem(db.Model):
    # Existing fields...
    full_description = db.Column(db.Text)  # Markdown content
    cvss_score = db.Column(db.Float)       # CVSS v3.1 score
    cwe_id = db.Column(db.String(20))      # CWE identifier
    remediation = db.Column(db.Text)       # Remediation guidance

AutoWASPy supports multiple export formats with extensible architecture:

1. CSV Export: Structured data for spreadsheet analysis
2. XLSX Export: Rich formatting with conditional formatting and charts
3. Markdown Export: Publication-ready technical documentation
4. PDF Export: Professional client-ready reports (planned)

• Input Validation: All user inputs validated and sanitized using SQLAlchemy ORM
• XSS Protection: Template escaping enabled with safe markdown rendering
• SQL Injection Prevention: Parameterized queries and ORM protection
• CSRF Protection: Token-based request validation (configurable)
• SSL/TLS: Configurable certificate validation for testing environments

• Intelligent Caching: OWASP data cached with configurable TTL
• Asynchronous Testing: Parallel execution of automated tests
• Database Optimization: Indexed queries and relationship optimization
• Memory Management: Efficient handling of large test result sets

• SSL Verification: Configurable for testing environments
• Input Validation: All user inputs are validated and sanitized
• SQL Injection Protection: SQLAlchemy ORM prevents SQL injection
• XSS Protection: Template escaping enabled by default

This tool is designed for authorized security testing only. Users are responsible for ensuring they have proper authorization before testing any systems.

AutoWASPy is designed for CHECK Team Leaders and security professionals. Contributions welcome in:

• Additional OWASP Framework Integration: New and emerging OWASP guidelines
• Enhanced Automated Testing: Advanced vulnerability detection and assessment
• Machine Learning Integration: Intelligent test case prioritization and analysis
• Enterprise Features: Multi-user support, role-based access, and collaboration tools
• Cloud-Native Testing: Container, serverless, and microservice security assessment
• Mobile Security: Enhanced iOS/Android testing with dynamic analysis
• Reporting & Analytics: Advanced metrics, trending, and executive dashboards

• WSTG: Additional automated test implementations for manual test cases
• MASTG: Dynamic analysis integration and device testing automation
• API Security: GraphQL testing, WebSocket security, and API gateway assessment
• IoT Security: Hardware security testing and firmware analysis integration
• ASVS: Automated verification and compliance reporting
• Cloud Security: Multi-cloud provider support and infrastructure-as-code testing

• Performance Optimization: Parallel testing execution and result caching
• Security Enhancements: Advanced authentication, authorization, and audit logging
• Integration Development: CI/CD pipeline integration and external tool connectivity
• Documentation: Enhanced user guides, API documentation, and training materials

1. Fork Repository: Create feature branch from main
2. Follow Standards: Adhere to OWASP secure coding practices
3. Test Coverage: Include comprehensive unit and integration tests
4. Documentation: Update README and inline documentation
5. Security Review: Ensure all contributions maintain security posture

• AI-Powered Testing: Machine learning-based vulnerability detection
• Real-Time Collaboration: Multi-user project collaboration with real-time updates
• Advanced Reporting: Executive dashboards with risk metrics and trending
• API Integration: RESTful API for external tool integration
• Mobile Application: Native mobile app for field testing and evidence collection

• Single Sign-On: SAML/OAuth integration for enterprise authentication
• Role-Based Access: Granular permissions and project access control
• Audit Logging: Comprehensive activity tracking and compliance reporting
• Custom Branding: White-label deployment for consulting organizations

Disclaimer: This tool is intended for authorized security testing only. Always ensure you have explicit permission before testing any systems or applications.