Just took a look at the new OWASP WTE (Web Testing Environment) Live CD beta. To explain what this is, let me first compare it to the well-known Backtrack Live CD. Backtrack has long been the de-facto standard among live CD-Based security tool collections. Basically, it’s a CD you boot your system to rather than the hard drive, loading a Linux-based environment with the security tools installed. The tools range in their functionality from simple reconnaissance tools to port scanners to actual exploits. Backtrack is an invaluable to to any penetration tester.
The OWASP WTE Live CD is similar but instead focuses only on web application security. The tools are designed to find vulnerabilities on web applications which could be exploited through the use of such attacks as XSS or SQL Injection, among many others. Web application security is a huge concern lately since a large number of the current attacks are levied against web applications themselves and the clients that use them. Direct attacks on firewalls or network infrastructures are comparatively in decline these days since the technology protecting networking on lower levels of the OSI model have greatly improved.
A New Distro
The Live CD has been around for some time and was formerly known as the OWASP Live CD, but the name has changed and so has the underlying operating system. The older versions were built on Slax, which has been a long-time favorite of live CD developers over the years because of its tiny profile. However, Ubuntu was chosen for probably many reasons, one of which is that time spent trying to get various hardware drivers to work could instead be spent adding new security tools. Backtrack likewise switched to Ubuntu for version 4.
What you now get is a nice, crisp desktop with everything working out of the box. You’d almost forget that it was a security distribution and just start playing with it as you would any other Linux distribution. The authors also provide VMWare and VirtualBox images. The advantages of using these over the live CDs are that 1)they are persistent, meaning changes you make, stuff you install, etc will stay between reboots and 2) that you can work with the OWASP WTE while working with your host operating system as well. Heck, fire up Backtrack in a second virtual machine and really have some fun.
The Tools
If you’re not familiar with previous revisions of the OWASP Live CD and you compare it to, say, Backtrack, you might ask “why are there so few tools?” On the current Beta release we see 25 tools listed. (Can you really count Firefox?) While the authors of the CD could answer best as to the seemingly short list of tools, I have a some ideas.
First, remember that this Live CD is focused on Web Application security. Backtrack attempts to include everything dealing with every aspect of information security, from forensics to port scanning. It’s a fairly complete collection, but as a pen tester you really only need a small subset of these tools, and if your focus is on Web Application security, your tool list becomes even shorter. You learn to sharpen your skills with a few really good tools and ignore the rest if they provide no other functionality. Backtrack has a tendency to be rather repetitive with its tools. How many port scanners do you really need?
Second, remember that web application security is only now coming of age. Knowing now that this is where the risks are, we are only now, in the last few years, starting to see the emergence of good testing tools. Perhaps this is a call to developers to provide us with even more such tools.
However, it should be pointed out that more tools are on the way. This is a very fluid project. Now, thanks to the use of Ubuntu, more work can be done to produce such packages. Also, keep in mind that with the virtualized versions of the OWASP WTE (or versions installed on a USB drive or directly on the hard drive) you have the freedom to add your own tools.
The tools included on the Live CD represent the best of the available open sources security tools for web application testing. Reconnaissance tools, fuzzers, proxies, and even automated vulnerability testers such as W3AF are standard gear. Also included are some of the basic pen testing tools such as nmap, wireshark, and netcat.
Recommendations
Some of these may already be in the works, and others may be nit-picking, but that’s my nature.
-
It’s a security distribution. We need a dark theme with a flame job and some voice as a startup sound. Maybe James Earl Jones saying “You’ve been Pwned!” Seriously though, I loved the wasp from the previous versions of the Live CD. It really stood out. The current look, hwoever is very is very clean and nice. No major complaints.
-
Firefox is installed, but what’s missing are all the cool plug-ins related to application security like Tamper Data. Even the web developer plug-in would be useful to have. (Ok, scratch this one. Included on the Live CD is a launcher for “Firefox OWASP Style” with all the plugins. We all have our idiot moments. Hey, I just realized, with the small readership I have, I could have deleted this point and nobody would have been the wiser. Oh well…)
So the only real recommendation I have at this point is James Earl Jones. That’s what you get with a preliminary look. 
Conclusions
The OWASP WTE Live CD is a work in progress, but I am very impressed thus far. I am happy to see it move to an Ubuntu platform as it will open up a whole new realm of tools and packaging possibilities. I look forward to its future development and the new tools being added.
OWASP WTE Live CD Website: http://appseclive.org
Backtrack: http://www.backtrack-linux.org/
One last note: The Appseclive.org website has a lot of good information and articles pertaining to application security. Take some time to peruse their material.