1 / 18

IronWASP Open Source Web App Testing Framework

OWASP London, 29 th March 2012. IronWASP Open Source Web App Testing Framework. Manish S. Saindane manish@andlabs.org. WHOAMI. Sr. Security Consultant @ GDS Security London ( http://www.gdssecurity.com/ ) Co-author security website/blog Attack & Defense Labs ( http://andlabs.org )

wind
Download Presentation

IronWASP Open Source Web App Testing Framework

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OWASP London, 29th March 2012 IronWASPOpen Source Web App Testing Framework • Manish S. Saindane • manish@andlabs.org

  2. WHOAMI • Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/) • Co-author security website/blog Attack & Defense Labs (http://andlabs.org) • Contributor to IronWASP and maintain the Ruby plug-in repo. • Speaker at BlackHat EU 2010, InfoSecurity India 2007

  3. What is IronWASP? • Open Source framework for Web Application Security Testing • Designed for optimum mix of Manual and Automated Testing • Designed for Pentesters and QA folks • Allows designing customised penetration tests • Easy to use GUI and Advanced scripting capability

  4. Why IronWASP? • Customise penetration tests • Reduce retest efforts • Smart enough but honest about its limitations • Provide complete freedom for the pentester to modify it as he/she sees fit

  5. Key Components • Built-in Crawler + Scan Manager + Proxy • Integrated Python/Ruby Scripting Environment with IronWASP API • (Iron)Python/Ruby based plug-ins • Active plug-ins for Scanning • Passive plug-ins for vulnerability detection • Format plug-ins for defining data formats • Session plug-ins to customise the scans • JavaScript Static Analysis Engine

  6. IronWASP API • HTTP Request/Response Classes • Scanner, Encoders/Decoders, Other useful methods • HTML Parsing • Complete access to IronWASP functionality • Documentation available in GUI

  7. Scripting Shell • One of the most exiting component of IronWASP • Python/Ruby scripting REPL • Full access to the framework with IronWASP API • Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc.

  8. Plug-ins • Written in Python/Ruby using the IronWASP API • Easy to modify existing plug-ins • Can easily add new custom plug-ins • UI based API doc provided inside the tool • Syntax highlighting Script Editor with basic error checking support built-in

  9. Plug-ins • IronRuby plug-ins: • https://github.com/msaindane/IronWASP-Ruby-Plugins • IronPython plug-ins: • https://github.com/Lavakumar/IronWASP-Python-Plugins

  10. Format Plug-ins • Deal with custom data formats in the Request/Response body • Used with the Active plug-ins to fuzz almost* any data format • E.g. • WCF Binary, JSON, AMF, etc. *Any data format that can be converted to XML and back

  11. Session Plug-ins • Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc. • Automated Scanners usually do not understand this but testers do ! • Testers need to feed this info into the Scanner

  12. Session Plug-ins • Allows the tester to build custom logic needed to scan a particular application • Used along with the Active plug-ins • E.g. • Multi-step forms • Dynamic login functionality

  13. Passive Plug-ins • Passive analysis of Web traffic and spot vulnerabilities • Ability to modify traffic based on custom logic • E.g. • Passwords sent over clear-text • Cookie and Header analysis

  14. Active Plug-ins • Automated vulnerability identification • Need to be explicitly called by the user • Fine grained scanning support • E.g. • Cross-site Scripting, SQL Injection, etc.

  15. JavaScript Static Analysis • Taint analysis for finding DOM based XSS • Identifies Sources and Sinks and traces them through the code • Custom Source and Sink objects can be configured

  16. Q’s, Comments, Feedback • Mailing List: http://groups.google.com/group/ironwasp • Lavakumar: @lavakumark / lava@ironwasp.org • Manish: @msaindane / manish@andlabs.org • Website: http://ironwasp.org

  17. Thanks to • Gotham Digital Science • The security community • Everyone who helped with testing and feedback http://ironwasp.org/about.html#credits

  18. Q & A ??

More Related