IronWASP Open Source Web App Testing Framework - PowerPoint PPT Presentation

Presentation Transcript

  1. IronWASP: Open Source Web App Testing Framework
     OWASP London, 29th March 2012
     • Manish S. Saindane
     • manish@andlabs.org

  2. WHOAMI
     • Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)
     • Co-author of the security website/blog Attack & Defense Labs (http://andlabs.org)
     • Contributor to IronWASP; maintainer of the Ruby plug-in repo
     • Speaker at BlackHat EU 2010, InfoSecurity India 2007

  3. What is IronWASP?
     • Open Source framework for Web Application Security Testing
     • Designed for an optimum mix of manual and automated testing
     • Designed for pentesters and QA folks
     • Allows designing customised penetration tests
     • Easy-to-use GUI and advanced scripting capability

  4. Why IronWASP?
     • Customise penetration tests
     • Reduce retest effort
     • Smart enough, but honest about its limitations
     • Provides complete freedom for the pentester to modify it as he/she sees fit

  5. Key Components
     • Built-in Crawler + Scan Manager + Proxy
     • Integrated Python/Ruby scripting environment with the IronWASP API
     • (Iron)Python/Ruby based plug-ins:
       • Active plug-ins for scanning
       • Passive plug-ins for vulnerability detection
       • Format plug-ins for defining data formats
       • Session plug-ins to customise the scans
     • JavaScript Static Analysis Engine

  6. IronWASP API
     • HTTP Request/Response classes
     • Scanner, Encoders/Decoders, other useful methods
     • HTML parsing
     • Complete access to IronWASP functionality
     • Documentation available in the GUI

  7. Scripting Shell
     • One of the most exciting components of IronWASP
     • Python/Ruby scripting REPL
     • Full access to the framework through the IronWASP API
     • Programmatic analysis of logs, building custom fuzzers from existing requests, crafting new requests, etc.

  8. Plug-ins
     • Written in Python/Ruby using the IronWASP API
     • Easy to modify existing plug-ins
     • Can easily add new custom plug-ins
     • UI-based API documentation provided inside the tool
     • Syntax-highlighting script editor with basic error checking built in

  9. Plug-ins
     • IronRuby plug-ins: https://github.com/msaindane/IronWASP-Ruby-Plugins
     • IronPython plug-ins: https://github.com/Lavakumar/IronWASP-Python-Plugins

  10. Format Plug-ins
     • Deal with custom data formats in the Request/Response body
     • Used with the Active plug-ins to fuzz almost* any data format
     • E.g. WCF Binary, JSON, AMF, etc.
     * Any data format that can be converted to XML and back
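The slide's footnote is the whole contract of a Format plug-in: the active plug-in only knows how to edit an XML tree, so any body format that can be turned into XML and back can be scanned. The following is an added illustration of that round trip using JSON as the "custom" format; it is example code written for this transcript, not IronWASP's own FormatPlugin class, and the function names (json_to_xml, xml_to_json, leaf_paths, replace_leaf) and the sample body are constructed here. Keys go into an attribute rather than a tag name because a JSON key need not be a legal XML tag, and the JSON type is recorded so the reverse conversion is lossless.

```python
import json
import xml.etree.ElementTree as ET

# Added illustration of the body -> XML -> body contract a Format plug-in
# provides. Constructed for this transcript; not IronWASP's own code.


def json_to_xml(body):
    """Convert a JSON document into an XML tree a generic XML fuzzer can walk.

    Object keys are kept in a 'key' attribute and the original JSON type in a
    'type' attribute, so xml_to_json can rebuild the exact original value.
    """
    def build(parent, key, value):
        if isinstance(value, dict):
            el = ET.SubElement(parent, "obj")
            for k, v in value.items():
                build(el, k, v)
        elif isinstance(value, list):
            el = ET.SubElement(parent, "arr")
            for item in value:
                build(el, None, item)
        else:
            el = ET.SubElement(parent, "val")
            if value is None:
                el.set("type", "null")
            elif isinstance(value, bool):  # bool before int: bool subclasses int
                el.set("type", "bool")
                el.text = "true" if value else "false"
            elif isinstance(value, int):
                el.set("type", "int")
                el.text = str(value)
            elif isinstance(value, float):
                el.set("type", "float")
                el.text = repr(value)
            else:
                el.set("type", "str")
                el.text = value
        if key is not None:
            el.set("key", key)

    root = ET.Element("json")
    build(root, None, json.loads(body))
    return ET.tostring(root, encoding="unicode")


def xml_to_json(xml):
    """Reverse of json_to_xml: rebuild the JSON body from the (possibly mutated) tree."""
    def read(el):
        if el.tag == "obj":
            return {child.get("key"): read(child) for child in el}
        if el.tag == "arr":
            return [read(child) for child in el]
        kind, text = el.get("type"), el.text or ""  # empty text parses back as None
        if kind == "null":
            return None
        if kind == "bool":
            return text == "true"
        if kind == "int":
            return int(text)
        if kind == "float":
            return float(text)
        return text

    return json.dumps(read(ET.fromstring(xml)[0]), separators=(",", ":"))


def leaf_paths(xml):
    """List every scalar as (path, text) in document order: the points a scanner can vary."""
    out = []

    def walk(el, path):
        if el.tag == "val":
            out.append((path, el.text or ""))
        elif el.tag == "obj":
            for child in el:
                key = child.get("key")
                walk(child, f"{path}.{key}" if path else key)
        else:  # arr
            for i, child in enumerate(el):
                walk(child, f"{path}[{i}]")

    walk(ET.fromstring(xml)[0], "")
    return out


def replace_leaf(xml, index, new_text):
    """Substitute one scalar (by document order) and convert back to JSON.

    This is the step an active plug-in relies on: it edits an XML text node
    without understanding the original format, and the format plug-in
    serialises the result back into a body the application will accept.
    """
    root = ET.fromstring(xml)
    leaf = list(root.iter("val"))[index]
    leaf.text = new_text
    leaf.set("type", "str")  # a substituted test value is always a string
    return xml_to_json(ET.tostring(root, encoding="unicode"))


# Constructed sample body, not captured from any real application.
SAMPLE_BODY = '{"user":"alice","age":30,"admin":false,"tags":["a","b"],"meta":null,"score":1.5}'
```

The same shape applies to WCF Binary or AMF: only the two conversion functions change, while the scanner keeps walking `val` nodes. A real plug-in should also verify that the conversion is a faithful round trip on untouched input (as the test below does) before trusting any finding from a mutated body, otherwise a conversion bug is indistinguishable from an application bug.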

  11. Session Plug-ins
     • Every site has slight variations in authentication, session handling, CSRF protections, logic flow, etc.
     • Automated scanners usually do not understand this, but testers do!
     • Testers need to feed this information into the scanner

  12. Session Plug-ins
     • Allow the tester to build the custom logic needed to scan a particular application
     • Used along with the Active plug-ins
     • E.g.
       • Multi-step forms
       • Dynamic login functionality

  13. Passive Plug-ins
     • Passive analysis of web traffic to spot vulnerabilities
     • Ability to modify traffic based on custom logic
     • E.g.
       • Passwords sent over clear-text
       • Cookie and header analysis
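Passive checks never send their own requests; they only inspect what already flows through the proxy. Below is an added example of the two checks the slide names (clear-text passwords, cookie and header analysis) written as plain Python over a constructed list of captured exchanges. It is not IronWASP's passive plug-in API: the Exchange class, the check functions and the sample traffic are all assumptions made for this transcript, and request bodies are assumed to be form-urlencoded.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Added example of passive traffic checks; constructed for this transcript,
# not IronWASP's Session/Request classes or its PassivePlugin interface.


@dataclass
class Exchange:
    """One captured request/response pair (stand-in for a proxy log entry)."""
    method: str
    url: str
    body: str                 # assumed form-urlencoded when non-empty
    response_headers: list    # list of (name, value); repeated Set-Cookie survives


PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass", "secret"}


def check_cleartext_password(ex):
    """Flag password-like parameters in a request that travelled over plain HTTP."""
    parsed = urlparse(ex.url)
    if parsed.scheme != "http":
        return []
    params = dict(parse_qs(parsed.query))
    if ex.body:
        params.update(parse_qs(ex.body))
    return [
        {"check": "cleartext-password", "url": ex.url,
         "detail": f"parameter '{p}' sent over http"}
        for p in params if p.lower() in PASSWORD_PARAMS
    ]


def check_cookie_flags(ex):
    """Flag Set-Cookie headers that lack the Secure or HttpOnly attribute."""
    findings = []
    for name, value in ex.response_headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        missing = [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]
        if missing:
            findings.append({"check": "cookie-flags", "url": ex.url,
                             "detail": f"cookie '{cookie_name}' missing {', '.join(missing)}"})
    return findings


def check_hsts(ex):
    """Flag HTTPS responses that carry no Strict-Transport-Security header."""
    if urlparse(ex.url).scheme != "https":
        return []
    names = {name.lower() for name, _ in ex.response_headers}
    if "strict-transport-security" in names:
        return []
    return [{"check": "missing-hsts", "url": ex.url,
             "detail": "no Strict-Transport-Security header"}]


CHECKS = (check_cleartext_password, check_cookie_flags, check_hsts)


def run_passive_checks(exchanges):
    """Run every check over every captured exchange; nothing is sent anywhere."""
    findings = []
    for ex in exchanges:
        for check in CHECKS:
            findings.extend(check(ex))
    return findings


# Constructed sample traffic (hostname and values are made up for the example).
SAMPLE_EXCHANGES = [
    Exchange("POST", "http://shop.example/login", "user=alice&password=hunter2",
             [("Content-Type", "text/html")]),
    Exchange("GET", "https://shop.example/account", "",
             [("Set-Cookie", "SESSION=abc123; Path=/"), ("Content-Type", "text/html")]),
    Exchange("GET", "https://shop.example/", "",
             [("Set-Cookie", "csrf=xyz; Secure; HttpOnly; SameSite=Lax"),
              ("Strict-Transport-Security", "max-age=31536000")]),
]
```

Keeping each check as a small function that returns a list of findings is what makes a passive plug-in cheap to extend: a new header rule is one more function in CHECKS, and the sample exchanges double as a regression test for the rules already there.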

  14. Active Plug-ins
     • Automated vulnerability identification
     • Need to be explicitly called by the user
     • Fine-grained scanning support
     • E.g.
       • Cross-site Scripting, SQL Injection, etc.

  15. JavaScript Static Analysis
     • Taint analysis for finding DOM-based XSS
     • Identifies Sources and Sinks and traces them through the code
     • Custom Source and Sink objects can be configured
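To make the source-to-sink idea concrete, here is an added, deliberately small taint tracker for straight-line JavaScript, written in Python for this transcript; it is not IronWASP's analysis engine. It splits the script on semicolons, marks a variable tainted when its right-hand side mentions a configured source or an already tainted variable, iterates to a fixed point, and then reports every configured sink that is fed a tainted expression, together with the chain of variables that carried the taint. The source and sink lists are parameters, mirroring the slide's point that both can be customised; the default lists and the sample script are constructed for the example.

```python
import re

# Added example of source-to-sink taint tracking for DOM-based XSS.
# Constructed for this transcript; not IronWASP's JavaScript analysis engine.
# Limitations (deliberate, to keep it short): flow-insensitive, statements are
# split on ';' (so a ';' inside a string literal breaks a statement), and no
# understanding of functions, branches or sanitisers.

DEFAULT_SOURCES = ("location.hash", "location.search", "document.URL",
                   "document.referrer", "window.name")
DEFAULT_SINKS = ("innerHTML", "outerHTML", "document.write", "eval",
                 "setTimeout", "location.href")

IDENT = r"[A-Za-z_$][\w$]*"
# lhs = rhs, with an optional var/let/const prefix; (?!=) keeps '==' out.
ASSIGN_RE = re.compile(rf"^(?:(?:var|let|const)\s+)?(.+?)\s*=(?!=)\s*(.+)$")
# callee(args) as a whole statement, e.g. document.write(x) or eval(x)
CALL_RE = re.compile(rf"^({IDENT}(?:\.{IDENT})*)\s*\((.*)\)$")


def strip_strings(expr):
    """Blank out string literals so identifiers inside quotes are not counted."""
    return re.sub(r'"[^"]*"|\'[^\']*\'', '""', expr)


def taint_chain(expr, tainted, sources):
    """Return the chain of names that taints this expression, or None if clean."""
    expr = strip_strings(expr)
    for src in sources:
        if src in expr:
            return [src]
    for ident in re.findall(IDENT, expr):
        if ident in tainted:
            return tainted[ident]
    return None


def sink_for(target, sinks):
    """Match 'el.innerHTML' or 'window.location.href' against the sink list."""
    for sink in sinks:
        if target == sink or target.endswith("." + sink):
            return sink
    return None


def analyze(js, sources=DEFAULT_SOURCES, sinks=DEFAULT_SINKS):
    """Report each sink reached by a source, with the variable chain in between."""
    statements = [s.strip() for s in js.split(";") if s.strip()]

    # Phase 1: propagate taint through variable assignments until stable.
    tainted = {}
    changed = True
    while changed:
        changed = False
        for stmt in statements:
            m = ASSIGN_RE.match(stmt)
            if not m or not re.fullmatch(IDENT, m.group(1)):
                continue  # not a plain 'name = expr' assignment
            var, rhs = m.group(1), m.group(2)
            chain = taint_chain(rhs, tainted, sources)
            if chain and var not in tainted:
                tainted[var] = chain + [var]
                changed = True

    # Phase 2: look at property assignments and calls that target a sink.
    findings = []
    for stmt in statements:
        m = ASSIGN_RE.match(stmt)
        c = CALL_RE.match(stmt)
        if m and not re.fullmatch(IDENT, m.group(1)):
            target, expr = m.group(1), m.group(2)   # e.g. el.innerHTML = x
        elif c and not m:
            target, expr = c.group(1), c.group(2)   # e.g. eval(x)
        else:
            continue
        sink = sink_for(target, sinks)
        if sink is None:
            continue
        chain = taint_chain(expr, tainted, sources)
        if chain:
            findings.append({"sink": sink, "chain": chain + [sink], "statement": stmt})
    return findings


# Constructed sample script: one tainted path (location.hash -> q -> name ->
# innerHTML) and two clean sink uses that must not be reported.
SAMPLE_JS = """
var q = location.hash.substring(1);
var name = decodeURIComponent(q);
var safe = "hello";
document.getElementById("out").innerHTML = name;
document.getElementById("t").innerHTML = safe;
eval(safe);
"""
```

The reported chain is what makes a finding reviewable: a developer can follow `location.hash -> q -> name -> innerHTML` straight to the line that needs encoding or a safer DOM API. Passing an application's own wrapper (say, a custom URL-parameter helper) in `sources` is how a tester would extend the default list without touching the analysis itself.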

  16. Q’s, Comments, Feedback
     • Mailing list: http://groups.google.com/group/ironwasp
     • Lavakumar: @lavakumark / lava@ironwasp.org
     • Manish: @msaindane / manish@andlabs.org
     • Website: http://ironwasp.org

  17. Thanks to
     • Gotham Digital Science
     • The security community
     • Everyone who helped with testing and feedback: http://ironwasp.org/about.html#credits

  18. Q & A