The OWASP Foundation
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP London, 29th March 2012
IronWASP: Open Source Web App Testing Framework
Manish S. Saindane

WHOAMI
Sr. Security GDS Security London
Co-author of the security website/blog Attack & Defense Labs
Contributor to IronWASP; maintain the Ruby plug-in repo
Speaker at BlackHat EU 2010, InfoSecurity India 2007

What is IronWASP?
Open Source framework for Web Application Security Testing
Designed for an optimum mix of Manual and Automated Testing
Designed for Pentesters and QA folks
Allows designing customised penetration tests
Easy to use GUI and advanced scripting capability

Why IronWASP?
Customise penetration tests
Reduce retest efforts
Smart enough, but honest about its limitations
Provides complete freedom for the pentester to modify it as he/she sees fit

Key Components
Built-in Crawler + Scan Manager + Proxy
Integrated Python/Ruby Scripting Environment with the IronWASP API
(Iron)Python/Ruby based plug-ins:
Active plug-ins for scanning
Passive plug-ins for vulnerability detection
Format plug-ins for defining data formats
Session plug-ins to customise the scans
JavaScript Static Analysis Engine

IronWASP API
HTTP Request/Response classes
Scanner, Encoders/Decoders, other useful methods
HTML parsing
Complete access to IronWASP functionality
Documentation available in the GUI

Scripting Shell
One of the most exciting components of IronWASP
Python/Ruby scripting REPL
Full access to the framework through the IronWASP API
Programmatic analysis of logs, creating custom fuzzers from existing requests or crafting new requests, etc.

Plug-ins
Written in Python/Ruby using the IronWASP API
Easy to modify existing plug-ins
Can easily add new custom plug-ins
UI-based API documentation provided inside the tool
Syntax-highlighting Script Editor with basic error-checking support built in

Plug-ins
IronRuby plug-ins: ASP-Ruby-Plugins
IronPython plug-ins: ASP-Python-Plugins

Format Plug-ins
Deal with custom data formats in the Request/Response body
Used with the Active plug-ins to fuzz almost* any data format
E.g. WCF Binary, JSON, AMF, etc.
*Any data format that can be converted to XML and back
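The footnote is the important design constraint: a format plug-in only needs to map its format to XML and back, because the active plug-ins mutate the XML and let the format plug-in re-encode the result. The following example is added here to illustrate that contract for JSON in plain Python; it is not IronWASP's own code and does not use the IronWASP API (the function names, the "type" attribute convention and the sample body are this example's assumptions). The "type" attribute is what makes the round trip exact, since 3, "3", true and null would otherwise all collapse into element text.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample request body for this example (not taken from any real application).
SAMPLE_JSON = '{"user":{"name":"alice","tags":["a","b"]},"n":3,"ok":true,"x":null,"f":2.5}'


def json_to_xml(value, tag="root"):
    """Encode one JSON value as an element. The 'type' attribute records the JSON
    type so that xml_to_json can rebuild the value exactly."""
    el = ET.Element(tag)
    if isinstance(value, dict):
        el.set("type", "object")
        for key, item in value.items():
            child = json_to_xml(item, "item")
            child.set("key", key)
            el.append(child)
    elif isinstance(value, list):
        el.set("type", "array")
        for item in value:
            el.append(json_to_xml(item, "item"))
    elif value is None:
        el.set("type", "null")
    elif isinstance(value, bool):            # must precede the int check: bool subclasses int
        el.set("type", "bool")
        el.text = "true" if value else "false"
    elif isinstance(value, (int, float)):
        el.set("type", "number")
        el.text = repr(value)
    else:
        el.set("type", "string")
        el.text = value
    return el


def xml_to_json(el):
    """Inverse of json_to_xml, driven by the 'type' attribute."""
    kind = el.get("type")
    if kind == "object":
        return {child.get("key"): xml_to_json(child) for child in el}
    if kind == "array":
        return [xml_to_json(child) for child in el]
    if kind == "null":
        return None
    if kind == "bool":
        return el.text == "true"
    if kind == "number":
        return json.loads(el.text)
    return el.text or ""   # ElementTree returns None for an empty text node


def to_xml(body):
    """Format plug-in direction 1: request body (JSON text) -> XML text."""
    return ET.tostring(json_to_xml(json.loads(body)), encoding="unicode")


def from_xml(xml):
    """Format plug-in direction 2: XML text -> request body (compact JSON text)."""
    return json.dumps(xml_to_json(ET.fromstring(xml)), separators=(",", ":"))


def string_leaves(root):
    """The injection points an active plug-in iterates over: every string leaf, in document order."""
    return [el for el in root.iter() if el.get("type") == "string"]


def with_leaf_replaced(body, index, text):
    """Full round trip as the scanner would drive it: JSON -> XML, mutate one string leaf, XML -> JSON."""
    root = ET.fromstring(to_xml(body))
    string_leaves(root)[index].text = text
    return from_xml(ET.tostring(root, encoding="unicode"))


if __name__ == "__main__":
    print(to_xml(SAMPLE_JSON))
    print(with_leaf_replaced(SAMPLE_JSON, 0, "<probe>"))
```

Any format whose values can be labelled this way (WCF Binary, AMF and so on, as the slide lists) fits the same two-function contract; the scanner never needs to know the wire format, only the XML.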

Session Plug-ins
Every site has slight variations in authentication, session handling, CSRF protections, logic flow, etc.
Automated scanners usually do not understand this, but testers do!
Testers need to feed this info into the scanner

Session Plug-ins
Allow the tester to build the custom logic needed to scan a particular application
Used along with the Active plug-ins
E.g. multi-step forms, dynamic login functionality

Passive Plug-ins
Passive analysis of web traffic to spot vulnerabilities
Ability to modify traffic based on custom logic
E.g. passwords sent over clear-text, cookie and header analysis
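The two examples on the slide (passwords over clear-text, cookie analysis) are checks that need nothing but recorded traffic. The code below is an added illustration of that detection logic in plain Python, written for this page rather than taken from IronWASP, and it does not use the IronWASP API: the transaction dict layout, the function names and the two sample transactions are this example's own constructions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic for this example (no real site was captured). Each
# transaction is a plain dict; IronWASP's own Request/Response classes are not used.
SAMPLE_TRAFFIC = [
    {
        "method": "POST",
        "url": "http://shop.example/login",
        "req_headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "user=alice&password=hunter2",
        "resp_headers": [("Set-Cookie", "sid=abc123; Path=/")],
    },
    {
        "method": "GET",
        "url": "https://shop.example/account?token=xyz",
        "req_headers": {},
        "body": "",
        "resp_headers": [
            ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "prefs=dark; Path=/"),
        ],
    },
]

# Parameter-name fragments that usually carry a credential (heuristic; tune per application).
PASSWORD_PARAM_HINTS = ("pass", "pwd", "secret")


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_cleartext_credentials(txn):
    """Passwords sent over clear-text: a password-like parameter in the query string
    or form body of a request whose URL scheme is plain http."""
    findings = []
    url = urlsplit(txn["url"])
    if url.scheme != "http":
        return findings
    params = parse_qs(url.query, keep_blank_values=True)
    if txn["req_headers"].get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(txn["body"], keep_blank_values=True))
    for name in params:
        if any(hint in name.lower() for hint in PASSWORD_PARAM_HINTS):
            findings.append(f"cleartext credential: parameter '{name}' sent over http to {url.netloc}{url.path}")
    return findings


def check_cookie_flags(txn):
    """Cookie analysis: every Set-Cookie should carry HttpOnly, and Secure when served over https."""
    findings = []
    https = urlsplit(txn["url"]).scheme == "https"
    for header, value in txn["resp_headers"]:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' set without HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie '{name}' set over https without Secure")
        if not https:
            findings.append(f"cookie '{name}' set over plain http")
    return findings


def run_passive_checks(traffic):
    """Run every check over recorded traffic; nothing is sent, so this is safe on any log."""
    report = []
    for txn in traffic:
        for finding in check_cleartext_credentials(txn) + check_cookie_flags(txn):
            report.append((txn["method"], txn["url"], finding))
    return report


if __name__ == "__main__":
    for method, url, finding in run_passive_checks(SAMPLE_TRAFFIC):
        print(f"{method} {url}: {finding}")
```

Because these checks only read the proxy log, they can run over every transaction the crawler and the tester produce without adding a single request, which is what makes passive plug-ins cheap to leave switched on.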

Active Plug-ins
Automated vulnerability identification
Need to be explicitly called by the user
Fine-grained scanning support
E.g. Cross-site Scripting, SQL Injection, etc.

JavaScript Static Analysis
Taint analysis for finding DOM-based XSS
Identifies sources and sinks and traces them through the code
Custom source and sink objects can be configured
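To make the source-to-sink tracing concrete, here is an added example of the technique in plain Python: a deliberately small, flow-sensitive taint propagator over a toy JavaScript grammar (one statement per ';', assignments and bare calls only, string literals ignored). It is not IronWASP's engine and does not use the IronWASP API; the source and sink lists mirror the kind of configuration the slide mentions, the sanitizer names escapeHtml/encodeHTML are hypothetical, and the JavaScript snippet is constructed for this example.

```python
import re

# Configurable sources and sinks, in the spirit of the slide's "custom Source and Sink objects".
SOURCES = {"location.hash", "location.search", "location.href",
           "document.URL", "document.referrer", "window.name"}
SINK_CALLS = {"document.write", "document.writeln", "eval", "setTimeout", "setInterval"}
SINK_PROPS = {"innerHTML", "outerHTML"}          # assignment targets ending in these
SANITIZERS = {"escapeHtml", "encodeHTML"}         # hypothetical helper names for this example

STRING = re.compile(r'"[^"]*"|\'[^\']*\'')
TOKEN = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")
ASSIGN = re.compile(r"^(?:(?:var|let|const)\s+)?(.+?)\s*=(?!=)\s*(.+)$")
CALL = re.compile(r"^([\w$.]+)\s*\((.*)\)$")

# Constructed sample script for this example.
SAMPLE_JS = """
var q = location.hash.substring(1);
var name = decodeURIComponent(q);
document.getElementById("out").innerHTML = "<b>" + escapeHtml(name) + "</b>";
document.write("<h1>" + name + "</h1>");
var ref = document.referrer;
var msg = "Hello";
eval(ref);
msg = ref;
ref = "static";
eval(ref);
setTimeout(msg);
"""


def split_statements(js):
    """Toy splitter: blank out string literals, split on ';', normalise whitespace."""
    stripped = STRING.sub('""', js)
    return [" ".join(s.split()) for s in stripped.split(";") if s.strip()]


def taint_source(expr, tainted, sanitizers):
    """Name of the source reaching expr, or None. A sanitizer call with a flat
    argument list neutralises whatever it wraps; anything else propagates taint."""
    pattern = "|".join(re.escape(s) for s in sanitizers)
    if pattern:
        expr = re.sub(r"\b(?:%s)\([^()]*\)" % pattern, '""', expr)
    for tok in TOKEN.findall(expr):
        for src in SOURCES:
            if tok == src or tok.startswith(src + "."):   # e.g. location.hash.substring
                return src
        base = tok.split(".", 1)[0]                        # e.g. q in q.length
        if base in tainted:
            return tainted[base]
    return None


def analyze(js, sanitizers=SANITIZERS):
    """Single forward pass: assignments propagate (or clear) taint per variable,
    sinks fed by tainted data are reported as (statement_no, sink, source)."""
    tainted, findings = {}, []
    for no, stmt in enumerate(split_statements(js), 1):
        m = ASSIGN.match(stmt)
        if m:
            target, expr = m.groups()
            src = taint_source(expr, tainted, sanitizers)
            if target.rsplit(".", 1)[-1] in SINK_PROPS:
                if src:
                    findings.append((no, target, src))
            elif src:
                tainted[target] = src          # taint flows into the variable
            else:
                tainted.pop(target, None)      # overwritten with clean data
            continue
        m = CALL.match(stmt)
        if m and m.group(1) in SINK_CALLS:
            src = taint_source(m.group(2), tainted, sanitizers)
            if src:
                findings.append((no, m.group(1), src))
    return findings, tainted


if __name__ == "__main__":
    for no, sink, src in analyze(SAMPLE_JS)[0]:
        print(f"statement {no}: {src} reaches {sink}")
```

On the sample script the innerHTML write is cleared by the sanitizer, the reassignment of ref to a literal removes its taint before the second eval, and the three remaining flows (location.hash into document.write, document.referrer into eval and, via msg, into setTimeout) are reported. A real engine replaces the regex grammar with a proper parser and handles branches, functions and object properties, but the propagate-and-check loop is the same idea.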

Q's, Comments, Feedback
Mailing List:
Website:

Thanks to
Gotham Digital Science
The security community
Everyone who helped with testing and feedback

Q & A