Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Published byMckayla Fairweather Modified over 9 years ago

Similar presentations

Presentation on theme: "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."— Presentation transcript:

1 The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP London, 29 th March 2012 IronWASP Open Source Web App Testing Framework Manish S. Saindane manish@andlabs.org

2 WHOAMI Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)http://www.gdssecurity.com/ Co-author security website/blog Attack & Defense Labs (http://andlabs.org)http://andlabs.org Contributor to IronWASP and maintain the Ruby plug-in repo. Speaker at BlackHat EU 2010, InfoSecurity India 2007

3 3 What is IronWASP? Open Source framework for Web Application Security Testing Designed for optimum mix of Manual and Automated Testing Designed for Pentesters and QA folks Allows designing customised penetration tests Easy to use GUI and Advanced scripting capability

4 Why IronWASP? Customise penetration tests Reduce retest efforts Smart enough but honest about its limitations Provide complete freedom for the pentester to modify it as he/she sees fit 4

5 Key Components Built-in Crawler + Scan Manager + Proxy Integrated Python/Ruby Scripting Environment with IronWASP API (Iron)Python/Ruby based plug-ins Active plug-ins for Scanning Passive plug-ins for vulnerability detection Format plug-ins for defining data formats Session plug-ins to customise the scans JavaScript Static Analysis Engine 5

6 IronWASP API HTTP Request/Response Classes Scanner, Encoders/Decoders, Other useful methods HTML Parsing Complete access to IronWASP functionality Documentation available in GUI 6

7 Scripting Shell One of the most exiting component of IronWASP Python/Ruby scripting REPL Full access to the framework with IronWASP API Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc. 7

8 Plug-ins Written in Python/Ruby using the IronWASP API Easy to modify existing plug-ins Can easily add new custom plug-ins UI based API doc provided inside the tool Syntax highlighting Script Editor with basic error checking support built-in 8

9 Plug-ins IronRuby plug-ins: https://github.com/msaindane/IronW ASP-Ruby-Plugins https://github.com/msaindane/IronW ASP-Ruby-Plugins IronPython plug-ins: https://github.com/Lavakumar/IronW ASP-Python-Plugins https://github.com/Lavakumar/IronW ASP-Python-Plugins 9

10 Format Plug-ins Deal with custom data formats in the Request/Response body Used with the Active plug-ins to fuzz almost* any data format E.g. WCF Binary, JSON, AMF, etc. 10 *Any data format that can be converted to XML and back

11 Session Plug-ins Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc. Automated Scanners usually do not understand this but testers do ! Testers need to feed this info into the Scanner 11

12 Session Plug-ins Allows the tester to build custom logic needed to scan a particular application Used along with the Active plug-ins E.g. Multi-step forms Dynamic login functionality 12

13 Passive Plug-ins Passive analysis of Web traffic and spot vulnerabilities Ability to modify traffic based on custom logic E.g. Passwords sent over clear-text Cookie and Header analysis 13

14 Active Plug-ins Automated vulnerability identification Need to be explicitly called by the user Fine grained scanning support E.g. Cross-site Scripting, SQL Injection, etc. 14

15 JavaScript Static Analysis Taint analysis for finding DOM based XSS Identifies Sources and Sinks and traces them through the code Custom Source and Sink objects can be configured 15

16 Q’s, Comments, Feedback Mailing List: http://groups.google.com/group/ironwa sp http://groups.google.com/group/ironwa sp Lavakumar: @lavakumark / lava@ironwasp.org lava@ironwasp.org Manish: @msaindane / manish@andlabs.org manish@andlabs.org Website: http://ironwasp.orghttp://ironwasp.org 16

17 Thanks to Gotham Digital Science The security community Everyone who helped with testing and feedback http://ironwasp.org/about.html#credits http://ironwasp.org/about.html#credits 17

18 The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Q & A ?? 18

Download ppt "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.

Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
OWASP Xenotix XSS Exploit Framework

OWASP Xenotix XSS Exploit Framework
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Penetration testing – W3AF Tool

Penetration testing – W3AF Tool
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.

Similar presentations

Ads by Google