Presentation is loading. Please wait.

Presentation is loading. Please wait.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Similar presentations


Presentation on theme: "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."— Presentation transcript:

1 The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP London, 29 th March 2012 IronWASP Open Source Web App Testing Framework Manish S. Saindane

2 WHOAMI Sr. Security GDS Security London (http://www.gdssecurity.com/)http://www.gdssecurity.com/ Co-author security website/blog Attack & Defense Labs (http://andlabs.org)http://andlabs.org Contributor to IronWASP and maintain the Ruby plug-in repo. Speaker at BlackHat EU 2010, InfoSecurity India 2007

3 3 What is IronWASP? Open Source framework for Web Application Security Testing Designed for optimum mix of Manual and Automated Testing Designed for Pentesters and QA folks Allows designing customised penetration tests Easy to use GUI and Advanced scripting capability

4 Why IronWASP? Customise penetration tests Reduce retest efforts Smart enough but honest about its limitations Provide complete freedom for the pentester to modify it as he/she sees fit 4

5 Key Components Built-in Crawler + Scan Manager + Proxy Integrated Python/Ruby Scripting Environment with IronWASP API (Iron)Python/Ruby based plug-ins Active plug-ins for Scanning Passive plug-ins for vulnerability detection Format plug-ins for defining data formats Session plug-ins to customise the scans JavaScript Static Analysis Engine 5

6 IronWASP API HTTP Request/Response Classes Scanner, Encoders/Decoders, Other useful methods HTML Parsing Complete access to IronWASP functionality Documentation available in GUI 6

7 Scripting Shell One of the most exiting component of IronWASP Python/Ruby scripting REPL Full access to the framework with IronWASP API Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc. 7

8 Plug-ins Written in Python/Ruby using the IronWASP API Easy to modify existing plug-ins Can easily add new custom plug-ins UI based API doc provided inside the tool Syntax highlighting Script Editor with basic error checking support built-in 8

9 Plug-ins IronRuby plug-ins: https://github.com/msaindane/IronW ASP-Ruby-Plugins https://github.com/msaindane/IronW ASP-Ruby-Plugins IronPython plug-ins: https://github.com/Lavakumar/IronW ASP-Python-Plugins https://github.com/Lavakumar/IronW ASP-Python-Plugins 9

10 Format Plug-ins Deal with custom data formats in the Request/Response body Used with the Active plug-ins to fuzz almost* any data format E.g. WCF Binary, JSON, AMF, etc. 10 *Any data format that can be converted to XML and back

11 Session Plug-ins Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc. Automated Scanners usually do not understand this but testers do ! Testers need to feed this info into the Scanner 11

12 Session Plug-ins Allows the tester to build custom logic needed to scan a particular application Used along with the Active plug-ins E.g. Multi-step forms Dynamic login functionality 12

13 Passive Plug-ins Passive analysis of Web traffic and spot vulnerabilities Ability to modify traffic based on custom logic E.g. Passwords sent over clear-text Cookie and Header analysis 13

14 Active Plug-ins Automated vulnerability identification Need to be explicitly called by the user Fine grained scanning support E.g. Cross-site Scripting, SQL Injection, etc. 14

15 JavaScript Static Analysis Taint analysis for finding DOM based XSS Identifies Sources and Sinks and traces them through the code Custom Source and Sink objects can be configured 15

16 Q’s, Comments, Feedback Mailing List: sp sp / / Website: 16

17 Thanks to Gotham Digital Science The security community Everyone who helped with testing and feedback 17

18 The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Q & A ?? 18


Download ppt "The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under."

Similar presentations


Ads by Google