The OWASP Foundation http://www.owasp.org. Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. OWASP London, 29th March 2012. IronWASP Open Source Web App Testing Framework. Manish S. Saindane [email protected]


Page 1: IronWASP Open Source Web App Testing Framework

The OWASP Foundation
http://www.owasp.org

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP London, 29th March 2012

IronWASP
Open Source Web App Testing Framework

Manish S. Saindane
[email protected]

Page 2: IronWASP Open Source Web App Testing Framework

WHOAMI
• Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)
• Co-author of the security website/blog Attack & Defense Labs (http://andlabs.org)
• Contributor to IronWASP; maintains the Ruby plug-in repo
• Speaker at BlackHat EU 2010, InfoSecurity India 2007

Page 3: IronWASP Open Source Web App Testing Framework

What is IronWASP?
• Open Source framework for Web Application Security Testing
• Designed for an optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Allows designing customised penetration tests
• Easy-to-use GUI and advanced scripting capability

Page 4: IronWASP Open Source Web App Testing Framework

Why IronWASP?
• Customise penetration tests
• Reduce retest efforts
• Smart enough, but honest about its limitations
• Provides complete freedom for the pentester to modify it as he/she sees fit

Page 5: IronWASP Open Source Web App Testing Framework

Key Components
• Built-in Crawler + Scan Manager + Proxy
• Integrated Python/Ruby Scripting Environment with IronWASP API
• (Iron)Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• JavaScript Static Analysis Engine

Page 6: IronWASP Open Source Web App Testing Framework

IronWASP API
• HTTP Request/Response Classes
• Scanner, Encoders/Decoders, other useful methods
• HTML Parsing
• Complete access to IronWASP functionality
• Documentation available in GUI

Page 7: IronWASP Open Source Web App Testing Framework

Scripting Shell
• One of the most exciting components of IronWASP
• Python/Ruby scripting REPL
• Full access to the framework with IronWASP API
• Programmatic analysis of logs, creating custom fuzzers from existing requests or crafting new requests, etc.

Page 8: IronWASP Open Source Web App Testing Framework

Plug-ins
• Written in Python/Ruby using the IronWASP API
• Easy to modify existing plug-ins
• Can easily add new custom plug-ins
• UI-based API doc provided inside the tool
• Syntax-highlighting Script Editor with basic error checking support built in

Page 9: IronWASP Open Source Web App Testing Framework

Plug-ins
• IronRuby plug-ins: https://github.com/msaindane/IronWASP-Ruby-Plugins
• IronPython plug-ins: https://github.com/Lavakumar/IronWASP-Python-Plugins

Page 10: IronWASP Open Source Web App Testing Framework

Format Plug-ins
• Deal with custom data formats in the Request/Response body
• Used with the Active plug-ins to fuzz almost* any data format
• E.g. WCF Binary, JSON, AMF, etc.

*Any data format that can be converted to XML and back
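The "to XML and back" footnote is the whole contract of a format plug-in: the scanner only knows how to walk an XML tree and mutate leaves, so a format is fuzzable as soon as it can be turned into XML losslessly and reconstructed afterwards. The example below is added here to show that round trip for JSON; it is not IronWASP's own format plug-in API, and it assumes JSON keys are valid XML tag names. The sample body and the `PROBE` marker are constructed.

```python
import json
import xml.etree.ElementTree as ET

# Hypothetical format plug-in for JSON bodies (not IronWASP's own code): it
# follows the slide's contract that a format is fuzzable if it can be turned
# into XML and back. JSON keys are assumed to be valid XML tag names.

def json_to_xml(data, tag="root"):
    """Convert a parsed JSON value into an XML element, recording its type."""
    elem = ET.Element(tag)
    if isinstance(data, dict):
        elem.set("type", "object")
        for key, value in data.items():
            elem.append(json_to_xml(value, key))
    elif isinstance(data, list):
        elem.set("type", "array")
        for value in data:
            elem.append(json_to_xml(value, "item"))
    elif isinstance(data, bool):          # bool before int: bool is an int subclass
        elem.set("type", "bool")
        elem.text = "true" if data else "false"
    elif data is None:
        elem.set("type", "null")
    elif isinstance(data, (int, float)):
        elem.set("type", "number")
        elem.text = repr(data)
    else:
        elem.set("type", "string")
        elem.text = data
    return elem

def xml_to_json(elem):
    """Inverse of json_to_xml, driven by the recorded type attribute."""
    kind = elem.get("type")
    if kind == "object":
        return {child.tag: xml_to_json(child) for child in elem}
    if kind == "array":
        return [xml_to_json(child) for child in elem]
    if kind == "bool":
        return elem.text == "true"
    if kind == "null":
        return None
    if kind == "number":
        text = elem.text
        return int(text) if text.lstrip("-").isdigit() else float(text)
    return elem.text or ""     # an empty string comes back as None from the parser

def roundtrip(body):
    """Serialise to real XML bytes and parse back, as a scan pipeline would."""
    xml_bytes = ET.tostring(json_to_xml(json.loads(body)))
    return xml_to_json(ET.fromstring(xml_bytes))

def fuzz_points(root):
    """Yield (path, element) for every scalar leaf an active plug-in could mutate."""
    def walk(elem, path):
        if elem.get("type") in ("object", "array"):
            for i, child in enumerate(elem):
                yield from walk(child, f"{path}/{child.tag}[{i}]")
        elif elem.get("type") != "null":
            yield path, elem
    yield from walk(root, root.tag)

def mutated_bodies(body, payload):
    """Return (path, body) pairs: the body with one leaf replaced by payload each."""
    paths = [p for p, _ in fuzz_points(json_to_xml(json.loads(body)))]
    out = []
    for path in paths:
        tree = json_to_xml(json.loads(body))       # fresh tree per mutation
        target = dict(fuzz_points(tree))[path]
        target.set("type", "string")
        target.text = payload
        out.append((path, json.dumps(xml_to_json(tree), separators=(",", ":"))))
    return out

SAMPLE_BODY = '{"user":"bob","age":30,"tags":["a","b"],"admin":false}'   # constructed

if __name__ == "__main__":
    for path, mutated in mutated_bodies(SAMPLE_BODY, "PROBE"):
        print(path, mutated)
```

The type attribute is what makes the conversion lossless: without it, `30`, `"30"`, `false` and `null` would all collapse to text on the way back, and the mutated request would no longer be valid for the application's parser.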

Page 11: IronWASP Open Source Web App Testing Framework

Session Plug-ins
• Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc.
• Automated Scanners usually do not understand this, but testers do!
• Testers need to feed this info into the Scanner

Page 12: IronWASP Open Source Web App Testing Framework

Session Plug-ins
• Allows the tester to build custom logic needed to scan a particular application
• Used along with the Active plug-ins
• E.g. Multi-step forms, Dynamic login functionality
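The two slides above describe the problem a session plug-in solves: a scanner that just replays a form gets bounced by the login redirect or the CSRF check, while a tester knows the login flow and where the token lives. The example below is added here to make that concrete; it is not IronWASP's session plug-in API. `FakeApp` is a constructed stand-in for a target with a dynamic login form and rotating per-form CSRF tokens, and `SessionHandler` is the hypothetical plug-in logic that wraps every scanner request.

```python
import re
import secrets

# Constructed stand-in for a target application: dynamic login form, session
# cookie, and a CSRF token that rotates after every request. Exists only so
# the example runs offline; it is not a real application.
class FakeApp:
    def __init__(self):
        self.sessions = {}        # session id -> {"csrf": current token}
        self.login_tokens = set()

    def handle(self, req):
        path, cookies, params = req["path"], req.get("cookies", {}), req.get("params", {})
        if path == "/login" and req["method"] == "GET":
            tok = secrets.token_hex(8)
            self.login_tokens.add(tok)
            return {"status": 200, "body": f'<input name="csrf" value="{tok}">'}
        if path == "/login" and req["method"] == "POST":
            if params.get("csrf") not in self.login_tokens or params.get("pw") != "s3cret":
                return {"status": 403, "body": "bad login"}
            self.login_tokens.discard(params["csrf"])
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"csrf": secrets.token_hex(8)}
            return {"status": 302, "cookies": {"sid": sid}, "body": ""}
        sess = self.sessions.get(cookies.get("sid"))
        if sess is None:
            return {"status": 302, "headers": {"Location": "/login"}, "body": ""}
        if req["method"] == "POST" and params.get("csrf") != sess["csrf"]:
            return {"status": 403, "body": "csrf mismatch"}
        sess["csrf"] = secrets.token_hex(8)          # token rotates on every hit
        return {"status": 200, "body": f'ok <input name="csrf" value="{sess["csrf"]}">'}


class SessionHandler:
    """Hypothetical session plug-in: makes each scanner request authenticated
    and carrying the CSRF token the application currently expects."""
    TOKEN_RE = re.compile(r'name="csrf" value="([0-9a-f]+)"')

    def __init__(self, app, user, pw):
        self.app, self.user, self.pw = app, user, pw
        self.cookies = {}
        self.logins = 0        # how often the handler had to re-authenticate

    def login(self):
        page = self.app.handle({"method": "GET", "path": "/login"})
        tok = self.TOKEN_RE.search(page["body"]).group(1)
        resp = self.app.handle({"method": "POST", "path": "/login",
                                "params": {"user": self.user, "pw": self.pw, "csrf": tok}})
        self.cookies = dict(resp.get("cookies", {}))
        self.logins += 1
        return resp["status"] == 302

    def send(self, req):
        """Send a scanner-crafted request; on redirect-to-login re-authenticate
        once and retry; before a POST fetch the page to pick up a fresh token."""
        for _ in range(2):
            req = dict(req, cookies=dict(self.cookies))
            if req["method"] == "POST":
                page = self.app.handle({"method": "GET", "path": req["path"],
                                        "cookies": req["cookies"]})
                m = self.TOKEN_RE.search(page.get("body", ""))
                if m:
                    req["params"] = dict(req.get("params", {}), csrf=m.group(1))
            resp = self.app.handle(req)
            if resp["status"] == 302 and resp.get("headers", {}).get("Location") == "/login":
                self.login()
                continue
            return resp
        return resp


def naive_scan(app):
    """A scanner with no session logic just posts the form; the app bounces it."""
    return app.handle({"method": "POST", "path": "/profile", "params": {"bio": "hello"}})["status"]

def run_scan():
    """Two scanner POSTs through the handler, with a session expiry in between."""
    app = FakeApp()
    handler = SessionHandler(app, "tester", "s3cret")
    r1 = handler.send({"method": "POST", "path": "/profile", "params": {"bio": "hello"}})
    app.sessions.clear()      # simulate server-side session expiry mid-scan
    r2 = handler.send({"method": "POST", "path": "/profile", "params": {"bio": "again"}})
    return r1["status"], r2["status"], handler.logins

if __name__ == "__main__":
    print("without session logic:", naive_scan(FakeApp()))
    print("with session handler (status1, status2, logins):", run_scan())
```

The scanner's own parameters (`bio` here) pass through untouched; the handler only adds what the application's flow requires, which is exactly the split the slides describe between the active plug-in and the session plug-in.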

Page 13: IronWASP Open Source Web App Testing Framework

Passive Plug-ins
• Passive analysis of Web traffic to spot vulnerabilities
• Ability to modify traffic based on custom logic
• E.g. Passwords sent over clear-text, Cookie and Header analysis
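The Scripting Shell slide mentions programmatic analysis of logs, and this slide lists the checks a passive plug-in typically runs: passwords over clear-text, cookie and header analysis. The example below is added here to serve both; it is not IronWASP's plug-in API. It parses raw HTTP messages from a constructed proxy log and runs three read-only checks over each request/response pair. The hostnames, cookie values and credentials in `TRAFFIC` are made up.

```python
from urllib.parse import parse_qs

# Constructed proxy log: (scheme, raw request, raw response) triples. The
# checks below are a hypothetical passive plug-in, not IronWASP's own code.
TRAFFIC = [
    ("http",
     "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2",
     "HTTP/1.1 302 Found\r\nSet-Cookie: sid=abc123; Path=/\r\nLocation: /account\r\n\r\n"),
    ("https",
     "GET /account HTTP/1.1\r\nHost: shop.example\r\nCookie: sid=abc123\r\n\r\n",
     "HTTP/1.1 200 OK\r\nSet-Cookie: pref=dark; Secure; HttpOnly\r\n"
     "Content-Type: text/html\r\n\r\n<html>ok</html>"),
]

PASSWORD_PARAMS = {"password", "passwd", "pwd", "pass"}

def parse_message(raw):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def check_cleartext_password(scheme, req_line, body):
    """Flag password-like parameters in a request that did not travel over TLS."""
    if scheme == "https":
        return []
    path = req_line.split(" ")[1]
    fields = set(parse_qs(body)) | set(parse_qs(path.partition("?")[2]))
    return [f"password parameter '{f}' sent over cleartext HTTP"
            for f in sorted(fields) if f.lower() in PASSWORD_PARAMS]

def check_cookies(scheme, headers):
    """Flag Set-Cookie headers missing HttpOnly, or Secure on an HTTPS response."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie '{cname}' lacks HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie '{cname}' lacks Secure")
    return findings

def check_headers(scheme, headers):
    """Flag missing transport and framing protections."""
    present = {name for name, _ in headers}
    findings = []
    if scheme == "https" and "strict-transport-security" not in present:
        findings.append("response lacks Strict-Transport-Security")
    if not present & {"x-frame-options", "content-security-policy"}:
        findings.append("response lacks framing protection (X-Frame-Options / CSP)")
    return findings

def run_passive_checks(traffic):
    """Run every check over each captured exchange; return (index, request line, finding)."""
    report = []
    for i, (scheme, raw_req, raw_resp) in enumerate(traffic):
        req_line, _, req_body = parse_message(raw_req)
        _, resp_headers, _ = parse_message(raw_resp)
        for finding in (check_cleartext_password(scheme, req_line, req_body)
                        + check_cookies(scheme, resp_headers)
                        + check_headers(scheme, resp_headers)):
            report.append((i, req_line, finding))
    return report

if __name__ == "__main__":
    for index, req_line, finding in run_passive_checks(TRAFFIC):
        print(f"#{index} {req_line}: {finding}")
```

Nothing here sends traffic; a passive check only reads what the proxy already captured, which is why it can run on every request without the explicit invocation that active plug-ins require.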

Page 14: IronWASP Open Source Web App Testing Framework

Active Plug-ins
• Automated vulnerability identification
• Need to be explicitly called by the user
• Fine-grained scanning support
• E.g. Cross-site Scripting, SQL Injection, etc.

Page 15: IronWASP Open Source Web App Testing Framework

JavaScript Static Analysis
• Taint analysis for finding DOM-based XSS
• Identifies Sources and Sinks and traces them through the code
• Custom Source and Sink objects can be configured
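The three bullets above are the shape of every taint analysis: a set of sources (attacker-influenced values such as `location.hash`), a set of sinks (places where a string becomes code or markup, such as `innerHTML`), and propagation through assignments until a tainted value reaches a sink. The example below is added here to show that mechanism on a deliberately tiny JavaScript subset (one statement per line, no scoping); it is not IronWASP's engine. `escapeHtml` is an assumed sanitizer name, and `SAMPLE_JS` is constructed.

```python
import re

# Hypothetical, deliberately small taint tracker for a JavaScript subset (one
# statement per line, no scoping, simple assignments and calls). It is an
# illustration of the source/sink idea, not IronWASP's analysis engine.
DEFAULT_SOURCES = {"location.hash", "location.search", "document.URL",
                   "document.referrer", "window.name"}
DEFAULT_SINKS = {"innerHTML", "outerHTML", "document.write", "eval", "setTimeout"}
DEFAULT_SANITIZERS = {"encodeURIComponent", "escapeHtml"}   # escapeHtml is assumed

ASSIGN_RE = re.compile(
    r'^\s*(?:(?:var|let|const)\s+)?(.+?)\s*(?<![=!<>])=(?!=)\s*(.+?);?\s*$')
CALL_RE = re.compile(r'([A-Za-z_$][\w$.]*)\s*\((.*)\)')
IDENT_RE = re.compile(r'[A-Za-z_$][\w$.]*')

def taint_of(expr, tainted, sources, sanitizers):
    """Return (source, trail) if expr carries tainted data, else None."""
    if any(s + "(" in expr for s in sanitizers):
        return None                      # wrapped in a sanitizer: treated as clean
    for tok in IDENT_RE.findall(expr):
        if tok in sources:
            return (tok, [])
        if tok in tainted:
            return tainted[tok]
        for s in sources:                # e.g. location.hash.substring(1)
            if tok.startswith(s + "."):
                return (s, [])
    return None

def analyze(js, sources=DEFAULT_SOURCES, sinks=DEFAULT_SINKS,
            sanitizers=DEFAULT_SANITIZERS):
    """Trace sources to sinks; return one finding per sink reached, with the
    line trail the tainted value travelled."""
    tainted = {}                         # variable -> (source, line trail)
    findings = []
    for n, line in enumerate(js.splitlines(), 1):
        code = line.split("//")[0].strip()      # drop line comments (toy rule)
        if not code:
            continue
        m = ASSIGN_RE.match(code)
        if m:
            lhs, rhs = m.groups()
            origin = taint_of(rhs, tainted, sources, sanitizers)
            sink = next((s for s in sinks if lhs == s or lhs.endswith("." + s)), None)
            if sink and origin:
                findings.append({"sink": sink, "source": origin[0],
                                 "trail": origin[1] + [n]})
            elif origin:
                tainted[lhs] = (origin[0], origin[1] + [n])
            else:
                tainted.pop(lhs, None)   # overwritten with clean data
            continue
        c = CALL_RE.search(code)
        if c and c.group(1) in sinks:
            origin = taint_of(c.group(2), tainted, sources, sanitizers)
            if origin:
                findings.append({"sink": c.group(1), "source": origin[0],
                                 "trail": origin[1] + [n]})
    return findings

SAMPLE_JS = """\
var h = location.hash.substring(1);   // source
var name = decodeURIComponent(h);     // taint propagates through the decode
var safe = escapeHtml(name);          // sanitized copy
document.getElementById("out").innerHTML = name;
document.getElementById("other").innerHTML = safe;
var q = document.URL;
eval("handle(" + q + ")");
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_JS):
        print(f"{f['source']} -> {f['sink']} via lines {f['trail']}")
```

Passing different `sources` and `sinks` sets to `analyze` is the configurable-source-and-sink idea from the last bullet: an application-specific getter or templating call is added to the sets rather than to the engine.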

Page 16: IronWASP Open Source Web App Testing Framework

Q's, Comments, Feedback
• Mailing List: http://groups.google.com/group/ironwasp
• Lavakumar: @lavakumark / [email protected]
• Manish: @msaindane / [email protected]
• Website: http://ironwasp.org

Page 17: IronWASP Open Source Web App Testing Framework

Thanks to
• Gotham Digital Science
• The security community
• Everyone who helped with testing and feedback
http://ironwasp.org/about.html#credits

Page 18: IronWASP Open Source Web App Testing Framework


Q & A ??
