OWASP London, 29 th March 2012. IronWASP Open Source Web App Testing Framework. Manish S. Saindane [email protected]. WHOAMI. Sr. Security Consultant @ GDS Security London ( http://www.gdssecurity.com/ ) Co-author security website/blog Attack & Defense Labs ( http://andlabs.org ) - PowerPoint PPT Presentation
The OWASP Foundationhttp://www.owasp.org
Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP London, 29th March 2012
IronWASP
Open Source Web App Testing Framework
Manish S. Saindane, [email protected]
WHOAMI
• Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)
• Co-author of the security website/blog Attack & Defense Labs (http://andlabs.org)
• Contributor to IronWASP; maintains the Ruby plug-in repo
• Speaker at BlackHat EU 2010, InfoSecurity India 2007
What is IronWASP?
• Open Source framework for Web Application Security Testing
• Designed for an optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Allows designing customised penetration tests
• Easy to use GUI and Advanced scripting capability
Why IronWASP?
• Customise penetration tests
• Reduce retest efforts
• Smart enough but honest about its limitations
• Provide complete freedom for the pentester to modify it as he/she sees fit
Key Components
• Built-in Crawler + Scan Manager + Proxy
• Integrated Python/Ruby Scripting Environment with IronWASP API
• (Iron)Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• JavaScript Static Analysis Engine
IronWASP API
• HTTP Request/Response Classes
• Scanner, Encoders/Decoders, Other useful methods
• HTML Parsing
• Complete access to IronWASP functionality
• Documentation available in GUI
Scripting Shell
• One of the most exciting components of IronWASP
• Python/Ruby scripting REPL
• Full access to the framework with the IronWASP API
• Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc.
Plug-ins
• Written in Python/Ruby using the IronWASP API
• Easy to modify existing plug-ins
• Can easily add new custom plug-ins
• UI based API doc provided inside the tool
• Syntax highlighting Script Editor with basic error checking support built-in
Plug-ins
• IronRuby plug-ins: https://github.com/msaindane/IronWASP-Ruby-Plugins
• IronPython plug-ins: https://github.com/Lavakumar/IronWASP-Python-Plugins
Format Plug-ins
• Deal with custom data formats in the Request/Response body
• Used with the Active plug-ins to fuzz almost* any data format
• E.g. WCF Binary, JSON, AMF, etc.
*Any data format that can be converted to XML and back
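The footnote states the design rule behind format plug-ins: once a body can be mapped to XML and back without loss, the same fuzzing logic can walk the XML tree and inject into every leaf, whatever the wire format. The Python below is an added example, not code from the slides or from IronWASP (whose plug-ins use IronPython and the IronWASP API, which this standalone snippet does not touch): a lossless JSON-to-XML mapping, its inverse, and a fuzz_leaves helper that uses the XML tree to produce one mutated body per scalar value, the injection points an active plug-in would try in turn. SAMPLE_JSON is a constructed request body.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample request body; not taken from the slides or from IronWASP.
SAMPLE_JSON = '{"user": "alice", "admin": false, "prefs": {"theme": "dark", "ids": [1, 2.5]}}'

def json_to_xml(value, tag="root", name=None):
    """Map a parsed JSON value onto an XML element. Object members become
    <field name=...>, list items <item>; the JSON type goes into a 'type'
    attribute so the reverse mapping rebuilds exactly the same structure."""
    elem = ET.Element(tag, type="string")
    if name is not None:
        elem.set("name", name)  # keys live in an attribute, so any key is safe
    if isinstance(value, dict):
        elem.set("type", "object")
        elem.extend(json_to_xml(v, "field", k) for k, v in value.items())
    elif isinstance(value, list):
        elem.set("type", "array")
        elem.extend(json_to_xml(v, "item") for v in value)
    elif isinstance(value, str):
        elem.text = value
    else:  # null, true/false and numbers keep their JSON spelling as text
        elem.set("type", "scalar")
        elem.text = json.dumps(value)
    return elem

def xml_to_json(elem):
    """Inverse of json_to_xml, driven by the 'type' attribute."""
    t = elem.get("type")
    if t == "object":
        return {c.get("name"): xml_to_json(c) for c in elem}
    if t == "array":
        return [xml_to_json(c) for c in elem]
    if t == "scalar":
        return json.loads(elem.text)
    return elem.text or ""  # an empty string round-trips as an empty element

def fuzz_leaves(json_text, payload):
    """Return one mutated body per leaf, each with payload in exactly that leaf:
    the injection points an active plug-in would work through one at a time."""
    root = ET.fromstring(ET.tostring(json_to_xml(json.loads(json_text))))
    bodies = []
    for leaf in [e for e in root.iter() if e.get("type") in ("string", "scalar")]:
        saved_type, saved_text = leaf.get("type"), leaf.text
        leaf.set("type", "string")
        leaf.text = payload
        bodies.append(json.dumps(xml_to_json(root)))
        leaf.set("type", saved_type)  # restore so the next leaf is fuzzed alone
        leaf.text = saved_text
    return bodies
```

Going through ET.tostring and ET.fromstring in fuzz_leaves is deliberate: it proves the mapping survives real XML text, not just an in-memory tree.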
Session Plug-ins
• Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc.
• Automated Scanners usually do not understand this, but testers do!
• Testers need to feed this info into the Scanner
Session Plug-ins
• Allow the tester to build the custom logic needed to scan a particular application
• Used along with the Active plug-ins
• E.g. Multi-step forms, Dynamic login functionality
Passive Plug-ins
• Passive analysis of Web traffic to spot vulnerabilities
• Ability to modify traffic based on custom logic
• E.g. Passwords sent over clear-text, Cookie and Header analysis
Active Plug-ins
• Automated vulnerability identification
• Need to be explicitly called by the user
• Fine grained scanning support
• E.g. Cross-site Scripting, SQL Injection, etc.
JavaScript Static Analysis
• Taint analysis for finding DOM based XSS
• Identifies Sources and Sinks and traces them through the code
• Custom Source and Sink objects can be configured

Q's, Comments, Feedback
• Mailing List: http://groups.google.com/group/ironwasp
• Lavakumar: @lavakumark / [email protected]
• Manish: @msaindane / [email protected]
• Website: http://ironwasp.org
Thanks to
• Gotham Digital Science
• The security community
• Everyone who helped with testing and feedback (http://ironwasp.org/about.html#credits)
Q & A ??