OWASP The OWASP Foundation http://www.owasp.org London, 29th March 2012 IronWASP Open Source Web App Testing Framework Manish S.


OWASP
The OWASP Foundation
http://www.owasp.org
London, 29th March 2012
IronWASP
Open Source Web App Testing Framework
Manish S. Saindane
[email protected]
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
WHOAMI
• Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)
• Co-author of the security website/blog Attack & Defense Labs (http://andlabs.org)
• Contributor to IronWASP and maintainer of the Ruby plug-in repo
• Speaker at BlackHat EU 2010, InfoSecurity India 2007
What is IronWASP?
• Open Source framework for Web Application Security Testing
• Designed for optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Allows designing customised penetration tests
• Easy to use GUI and Advanced scripting capability
Why IronWASP?
• Customise penetration tests
• Reduce retest efforts
• Smart enough but honest about its limitations
• Provide complete freedom for the pentester to modify it as he/she sees fit
Key Components
• Built-in Crawler + Scan Manager + Proxy
• Integrated Python/Ruby Scripting Environment with IronWASP API
• (Iron)Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• JavaScript Static Analysis Engine
IronWASP API
• HTTP Request/Response Classes
• Scanner, Encoders/Decoders, Other useful methods
• HTML Parsing
• Complete access to IronWASP functionality
• Documentation available in GUI
Scripting Shell
• One of the most exciting components of IronWASP
• Python/Ruby scripting REPL
• Full access to the framework with IronWASP API
• Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc.
Plug-ins
• Written in Python/Ruby using the IronWASP API
• Easy to modify existing plug-ins
• Can easily add new custom plug-ins
• UI based API doc provided inside the tool
• Syntax highlighting Script Editor with basic error checking support built-in
Plug-ins
• IronRuby plug-ins: https://github.com/msaindane/IronWASP-Ruby-Plugins
• IronPython plug-ins: https://github.com/Lavakumar/IronWASP-Python-Plugins
Format Plug-ins
• Deal with custom data formats in the Request/Response body
• Used with the Active plug-ins to fuzz almost* any data format
• E.g. WCF Binary, JSON, AMF, etc.
*Any data format that can be converted to XML and back
Session Plug-ins
• Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc.
• Automated Scanners usually do not understand this, but testers do!
• Testers need to feed this info into the Scanner
Session Plug-ins
• Allows the tester to build custom logic needed to scan a particular application
• Used along with the Active plug-ins
• E.g.
• Multi-step forms
• Dynamic login functionality
Passive Plug-ins
• Passive analysis of Web traffic to spot vulnerabilities
• Ability to modify traffic based on custom logic
• E.g.
• Passwords sent over clear-text
• Cookie and Header analysis
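The two passive checks listed above, written out as an added example in plain Python (framework-agnostic detection logic over constructed sample traffic; this is not IronWASP's own code and does not use the IronWASP API): flag a password-like parameter in a request sent over plain http://, and report Set-Cookie headers that lack the Secure or HttpOnly flag. The parameter-name heuristic and the sample messages are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not from any real site): a login POST over plain
# HTTP in proxy (absolute-URI) form, and the reply that sets two cookies.
SAMPLE_REQUEST = (
    "POST http://shop.example/login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=s3cret&remember=1"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n\r\n"
)
PASSWORD_PARAM = re.compile(r"pass|pwd|secret", re.I)  # hypothetical heuristic
FORM = "application/x-www-form-urlencoded"

def split_message(raw):
    """Split a raw HTTP message into (start line, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (h.partition(":") for h in header_lines)]
    return start, headers, body

def check_cleartext_password(raw_request):
    """Return password-like parameter names sent over plain http://."""
    start, headers, body = split_message(raw_request)
    url = urlsplit(start.split(" ", 2)[1])
    if url.scheme.lower() != "http":  # TLS in use: nothing to report
        return []
    params = parse_qs(url.query)  # query-string parameters ...
    if dict(headers).get("content-type", "").startswith(FORM):
        params.update(parse_qs(body))  # ... plus form-encoded body
    return sorted(p for p in params if PASSWORD_PARAM.search(p))

def check_cookie_flags(raw_response):
    """Return (cookie name, [missing flags]) for each weak Set-Cookie header."""
    _, headers, _ = split_message(raw_response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        missing = [f for f in ("secure", "httponly") if f not in attrs[1:]]
        if missing:
            findings.append((cookie, missing))
    return findings
```

A real passive plug-in would receive the request/response objects from the proxy log rather than raw strings, but the checks themselves are the same.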
Active Plug-ins
• Automated vulnerability identification
• Need to be explicitly called by the user
• Fine grained scanning support
• E.g.
• Cross-site Scripting, SQL Injection, etc.
JavaScript Static Analysis
• Taint analysis for finding DOM based XSS
• Identifies Sources and Sinks and traces them through the code
• Custom Source and Sink objects can be configured
Q’s, Comments, Feedback
• Mailing List: http://groups.google.com/group/ironwasp
• Lavakumar: @lavakumark / [email protected]
• Manish: @msaindane / [email protected]
• Website: http://ironwasp.org
Thanks to
• Gotham Digital Science
• The security community
• Everyone who helped with testing and feedback
http://ironwasp.org/about.html#credits
Q & A ??