Exercising an application by hand with a large number of attack payloads is tedious and time-consuming. Security scanning tools have therefore become a complement to manual testing in application security assessment. What testers have always wanted is an efficient, effective and user-friendly tool that maximises the hit rate on real vulnerabilities while keeping the number of false positives to a minimum. IronWASP is one such open source tool.
This article gives a brief overview of IronWASP (Iron Web Application Advanced Security testing Platform), an open source web application security testing tool.
IronWASP is an environment for web application security testing designed for an optimum mix of manual and automated testing. It has a GUI, runs without installation, and comes with a built-in crawler, scan manager and proxy, together with bundled modules and plugins. It detects most common vulnerabilities with a low false-positive rate and lets the tester define a custom security scanner in a short time.
Although an advanced user with Python or Ruby scripting skills can get the most out of the scanner, most of the tool's features are simple enough for absolute beginners to use.
The main features of the tool are:
- Simple UI offering ease of use without in-depth knowledge of application security or testing.
- Powerful and effective scanning engine with automatic and manual crawling options.
- Supports recording a login sequence.
- Generates reports in both HTML and RTF formats.
- Checks for over 25 well-known web vulnerabilities covering the OWASP Top 10 and the SANS Top 25.
- Support for false-positive detection.
- Extensible via plugins or modules written in Python, Ruby, C# or VB.NET.
- Ships with modules contributed by researchers in the security community.
- Embedded interactive testing tools for:
  - CSRF protection
  - Broken authentication
  - Hidden parameters
  - Privilege escalation
You can download the tool from http://ironwasp.org/download.html
Refer to the attached PDF for in-depth information on the tool, its features, installation & deployment, interactive testing methodologies etc.
Authored By - Rajesh Rao Budhnar
TCS Cyber Security Practice