OWASP The OWASP Foundation http://www.owasp.org
London, 29th March 2012
IronWASP Open Source Web App Testing Framework
Manish S. Saindane manish@andlabs.org
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
WHOAMI
• Sr. Security Consultant @ GDS Security London (http://www.gdssecurity.com/)
• Co-author of the security website/blog Attack & Defense Labs (http://andlabs.org)
• Contributor to IronWASP and maintainer of the Ruby plug-in repo
• Speaker at Black Hat EU 2010, InfoSecurity India 2007
What is IronWASP?
• Open Source framework for Web Application Security Testing
• Designed for an optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Allows designing customised penetration tests
• Easy to use GUI and Advanced scripting capability
Why IronWASP?
• Customise penetration tests
• Reduce retest efforts
• Smart enough but honest about its limitations
• Provides complete freedom for the pentester to modify it as he/she sees fit
Key Components
• Built-in Crawler + Scan Manager + Proxy
• Integrated Python/Ruby Scripting Environment with IronWASP API
• (Iron)Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• JavaScript Static Analysis Engine
IronWASP API
• HTTP Request/Response Classes
• Scanner, Encoders/Decoders, Other useful methods
• HTML Parsing
• Complete access to IronWASP functionality
• Documentation available in GUI
Scripting Shell
• One of the most exciting components of IronWASP
• Python/Ruby scripting REPL
• Full access to the framework with IronWASP API
• Programmatic analysis of logs, create custom fuzzers from existing requests or craft new requests, etc.
Plug-ins
• Written in Python/Ruby using the IronWASP API
• Easy to modify existing plug-ins
• Can easily add new custom plug-ins
• UI based API doc provided inside the tool
• Syntax highlighting Script Editor with basic error checking support built-in
Plug-ins
• IronRuby plug-ins: https://github.com/msaindane/IronWASP-Ruby-Plugins
• IronPython plug-ins: https://github.com/Lavakumar/IronWASP-Python-Plugins
Format Plug-ins
• Deal with custom data formats in the Request/Response body
• Used with the Active plug-ins to fuzz almost* any data format
• E.g. WCF Binary, JSON, AMF, etc.
*Any data format that can be converted to XML and back
Session Plug-ins
• Every site has slight variations in Authentication, Session handling, CSRF protections, Logic-flow, etc.
• Automated Scanners usually do not understand this, but testers do!
• Testers need to feed this info into the Scanner
Session Plug-ins
• Allow the tester to build the custom logic needed to scan a particular application
• Used along with the Active plug-ins
• E.g. Multi-step forms, Dynamic login functionality
Passive Plug-ins
• Passive analysis of Web traffic to spot vulnerabilities
• Ability to modify traffic based on custom logic
• E.g. Passwords sent over clear-text, Cookie and Header analysis
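The two passive checks named on this slide, written out as an added example in plain Python (it is not an IronWASP plug-in and does not use the IronWASP API; the request/response dictionaries and the sample traffic are constructed for illustration):

```python
# Added example: the kind of check an IronWASP passive plug-in performs, as
# plain Python over a constructed request/response pair (not the IronWASP API).
from urllib.parse import urlparse, parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}  # assumed names

def check_cleartext_password(method, url, body):
    """Flag credential-like parameters carried over plain HTTP."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return findings
    params = parse_qs(parsed.query)
    if method.upper() == "POST" and body:
        params.update(parse_qs(body))
    for name in params:
        if name.lower() in PASSWORD_FIELDS:
            findings.append(f"parameter '{name}' (credential) sent over clear-text HTTP")
    return findings

def check_cookie_flags(set_cookie_headers, https):
    """Flag Set-Cookie headers lacking HttpOnly, and Secure on HTTPS responses."""
    findings = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in header.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' set without HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie '{name}' set without Secure over HTTPS")
    return findings

def passive_analyse(request, response):
    """Run both passive checks over one request/response pair; return findings."""
    https = urlparse(request["url"]).scheme == "https"
    findings = check_cleartext_password(request["method"], request["url"], request.get("body", ""))
    findings += check_cookie_flags(response.get("set_cookie", []), https)
    return findings

# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUEST = {"method": "POST", "url": "http://example.test/login",
                  "body": "username=alice&password=s3cret"}
SAMPLE_RESPONSE = {"status": 302,
                   "set_cookie": ["SESSIONID=abc123; Path=/",
                                  "pref=dark; Path=/; HttpOnly; Secure"]}

if __name__ == "__main__":
    for finding in passive_analyse(SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print("[passive]", finding)
```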
Active Plug-ins
• Automated vulnerability identification
• Need to be explicitly called by the user
• Fine grained scanning support
• E.g. Cross-site Scripting, SQL Injection, etc.
JavaScript Static Analysis
• Taint analysis for finding DOM based XSS
• Identifies Sources and Sinks and traces them through the code
• Custom Source and Sink objects can be configured
Q's, Comments, Feedback
• Mailing List: http://groups.google.com/group/ironwasp
• Lavakumar: @lavakumark / lava@ironwasp.org
• Manish: @msaindane / manish@andlabs.org
• Website: http://ironwasp.org
Thanks to
• Gotham Digital Science
• The security community
• Everyone who helped with testing and feedback: http://ironwasp.org/about.html#credits
Q & A