IronWASP Part 1
IronWASP stands for Iron Web application Advanced Security testing Platform, and was developed by Mr.Lavakumar Kuppan. It is an open source system and is mainly used for testing web application vulnerabilities. This tool is very simple to use and can be used by beginners. And the advantage of this tool is that if the user has a very good knowledge in Python or Ruby, he/she can do a lot more with this tool, like creating their own custom scanners.
Another major advantage of this tool is that it uses various external libraries, making it more powerful. The external libraries include:
11 courses, 8+ hours of training
11 courses, 8+ hours of training
- FiddleCore
- IronPython
- IronRuby
- Jint
- System.Data.SQLite
- Html Agility Pack
- ICSharpCode.TextEditor
- Json.NET
- Diffplex
- jsbeautifylib
- Diff.cs
You can download this software from the given link http://ironwasp.org/download.html
Getting Started:
Once you have downloaded the setup and extracted the files to your desired location, double-click on the IronWASP application found inside the IronWASP folder. IronWASP also comes with a demo application where you can test it. The demo application can be found inside the IronWASP folder with the name "DemoApp".
To use this application, double-click the demo app where you can set the port number. Once done, click the "Start Server" button, and you can browse the demo application on your browser by typing localhost:port number in the URL address bar.
Demo Application
Now, you can select from the different scan modes in the tool to perform the scan. The two scan modes are default and user-configured settings. It is said that the IronWASP tool has an effective crawler so that you can find more bugs.
Press the start scan button and the tool will start crawling the website and will also start finding vulnerabilities in the targeted site. Once the vulnerabilities get detected, they are classified as High, Medium, or Low, depending on the impact.
For example, below is the image where directory listing has been detected in the Medium level Vulnerability and its further details in the result tab.
You can verify the bug detected manually, for example below is the image of the directory listing.
Another feature in this tool is that you can activate or deactivate the plug-ins used in the scanner by going to the plugins tab found inside the tools and right-clicking on the desired plugin to either activate or deactivate it.
You can further scan the branch URLs by clicking the required URL and selecting the scan branch option.
Another feature of this tool is that it has a scripting shell for both Python and Ruby giving full access to the IronWASP framework, and this can be used by the pen testers to write their own fuzzers, create custom crafted request, analysis of logs, etc.
There are two types of plug-ins in this tool. One is passive and the other one is called active plug-ins.
Passive plug-ins are normally used for analyzing the traffic, modify, etc., and active plug-ins are used while performing an automated scan in order to find the vulnerabilities like SQL injection and cross-site scripting. Also this tool has its own session plug-ins which can be used depending on the type of website we are scanning, since there are always variations in the sites and these variations are not captured by automated scanners, pen testers can feed their inputs manually which will be used along with other active plug-ins.
Javascript Static Analysis:
11 courses, 8+ hours of training
11 courses, 8+ hours of training
IronWASP has another option called Javascript static analysis which can be used to find DOM-Based XSS. It identifies the sources and sinks and traces them through the code. This tool also has other tools like encoder/decoder, html parser, etc which will be seen in the next chapter.
In this Series
- IronWASP Part 1
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security