IronWASP stands for Iron Web application Advanced Security testing Platform, and was developed by Mr.Lavakumar Kuppan. It is an open source system and is mainly used for testing web application vulnerabilities. This tool is very simple to use and can be used by beginners. And the advantage of this tool is that if the user has a very good knowledge in Python or Ruby, he/she can do a lot more with this tool, like creating their own custom scanners.

Another major advantage of this tool is that it uses various external libraries, making it more powerful. The external libraries include:

  • FiddleCore
  • IronPython
  • IronRuby
  • Jint
  • System.Data.SQLite
  • Html Agility Pack
  • ICSharpCode.TextEditor
  • Json.NET
  • Diffplex
  • jsbeautifylib
  • Diff.cs

You can download this software from the given link http://ironwasp.org/download.html


Getting Started:

Once you have downloaded the setup and extracted the files to your desired location, double-click on the IronWASP application found inside the IronWASP folder. IronWASP also comes with a demo application where you can test it. The demo application can be found inside the IronWASP folder with the name “DemoApp“.

To use this application, double-click the demo app where you can set the port number. Once done, click the “Start Server” button, and you can browse the demo application on your browser by typing localhost:port number in the URL address bar.



Demo Application

Now, you can select from the different scan modes in the tool to perform the scan. The two scan modes are default and user-configured settings. It is said that the IronWASP tool has an effective crawler so that you can find more bugs.


Press the start scan button and the tool will start crawling the website and will also start finding vulnerabilities in the targeted site. Once the vulnerabilities get detected, they are classified as High, Medium, or Low, depending on the impact.

For example, below is the image where directory listing has been detected in the Medium level Vulnerability and its further details in the result tab.


You can verify the bug detected manually, for example below is the image of the directory listing.


Another feature in this tool is that you can activate or deactivate the plug-ins used in the scanner by going to the plugins tab found inside the tools and right-clicking on the desired plugin to either activate or deactivate it.

Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance


You can further scan the branch URLs by clicking the required URL and selecting the scan branch option.


Another feature of this tool is that it has a scripting shell for both Python and Ruby giving full access to the IronWASP framework, and this can be used by the pen testers to write their own fuzzers, create custom crafted request, analysis of logs, etc.

There are two types of plug-ins in this tool. One is passive and the other one is called active plug-ins.

Passive plug-ins are normally used for analyzing the traffic, modify, etc., and active plug-ins are used while performing an automated scan in order to find the vulnerabilities like SQL injection and cross-site scripting. Also this tool has its own session plug-ins which can be used depending on the type of website we are scanning, since there are always variations in the sites and these variations are not captured by automated scanners, pen testers can feed their inputs manually which will be used along with other active plug-ins.

Javascript Static Analysis:

IronWASP has another option called Javascript static analysis which can be used to find DOM-Based XSS. It identifies the sources and sinks and traces them through the code. This tool also has other tools like encoder/decoder, html parser, etc which will be seen in the next chapter.