
IronWASP Part 1

September 19, 2012 by Hari Krishnan

IronWASP stands for Iron Web Application Advanced Security testing Platform and was developed by Mr. Lavakumar Kuppan. It is an open-source system mainly used for testing web application vulnerabilities. The tool is simple enough for beginners to use, and a user with a good knowledge of Python or Ruby can do a lot more with it, such as creating their own custom scanners.

Another major advantage of this tool is that it builds on various external libraries, which makes it more powerful. The external libraries include:

  • FiddleCore
  • IronPython
  • IronRuby
  • Jint
  • System.Data.SQLite
  • Html Agility Pack
  • ICSharpCode.TextEditor
  • Json.NET
  • Diffplex
  • jsbeautifylib
  • Diff.cs

You can download this software from the given link.

Getting Started:

Once you have downloaded the setup and extracted the files to your desired location, double-click the IronWASP application found inside the IronWASP folder. IronWASP also comes with a demo application against which you can test it. The demo application can be found inside the IronWASP folder under the name “DemoApp”.

To use this application, double-click the demo app and set the port number. Once done, click the “Start Server” button; you can then browse the demo application by typing localhost:<port number> in your browser's address bar.

Demo Application

Now you can select one of the scan modes in the tool to perform the scan. The two scan modes are default settings and user-configured settings. It is said that the IronWASP tool has an effective crawler, so you can find more bugs.

Press the Start Scan button and the tool will begin crawling the website and looking for vulnerabilities in the targeted site. Once vulnerabilities are detected, they are classified as High, Medium, or Low, depending on their impact.

For example, the image below shows a directory listing detected as a Medium-level vulnerability, with further details shown in the Result tab.

You can verify the detected bug manually; for example, the image below shows the directory listing itself.

Another feature of this tool is that you can activate or deactivate the plug-ins used by the scanner: go to the Plugins tab under Tools and right-click the desired plug-in to activate or deactivate it.

You can further scan the branch URLs by clicking the required URL and selecting the Scan Branch option.

Another feature of this tool is its scripting shell for both Python and Ruby, which gives full access to the IronWASP framework. Pen testers can use it to write their own fuzzers, craft custom requests, analyze logs, and so on.

There are two types of plug-ins in this tool: passive plug-ins and active plug-ins.

Passive plug-ins are normally used for analyzing or modifying the traffic, while active plug-ins are used during an automated scan to find vulnerabilities such as SQL injection and cross-site scripting. The tool also has its own session plug-ins, which can be used depending on the type of website being scanned: since every site has its own variations that automated scanners do not capture, pen testers can feed in their own inputs manually, and these are then used alongside the other active plug-ins.
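To make the passive/active distinction concrete, here is an added example of the kind of check a passive plug-in performs: it only inspects responses that were already captured and sends no traffic of its own. This is plain Python written for this article, not IronWASP's own plug-in code or its API; the Response and Finding classes and the sample traffic are constructed for the example, and the severity labels mirror the High/Medium/Low classes the scanner reports.

```python
import re
from dataclasses import dataclass

# Minimal stand-ins for a captured HTTP response and a scanner finding
# (constructed for this example; not IronWASP's classes).
@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str

@dataclass
class Finding:
    url: str
    title: str
    severity: str   # "High", "Medium" or "Low", matching the scanner's classes

# Markers of auto-generated directory indexes (Apache, IIS, Python http.server).
LISTING_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Directory listing for /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
]

def check_directory_listing(resp):
    """Flag an HTML 200 response that looks like a directory index (Medium)."""
    if resp.status != 200:
        return None
    ctype = resp.headers.get("Content-Type", "").lower()
    if "text/html" not in ctype:
        return None
    for pat in LISTING_PATTERNS:
        if pat.search(resp.body):
            return Finding(resp.url, "Directory listing enabled", "Medium")
    return None

def check_security_headers(resp):
    """Flag hardening headers that are absent from the response (Low)."""
    wanted = {"X-Frame-Options": "Low", "X-Content-Type-Options": "Low"}
    present = {k.lower() for k in resp.headers}
    return [Finding(resp.url, f"Missing {name} header", sev)
            for name, sev in wanted.items() if name.lower() not in present]

def passive_scan(responses):
    """Run every passive check over already-captured traffic; nothing is sent."""
    findings = []
    for resp in responses:
        listing = check_directory_listing(resp)
        if listing:
            findings.append(listing)
        findings.extend(check_security_headers(resp))
    return findings

# Constructed sample traffic: one directory index, one hardened page.
SAMPLE = [
    Response("http://localhost:8080/images/", 200,
             {"Content-Type": "text/html"},
             "<html><head><title>Index of /images</title></head>"
             "<body><h1>Index of /images</h1><a href='logo.png'>logo.png</a></body></html>"),
    Response("http://localhost:8080/login", 200,
             {"Content-Type": "text/html", "X-Frame-Options": "DENY",
              "X-Content-Type-Options": "nosniff"},
             "<html><body><form action='/login' method='post'></form></body></html>"),
]

if __name__ == "__main__":
    for f in passive_scan(SAMPLE):
        print(f.severity, f.url, f.title)
```

Running it reports three findings for the /images/ response (the listing itself plus the two missing headers) and none for /login. An active plug-in would instead generate new requests, for instance injecting payloads into parameters, which is why the two kinds are kept separate and can be switched on and off independently.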

JavaScript Static Analysis:

IronWASP has another option, JavaScript static analysis, which can be used to find DOM-based XSS. It identifies the sources and sinks and traces the data flow between them through the code. The tool also has other utilities, such as an encoder/decoder and an HTML parser, which will be covered in the next chapter.
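The source-to-sink tracing described above can be illustrated with a small added example. This is a deliberately simplified, line-based tracer written in plain Python for this article; it is not IronWASP's analyzer and does not reflect how that analyzer works internally. The source and sink lists and the sample script are constructed for the example.

```python
import re

# Attacker-controlled inputs (sources) and places where HTML/script is
# interpreted (sinks). Both lists are constructed for this example.
SOURCES = ["location.hash", "location.search", "document.URL",
           "document.referrer", "window.name"]
SINKS = ["innerHTML", "outerHTML", "document.write", "eval", "setTimeout"]

# A simple `name = expression;` assignment, optionally with var/let/const.
ASSIGN = re.compile(r"(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*([^;]+);")

def _taint_of(expr, tainted):
    """Return the source an expression derives from, or None if it is clean."""
    for src in SOURCES:
        if src in expr:
            return src
    for name, src in tainted.items():
        if re.search(r"\b" + re.escape(name) + r"\b", expr):
            return src
    return None

def trace_dom_xss(js_source):
    """Return (line, source, sink) triples where tainted data reaches a sink."""
    tainted = {}      # variable name -> the source it was derived from
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        m = ASSIGN.match(line.strip())
        if m:
            name, rhs = m.group(1), m.group(2)
            src = _taint_of(rhs, tainted)
            if src:
                tainted[name] = src        # taint propagates through assignment
            else:
                tainted.pop(name, None)    # overwritten with clean data
        for sink in SINKS:
            if re.search(r"\b" + re.escape(sink) + r"\b", line):
                src = _taint_of(line, tainted)
                if src:
                    findings.append((lineno, src, sink))
    return findings

# Constructed sample script: two tainted flows and one clean assignment.
SAMPLE_JS = """\
var name = location.hash.substring(1);
var greeting = "Hello " + name;
document.getElementById("out").innerHTML = greeting;
var safe = "static text";
document.getElementById("footer").innerHTML = safe;
eval(window.name);"""

if __name__ == "__main__":
    for lineno, src, sink in trace_dom_xss(SAMPLE_JS):
        print(f"line {lineno}: {src} -> {sink}")
```

On the sample it reports the flow from location.hash through name and greeting into innerHTML on line 3, and window.name into eval on line 6, while the clean assignment on line 5 is not flagged. A real analyzer parses the code into an AST, follows data through function calls and object properties, and recognizes sanitizers; this regex version has none of that, so it over-reports (encoded values still count as tainted) and under-reports (flows across functions are missed).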


Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (