IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

Learn more about it here | Download from here

Passive Plug-ins

  • Analyzes all traffic going through the tool
  • Can also modify the traffic
  • Identifies vulnerabilities passively

Eg: Passwords sent over clear-text, Http-Only /Secure flag missing in cookies

Active Plug-ins

  • Performs scans against the target to
  • identify vulnerabilities
  • Executed only when the user explicitly
  • calls them
  • Fine-grained scanning support

Eg: Cross-site Scripting, SQL Injection

IronWASP performs Taint Analysis forDOM based XSS, identifies Sources and Sinks and traces them through the code. Also custom Source and Sink objects can be configured.