IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
- Analyzes all traffic going through the tool
- Can also modify the traffic
- Identifies vulnerabilities passively
Eg: Passwords sent over clear-text, Http-Only /Secure flag missing in cookies
- Performs scans against the target to
- identify vulnerabilities
- Executed only when the user explicitly
- calls them
- Fine-grained scanning support
Eg: Cross-site Scripting, SQL Injection
IronWASP performs Taint Analysis forDOM based XSS, identifies Sources and Sinks and traces them through the code. Also custom Source and Sink objects can be configured.
Version: DotDotPwn v3.0
Release date: 03/Feb/2012 (Release at BugCon Security Conferences 2012)
Changes / Enhancements / Features:
- -X switch that implements the Bisection Algorithm in order to detect the exact deepness once a directory traversal vulnerability has been found. - http://en.wikipedia.org/wiki/Bisection_method
- -M switch to specify another method different from the default (GET) when the http module is used.
- Other HTTP methods are [POST | HEAD | COPY | MOVE]
- -e switch to specify the file extension to be appended at the end of each fuzz string (e.g. ".php", ".jpg", ".inc")
- New dots & slashes encodings (fuzz patterns) based on: https://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode and http://wikisecure.net/security/uri-encoding-to-bypass-idsips
- HTTP URL
- Payload (Protocol independent)
Feel free to download this new release from the following sites:
Contact us: email@example.com