Executive Summary on IronWASP
CYBER SECURITY & PRIVACY FOUNDATION
Software Product: IronWASP

Description of the Product: IronWASP (Iron Web Application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent that users can build their own security scanners on top of it. An advanced user with Python or Ruby scripting expertise can make full use of the platform, but many of the tool's features are simple enough to be used by absolute beginners.

Claimed features:
- GUI based and very easy to use; no security expertise required.
- Powerful and effective scanning engine.
- Supports recording a login sequence.
- Reporting in both HTML and RTF formats.
- Checks for over 25 different kinds of well-known web vulnerabilities.
- False positive detection support.
- False negative detection support.
- Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET.
Plugins: IronWASP has a plugin system that supports Python and Ruby. The Python and Ruby used in IronWASP are IronPython and IronRuby, the .NET implementations of the two languages. Their syntax is the same as that of CPython and CRuby, but some of the standard libraries may not be available; plugin authors can instead make use of the IronWASP API.

Lab Setup:
Operating System: Windows XP
Web Server: XAMPP 1.7.3 (PHP 5.3.1, Apache 2.2.14, MySQL 5.1.41)
Web Applications: BTS Lab, WebGoat, DVWA, bWAPP
IronWASP Version: 0.9.8.4
Test Criteria: We set up the tests in the following categories.
- Cross Site Scripting
- Cross Site Flashing
- Cross Site Request Forgery
- Clickjacking
- Server Side Request Forgery
- File Inclusion
- Insecure Direct Object Reference
- Unrestricted File Upload Vulnerability
- Open URL Redirection
- Broken Authentication and Session Management
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Buffer Overflow
- Header Injection
- HTTP Parameter Pollution
- Full Path Disclosure
- Source Code Disclosure
- Bruteforce Login
- Content Spoofing
- Denial of Service
- Fingerprinting
- Information Leakage
- SSI Injection
- XML Injection
- XPATH/XQuery Injection
- SQL Injection
- LDAP Injection
- Command Injection
- Code Injection
- Insufficient Session Expiration
- HTTP Verb Tampering
- Expression Language Injection
- ORM Injection
- IMAP/SMTP Injection
- Using Components with Known Vulnerabilities
Passed Results (checks that detected the vulnerability in the lab applications):
- Session Fixation
- X-Header Analysis
- Web Server Identification
- Missing HTTP Only Flag
- Open URL Redirection
- Reflected Cross Site Scripting
- Stored Cross Site Scripting
- DOM Based Cross Site Scripting
- SQL Injection
- Blind SQL Injection
- Local File Inclusion
- Remote File Inclusion
- Directory Listing
- Command Injection
- Code Injection
- XPATH Injection
- Header Injection
- Broken Authentication
- Privilege Escalation

Failed Results (checks that did not detect the vulnerability in the lab applications):
- Cross Site Flashing
- Server Side Request Forgery
- SSI Injection
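As an added illustration of the kind of custom check the plugin system described above is meant to host, and of three of the passive checks listed under Passed Results (Missing HTTP Only Flag, Web Server Identification and X-Header Analysis), the following stand-alone Python script parses one raw HTTP response and reports those findings. This is example code written for this page, not IronWASP's own code or its plugin API; an actual IronWASP plugin would have to be written against the IronWASP API in IronPython. The Finding class, the severity labels, the set of defensive headers it expects and the sample response are all assumptions made for the example.

```python
"""Passive HTTP response checks of the kind a scanner plugin would run.

Added example, not IronWASP code. It parses a raw HTTP/1.1 response and
reports: Set-Cookie headers without HttpOnly or Secure, Server and
X-Powered-By values that disclose product and version, and defensive
X-headers that are absent.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    severity: str   # severity labels are an assumption of this example
    evidence: str


# Constructed sample response for the example. It imitates the headers a
# stock XAMPP 1.7.3 install (Apache/2.2.14, PHP/5.3.1) would send but is
# not a capture from the report's lab.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Win32) PHP/5.3.1\r\n"
    "X-Powered-By: PHP/5.3.1\r\n"
    "Set-Cookie: PHPSESSID=5f4dcc3b5aa765d61d8327deb882cf99; path=/\r\n"
    "Set-Cookie: lang=en; path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value)], body).

    Header names are lower-cased; repeated headers such as several
    Set-Cookie lines are kept in order, which is essential for cookie checks.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _header_values(headers, name):
    return [value for n, value in headers if n == name]


def check_cookie_flags(headers):
    """Report each Set-Cookie header that lacks HttpOnly or Secure."""
    findings = []
    for value in _header_values(headers, "set-cookie"):
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first ';', compared case-insensitively.
        attrs = {part.strip().split("=", 1)[0].lower()
                 for part in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(Finding("Missing HttpOnly flag", "Medium",
                                    f"cookie {cookie_name}: {value}"))
        if "secure" not in attrs:
            findings.append(Finding("Missing Secure flag", "Low",
                                    f"cookie {cookie_name}: {value}"))
    return findings


# product/version tokens such as "Apache/2.2.14" or "PHP/5.3.1"
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def check_server_identification(headers):
    """Report Server / X-Powered-By values carrying product and version."""
    findings = []
    for name, title in (("server", "Web server identification"),
                        ("x-powered-by", "X-Powered-By discloses technology")):
        for value in _header_values(headers, name):
            products = VERSION_TOKEN.findall(value)
            if products:
                detail = ", ".join(f"{p} {v}" for p, v in products)
                findings.append(Finding(title, "Low", f"{name}: {value} ({detail})"))
    return findings


# Defensive headers the example expects; the list itself is an assumption.
EXPECTED_HEADERS = {
    "x-frame-options": "Missing X-Frame-Options header (clickjacking)",
    "x-content-type-options": "Missing X-Content-Type-Options header",
}


def check_x_headers(headers):
    """X-Header analysis: report expected defensive headers that are absent."""
    present = {name for name, _ in headers}
    return [Finding(title, "Low", f"{name} not set")
            for name, title in EXPECTED_HEADERS.items() if name not in present]


def scan_response(raw):
    """Run every passive check over one response and return the findings."""
    _, headers, _ = parse_response(raw)
    findings = []
    for check in (check_cookie_flags, check_server_identification, check_x_headers):
        findings.extend(check(headers))
    return findings


if __name__ == "__main__":
    for f in scan_response(SAMPLE_RESPONSE):
        print(f"[{f.severity}] {f.title}: {f.evidence}")
```

Because every check works on the already parsed header list and returns a list of Finding objects, adding a new passive check is a matter of writing one more function and registering it in scan_response; the same split between parsing and checking is what keeps false positives traceable to concrete evidence in the response.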
Vulnerability discovery features not found in IronWASP:
- Insecure Direct Object Reference
- Unrestricted File Upload Vulnerability
- Buffer Overflow
- HTTP Parameter Pollution
- Full Path Disclosure
- Source Code Disclosure
- Bruteforce Login
- Content Spoofing
- Denial of Service
- XML Injection
- HTTP Verb Tampering
- ORM Injection
- IMAP/SMTP Injection

Features not yet tested:
- LDAP Injection
- Expression Language Injection
Conclusion: We observed that IronWASP is able to detect most of the vulnerabilities that it claims it can find, and we also noticed that it produced the fewest false positives for a tool of this kind. We believe that it has raised the standard of what a "Web Vulnerability Scanner" should comprise. We hope that IronWASP adds the checks we marked above as "features not found" in future releases. We also recommend that the developers work on both the UI and ease of use if they want the tool to gain widespread usage. The overall rating that we give IronWASP is 8/10.