IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.

It's Free and Open source
GUI based and very easy to use, no security expertise required
Powerful and effective scanning engine
Supports recording Login sequence
Reporting in both HTML and RTF formats
Checks for over 25 different kinds of well known web vulnerabilities
False Positives detection support
False Negatives detection support
Industry leading built-in scripting engine that supports Python and Ruby
Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET
Comes bundled with a growing number of Modules built by researchers in the security community.
    WiHawk - WiFi Router Vulnerability Scanner by Anamika Singh
    XmlChor - Automatic XPATH Injection Exploitation Tool by Harshal Jamdade
    IronSAP - SAP Security Scanner by Prasanna K
    SSL Security Checker - Scanner to discover vulnerabilities in SSL installations by Manish Saindane
    OWASP Skanda - Automatic SSRF Exploitation Tool by Jayesh Singh Chauhan
    CSRF PoC Generator - Tool for automatically generating exploits for CSRF vulnerabilities by Jayesh Singh Chauhan
    HAWAS - Tool for automatically detecting and decoding encoded strings and hashes in websites by Lavakumar Kuppan

The False Positive Detection Support is provided by the scanner giving precise and detailed information on how a vulnerability was detected and why it was reported, along with instructions on how to test whether it is a False Positive. The False Negative Detection Support is made possible through anomaly detection. This is most likely the first time that an anomaly detection technique has been used in the context of web security scanning. Details on how these systems function and achieve their claimed goals are available below. But before that, if you are not very familiar with how web security scanners work and why False Positives and False Negatives occur, the next section will bring you up to speed.

The Basics:
False Positives and False Negatives are an unfortunate reality with web vulnerability scanners. Before we delve into the details, let's clarify the terminology first.

False Positive:
When a scanner reports that a particular vulnerability is present on the scanned application but in reality the vulnerability does not exist there, it is called a False Positive. In other words, a False Positive occurs when a scanner incorrectly determines that a vulnerability is present in an application.

False Negative:
When a vulnerability is actually present in an application but the scanner fails to detect it, it is called a False Negative.
