IronWASP – Open Source Web Security Testing Platform

Lavakumar Kuppan

Tue, 9th April 2013


IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent that users can build their own custom security scanners on top of it. Although an advanced user with Python or Ruby scripting expertise can make full use of the platform, many of the tool's features are simple enough to be used by absolute beginners.


Questions and answers

Max, Concise Courses:
There are a couple of vulnerability products out there; can you be as specific as possible about the key differences between your solution and Burp Suite or the OWASP Zed Attack Proxy Project? Are there any key differences that you can highlight?

Lavakumar Kuppan:
There is one key difference I would like to highlight. These are very good tools, no doubt about it. IronWASP has a lot of overlap in terms of features and added tools. For example, if you were using IronWASP you might not necessarily miss out on any of the specific features that you find in the other security tools, but one key advantage with IronWASP is the scripting integration. There are no tools available which have such a tight integration with scripting. [IronWASP] has a coding assistant which automatically generates code for you, which makes scripting very easy.


Max, Concise Courses:
We need to mention where people can download this security tool, so can you share exactly where to get access for the tool?

Lavakumar Kuppan:
Easy: the name of the tool is IronWASP, which is hosted at IronWASP.org. It's a .NET tool, but it also runs on Windows, Linux as well as Mac.


Max, Concise Courses:
Distribution strategy: what are you doing in that respect? Obviously word of mouth is key with this, but what else are you doing? I'm always interested because you do this for the good of the greater community, in essence to help your fellow pentesters solve problems. Outside of word of mouth, have you any plans to spread the word, i.e. helping people become aware of the product?

Lavakumar Kuppan:
I do speak about IronWASP at conferences. One thing I plan to do is start a community with a forum where people can come in and talk about the tool, and another thing is that whenever there is a new announcement I usually mention it on Twitter. I think that Twitter is probably the best place to learn about IronWASP. Another thing is the module facility of IronWASP, which lets other people create their own tools. I am hoping that because I am helping other tool creators they would promote IronWASP as well.


Max, Concise Courses:
What plugins are you thinking of introducing in 2013 or would you like to see developed by the community?

Lavakumar Kuppan:
There are a couple of plugins that I have in mind right now. I am going to revamp the existing set of plugins with new algorithms. Other than that, [I am interested] in HTTP hash tools and Server Side Request Forgeries. These are two vulnerabilities I would want to write plugins for. If someone else is going to write them, then I'd be more than happy to include them. In terms of passive plugins I don't have any specific topics in mind, but there are a lot of things that could be covered. So if anyone is interested they could shoot me an email. The plugins are actually written in Python and Ruby, so if anyone is willing to contribute they can send me a pull request and it could be part of the project.


Max, Concise Courses:
Is IronWASP prepared for the 802.11ac platform?

Lavakumar Kuppan:
I have no idea what that means!

Max, Concise Courses:
When is the new version of IronWASP coming out?

Lavakumar Kuppan:
The new version with the new features which I have spoken about is going to come out hopefully in a couple of days once I am sure that all the bugs have been taken out.

Max, Concise Courses:
Do you have any other future projects that you would like to share with us at this stage?

Lavakumar Kuppan:
There is one project that I am working on, called Static JavaScript Analyzer. It's a big project and I spoke about it at Null Con last month. So once the IronWASP update is out I will start working on the JavaScript Static Analyzer, which hopefully should be out in a couple of months. Once it is out it will be the first open source Static JavaScript Analyzer specifically for detecting security vulnerabilities.