Scanner: IronWASP
Version: 0.9.7.4
Vendor: Lavakumar Kuppan

Tested Against WAVSEP Version:
1.5

Product Details:
Accurate Version: 0.9.7.4 (GA)
License / Technology: GPL3 / .Net 2.0
Last Update: 16-12-2013
Source Code Activity: 16-12-2013
Source Code: available (link in the original page)

General Features:
Config: Very Simple
Usage: Very Simple
Stability: Stable
Performance: Fast
GUI, Report, Scan Log, Pause, Session: icon-only values (not preserved in this text copy)

Authentication, Control and Connection Features:
Columns: Custom Cookie, Custom Header, BASIC, DIGEST, NTLM, NTLMv2, KERBEROS, FORM, PROXY, GZIP, DEFLATE, SSL CERT, Logout Detection, Exclude Logout, Exclude URL, Exclude Param
(Per-column supported/unsupported markers were icons and are not preserved in this text copy.)

Coverage Features:
Count: 4
Columns: Manual Crawl, URL File, Html Crawler, Ajax Crawler, Flash Crawler, Applet Crawler, Silverlight Crawler, WSDL Crawler, REST Crawler, Field Autofill, Smart Autofill, Anti CSRF Support, Viewstate Support, CAPTCHA Bypass, WAF Bypass
(Per-column supported/unsupported markers were icons and are not preserved in this text copy.)

Input Vector Support:
Count: 13
Columns: GET, POST, COOKIE, HEADERS, ECRET (label garbled in source), PName, XML, XmlATT, XmlTAG, JSON, .NetENC, AMF, JavaSER, .NetSER, WCF, WCF-Bin, WebSock, DWR, Custom
(Per-column supported/unsupported markers were icons and are not preserved in this text copy.)

Audit Features:
Count: 17
Columns: SQLi, BSQLi, SSJSi, RXSS, PXSS, DXSS, JSONh, LFI, RFI, CMDExec, UPLOAD, REDIRECT, CRLFi, LDAPi, XPATHi, MXi, SSI, FORMATi, CODEi, XMLi, ELi, BUFFERo, INTEGERo, CODEDisc, BACKUPf, PADDING, AUTHb, PRIVe, XXE, SESSION FIXATION, CSRF, ADoS
(Per-column supported/unsupported markers were icons and are not preserved in this text copy.)

Complimentary Audit Features:
Columns: WebServer Hardening, CGI Scanning, Dir & File Enumeration, Passive Analysis, Additional Features
(Per-column supported/unsupported markers were icons and are not preserved in this text copy.)
Additional Features: Supports custom input vectors (!): fuzzing a custom part of the protocol - almost unique among open source scanners. Ready-to-use format plugins for Multipart, etc. - and as far as I know it's the only open source scanner that can scan these input vectors.

The SQL Injection Detection Accuracy of the Scanner:
Detection Rate: 99.26% (135/136)
False Positives: 0.00% (0/10)

The Reflected XSS Detection Accuracy of the Scanner:
Detection Rate: 100.00% (66/66)
False Positives: 0.00% (0/7)

The Path Traversal / Local File Inclusion Detection Accuracy of the Scanner:
Detection Rate: 53.06% (433/816)
False Positives: 0.00% (0/8)

The Remote File Inclusion Detection Accuracy of the Scanner:
Detection Rate: 77.78% (84/108)
False Positives: 0.00% (0/6)

Additional Audit Features:
IronSAP (SAP testing), HAWAS (Hybrid), SSL Scanner, Exploitation (SSRF, CSRF). A partial list of passive checks: Password in URL, Password sent in cleartext HTTP, Basic Authentication over cleartext communication, Cookie without HttpOnly flag, Cookie without Secure flag (over SSL), Cross-domain XML policy analysis, Server Version Disclosure, various session and HTML issues, Autocomplete. Partial support for PXSS, DXSS and External Redirect (potential detection only, without verification), and SSRF.


Overview:
Authentication support, anti-CSRF support and complex multi-phase scenarios can be implemented via the session plugins. A great tool for testing applications that use non-standard input delivery methods; specifically useful for manual testing.


Copyright © 2010-2016 by Shay Chen. All rights reserved.