Présentation : IronWASP is a high-extendable open source system for web application vulnerability testing. In this blog post I m going to walk through the process of porting existing security tools with available source code into IronWASP modules. For this, I will be using TestSSLServer http www.bolet.org TestSSLServer , a simple command line tool that can be used to test the SSL TLS security configuration of a remote HTTP server. The benefit of using this tool is that it does not require OpenSSL or any other dependencies. I ll be using the .NET port for this example. Lets begin by understanding what an IronWASP module is. IronWASP has a concept of plugins and modules. A module in this sense could be a standalone tool that may or may not use any of the built-in API methods provided by IronWASP. These could be tools that you may want to keep handy in your web security testing arsenal, which would not be categorised as plugins. Modules can be written in either Ruby, Python, C or VB.Net. I will be coding my module in Ruby. The various challenges we may face when creating such modules would include Exporting methods and debug events from the original tool to be consumed by our module Building user friendly GUI elements for the module Running the tool in a background thread so that the IronWASP UI does not hang while the module completes its task. Lets go ahead and handle these step by step. To begin the process, use the built-in wizard to create a basic template. This can be found in Dev Tools Coding Assistants Module Creation Assistant . After the basic template is in place, we can get to the original tool and prepare it to be ported into a module. First thing that I needed to do was to export certain information events from the tool that I could use within the module to display to the user what the tool was doing. In this case this can be done by creating an event in the C code. Events can be created using a delegate. See the example code below for creating the delegate and event. public delegate void OutputMessageEvent string Output public event OutputMessageEvent OutputMessage remove static public bool OutputEventSet get if OutputMessage null return false else return true public void DebugOutput string Output if OutputMessage null try OutputMessage Output n catch We then use the DebugOutput public method to return the data as a string. I have used this method in various places in the code to create a run trace of the application. This will be later consumed from the module code and the return string will be displayed to the user. The following code is used in the Ruby module to track these events and display in the output text box Handle the output events thrown by the TestSSLServer dll and print the messages if not tss.output_event_set _outputText.Text tss.output_message do msg _outputText.AppendText msg end end Next I had to replace all the Console.WriteLine calls and instead, collect them in a Stringbuilder which will be used to store the results and return them at the end of execution. This should be sufficent to start building our module. I compiled the TestSSLServer.cs file into a DLL which I will be using in my Ruby module. The next step is to create a GUI that the user would use to test the SSL TLS server. IronWASP has a built-in GUI designer that provides the most frequently used GUI controls needed for creating modules. To begin, open the GUI designer from Dev Tools UI Designer Designing the GUI is straightforward and if you have designed a GUI using Visual Studio, then you will find it familiar. Once you have created a basic GUI that you are happy with, click the Generate Code option in the UI designer. This will generate the required code for creating the GUI elements that can be included in the module code. The UI designer generates code in Ruby, Python and XML. The Ruby and Python code can be used directly in the module code whereas the XML is used in case you need to make any further changes to the GUI later, so remember to save the XML along with the Ruby or Python code. In this example, the GUI code can be found in the startUI method of SSLSecurityChecker.rb Here is a screenshot of the UI designer with the GUI created for this module. The next challenge is to execute the module code in a background thread. IronWASP makes it very easy for module and plugin developers to handle threading code. I make use of the IronThread class provided by the IronWASP API to execute the RunChecks method. See https github.com Lavakumar IronWASP blob master IronWASP IronThread.cs for more details on IronThread class and how it can be used in your module code. In this scenario I use the Run method from the IronThread class. This functionality is handled within the Click event for the Go button. Event handler for the Go button _goBtn.Click do For running the code in a background thread, use the IronThread class IronThread.Run Proc.new do exec_checks hostNameValue.Text, _portValue.Text, _outputText end end Now our module is ready. This module can be executed from the IronWASP Modules tab. Once the module is executed, the run trace created using the event in the original tool is displayed in the Output window. When the module completes the execution of the tests, the final result is displayed in the Output window as shown below This way we can port existing tools to IronWASP as modules or create out own modules using Ruby. Python, C or VB.Net. Modules can make use of the full IronWASP API. The complete code for this example can be found here https github.com GDSSecurity SSLSecurityChecker
Les mots clés de la revue de presse pour cet article : security Les videos sur SecuObs pour les mots clés : security Les mots clés pour les articles publiés sur SecuObs : security Les éléments de la revue Twitter pour les mots clé : security
Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 126.96.36.199 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 188.8.131.52 to any 80"
- Nous contacter par mail