Thursday, September 19, 2013

Two new IronWASP Modules - IronSAP and SSLSecurityChecker

NOTE: Find out what else is new in IronWASP version 0.9.7.0 from this release announcement post

IronSAP - SAP Security Scanner

IronSAP by Prasanna was the first module written for IronWASP and was supposed to be released last year, but after being stuck in development hell for a while it's finally out.

IronSAP automatically identifies most of the common and well-known vulnerabilities associated with SAP installations. To get a good idea of the type of issues identified, check out the slides from the IronSAP talk at nullcon Delhi.

IronSAP is incredibly easy to use. You can launch it from the 'SAP Security' section of the 'Modules' menu.
 
Once you do that you should get the usual authorization prompt.
 

After you click past it you are presented with a very simple and easy UI. Just enter the IP address of the system where SAP is installed and hit 'Start' and you should see the results of the scan appear in the results section below.
 
 


The source code for IronSAP is available on Github, but be warned <British accent> it is beautifully, unapologetically plastic spaghetti code </British accent> ;)

SSL Security Checker:

SSL Security Checker by Manish is another very easy to use module. It automatically checks the strength and security of any SSL service.

SSL Security Checker can be found in the 'Scanners' section of the 'Modules' menu.



Clicking that gives you the authorization prompt.


Once past that you get a very simple UI. Enter the target hostname and port and hit 'Go'. Once the tool is running you can see updates on the checks it is performing.
 
 
After all checks are completed the final results are displayed to you.
 

The source code for SSL Security Checker is available on Github. Manish also wrote a detailed post about how he created this module.

If you have an idea for creating a web security tool then IronWASP provides the best platform to turn your idea into working code. If you need help getting started then shoot me an email, I would be happy to help :)
