IronWASP by Lavakumar is another great web application pentesting tool, and like ZAP it provides an application proxy to intercept traffic and perform manual testing. It has certain features that similar tools do not provide, such as SSRF exploitation, an SAP scanner and scripting within the interface. Under the Tools tab there are two features, ‘WebSocket Message Extractor’ and ‘WebSocket Client’, which are very helpful when conducting a security assessment of web applications that use WebSockets.

Here are some reasons why IronWASP is great:

  • It’s Free and Open source
  • GUI based and very easy to use, no security expertise required
  • Powerful and effective scanning engine
  • Supports recording Login sequence
  • Reporting in both HTML and RTF formats
  • Checks for over 25 different kinds of well known web vulnerabilities
  • False Positives detection support
  • False Negatives detection support
  • Industry leading built-in scripting engine that supports Python and Ruby
  • Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET
  • Comes bundled with a growing number of Modules built by researchers in the security community.
    • WiHawk – WiFi Router Vulnerability Scanner by Anamika Singh
    • XmlChor – Automatic XPATH Injection Exploitation Tool by Harshal Jamdade
    • IronSAP – SAP Security Scanner by Prasanna K
    • SSL Security Checker – Scanner to discover vulnerabilities in SSL installations by Manish Saindane
    • OWASP Skanda – Automatic SSRF Exploitation Tool by Jayesh Singh Chauhan
    • CSRF PoC Generator – Tool for automatically generating exploits for CSRF vulnerabilities by Jayesh Singh Chauhan
    • HAWAS – Tool for automatically detecting and decoding encoded strings and hashes in websites by Lavakumar Kuppan
