Twitter
« AlienVault OSSIM 4.2 - Enabling Custom Install | Main | Avoiding Residual SSH Keys on Ubuntu AMIs »
Tuesday
Sep032013

Porting Existing Security Tools to IronWASP Modules

IronWASP is a high-extendable open source system for web application vulnerability testing. In this blog post I’m going to walk through the process of porting existing security tools (with available source code) into IronWASP modules. For this, I will be using TestSSLServer (http://www.bolet.org/TestSSLServer/), a simple command line tool that can be used to test the SSL/TLS security configuration of a remote HTTP server. The benefit of using this tool is that it does not require OpenSSL or any other dependencies. I’ll be using the .NET port for this example.

Lets begin by understanding what an IronWASP module is. IronWASP has a concept of plugins and modules. A module in this sense could be a standalone tool that may or may not use any of the built-in API methods provided by IronWASP. These could be tools that you may want to keep handy in your web security testing arsenal, which would not be categorised as plugins. Modules can be written in either Ruby, Python, C# or VB.Net. I will be coding my module in Ruby.

The various challenges we may face when creating such modules would include:

  • Exporting methods and debug events from the original tool to be consumed by our module

  • Building user friendly GUI elements for the module

  • Running the tool in a background thread so that the IronWASP UI does not hang while the module completes its task.

Lets go ahead and handle these step by step. To begin the process, use the built-in wizard to create a basic template. This can be found in ‘Dev Tools > Coding Assistants > Module Creation Assistant’.

After the basic template is in place, we can get to the original tool and prepare it to be ported into a module. First thing that I needed to do was to export certain information events from the tool that I could use within the module to display to the user what the tool was doing. In this case this can be done by creating an event in the C# code. Events can be created using a delegate. See the example code below for creating the delegate and event.

public delegate void OutputMessageEvent(string Output);

public event OutputMessageEvent OutputMessage; //remove static

public bool OutputEventSet

{

   get

   {

       if (OutputMessage == null)

       {

           return false;

       }

       else

       {

           return true;

       }

   }

}

public void DebugOutput(string Output)

{

   if (OutputMessage != null)

   {

       try

       {

           OutputMessage(Output+”\n”);

       }

       catch

       { }

   }

}

We then use the ‘DebugOutput’ public method to return the data as a string. I have used this method in various places in the code to create a run trace of the application. This will be later consumed from the module code and the return string will be displayed to the user.

The following code is used in the Ruby module to track these events and display in the output text box:

# Handle the output events thrown by the TestSSLServer dll and print the messages

if not @tss.output_event_set

 _outputText.Text = “”

 @tss.output_message do |msg|

   _outputText.AppendText(msg)

 end

end

Next I had to replace all the ‘Console.WriteLine’ calls and instead, collect them in a ‘Stringbuilder’ which will be used to store the results and return them at the end of execution. This should be sufficent to start building our module. I compiled the TestSSLServer.cs file into a DLL which I will be using in my Ruby module.

The next step is to create a GUI that the user would use to test the SSL/TLS server. IronWASP has a built-in GUI designer that provides the most frequently used GUI controls needed for creating modules. To begin, open the GUI designer from ‘Dev Tools > UI Designer’

Designing the GUI is straightforward and if you have designed a GUI using Visual Studio, then you will find it familiar. Once you have created a basic GUI that you are happy with, click the ‘Generate Code’ option in the UI designer. This will generate the required code for creating the GUI elements that can be included in the module code. The UI designer generates code in Ruby, Python and XML. The Ruby and Python code can be used directly in the module code whereas the XML is used in case you need to make any further changes to the GUI later, so remember to save the XML along with the Ruby or Python code. In this example, the GUI code can be found in the ‘startUI’ method of SSLSecurityChecker.rb

Here is a screenshot of the UI designer with the GUI created for this module.


The next challenge is to execute the module code in a background thread. IronWASP makes it very easy for module and plugin developers to handle threading code. I make use of the ‘IronThread’ class provided by the IronWASP API to execute the ‘RunChecks’ method. See https://github.com/Lavakumar/IronWASP/blob/master/IronWASP/IronThread.cs for more details on IronThread class and how it can be used in your module code. In this scenario I use the ‘Run’ method from the IronThread class. This functionality is handled within the ‘Click’ event for the ‘Go’ button.

# Event handler for the Go button

_goBtn.Click  do

   # For running the code in a background thread, use the IronThread class

   IronThread.Run(

       Proc.new do

           exec_checks(_hostNameValue.Text, _portValue.Text, _outputText)

       end

   )

end

Now our module is ready. This module can be executed from the IronWASP Modules tab.

Once the module is executed, the run trace created using the event in the original tool is displayed in the Output window.

When the module completes the execution of the tests, the final result is displayed in the Output window as shown below

This way we can port existing tools to IronWASP as modules or create out own modules using Ruby. Python, C# or VB.Net. Modules can make use of the full IronWASP API.

The complete code for this example can be found here: https://github.com/GDSSecurity/SSLSecurityChecker

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.