
RE: web application testing framework

Subject: RE: web application testing framework
Date: Tue, 13 Sep 2005 06:48:36 -0500

We use WATIR (Web Application Tests In Ruby) <http://wtr.rubyforge.org/> rather 
than Selenium and have had really good luck.  This is helpful both for general 
automated integration testing as well as positive testing for security.  It 
actually drives an Internet Explorer browser so all of the JavaScript and 
whatnot execute as they would for a normal user.  We have seen some reliability 
problems when we run it in "fast" mode or if we don't have it drive a visual 
browser on the screen.  In normal mode, however, it has been pretty stable.  We 
have only used it on Windows so I am not sure if it will drive Mozilla on Linux.

For negative testing we tend to use one of the Perl HTTP libraries.  This lets 
us send "malicious" inputs where we need to bypass JavaScript validation on the 
client side.  I'm not sure which we have been using most recently but I can 
check later today.  There are a couple available that allow you to run an HTTP 
session that will keep track of session cookies, etc.  This lets you set up 
your application session and navigate to wherever you are testing.  You can 
then modify the request before it goes out and add the injection payload, 
modified cookies, etc., and search through the response HTML to see if the 
"attack" worked.

We use these in combination often when we are doing security remediation to set 
up a baseline of existing behavior (both good and bad) so we have something to 
compare the remediated codebase to.  When we start, the positive tests pass and 
the negative tests fail.  When we are finished, all tests should pass.

Hope this helps.

Thanks,

Dan
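The reply above describes a two-part workflow: an HTTP library that keeps track of session cookies so you can log in and navigate to the page under test, a mutation step that adds the injection payload, and a scan of the response HTML to see whether the input came back unencoded, all run first against the baseline code (negative tests fail) and again after remediation (all tests pass). The following is an added example in Ruby, not code from the thread or from WATIR, that implements that harness shape. The application under test is a constructed in-process stub (`build_app`) rather than a real server, so the example runs offline; the `/login` and `/search` paths, the `sid` cookie and the `q` parameter are all assumptions made for the demonstration. In a real engagement the `Session#request` method would be backed by Net::HTTP against the actual host.

```ruby
# Added example (not from the original thread): a minimal session-aware
# negative-test harness in the spirit of the Perl HTTP-library approach
# described above. The app under test is a constructed in-process stub with
# a baseline variant (reflects input raw) and a remediated variant (escapes).
require 'cgi'

# Cookie jar: remembers Set-Cookie values across requests so the harness can
# establish a session first and then navigate to the page under test.
class CookieJar
  def initialize
    @cookies = {}
  end

  # Parse each Set-Cookie header ("name=value; Path=/; HttpOnly"), keep name=value.
  def store(set_cookie_headers)
    Array(set_cookie_headers).each do |hdr|
      pair = hdr.split(';', 2).first.strip
      name, value = pair.split('=', 2)
      @cookies[name] = value if name && value
    end
  end

  # Value for an outgoing Cookie: header.
  def header
    @cookies.map { |k, v| "#{k}=#{v}" }.join('; ')
  end
end

# Constructed stand-in for the application: a lambda that takes a request
# hash and returns a response hash. `escape` selects baseline vs remediated.
def build_app(escape:)
  lambda do |req|
    case req[:path]
    when '/login'
      { status: 302, headers: { 'Set-Cookie' => ['sid=abc123; Path=/; HttpOnly'] }, body: '' }
    when '/search'
      # Only an established session may reach the search page (assumed sid value).
      return { status: 403, headers: {}, body: 'forbidden' } unless req[:cookie].to_s.include?('sid=abc123')
      q = req[:params]['q'].to_s
      shown = escape ? CGI.escapeHTML(q) : q
      { status: 200, headers: {}, body: "<html><body>Results for: #{shown}</body></html>" }
    else
      { status: 404, headers: {}, body: '' }
    end
  end
end

# Session wrapper: sends requests through the app and threads the cookie jar,
# the part a real harness would back with Net::HTTP.
class Session
  def initialize(app)
    @app = app
    @jar = CookieJar.new
  end

  def request(path, params = {})
    resp = @app.call(path: path, params: params, cookie: @jar.header)
    @jar.store(resp[:headers]['Set-Cookie'])
    resp
  end
end

# Negative test: log in, then submit an input that client-side JavaScript
# validation would normally block, and check whether the server reflected it
# unencoded. Returns true only when the application handled it safely.
def negative_test_passes?(app, payload = '<script>alert(1)</script>')
  s = Session.new(app)
  s.request('/login')
  resp = s.request('/search', 'q' => payload)
  resp[:status] == 200 && !resp[:body].include?(payload)
end

# Positive test: the normal path still works after remediation.
def positive_test_passes?(app)
  s = Session.new(app)
  s.request('/login')
  resp = s.request('/search', 'q' => 'widgets')
  resp[:status] == 200 && resp[:body].include?('Results for: widgets')
end

if __FILE__ == $PROGRAM_NAME
  baseline = build_app(escape: false)
  fixed = build_app(escape: true)
  puts "baseline: positive=#{positive_test_passes?(baseline)} negative=#{negative_test_passes?(baseline)}"
  puts "fixed:    positive=#{positive_test_passes?(fixed)} negative=#{negative_test_passes?(fixed)}"
end
```

Run against the baseline stub the positive test passes and the negative test fails; against the remediated stub both pass, which is the before/after comparison the reply uses to judge a remediation. The check is deliberately a plain substring search on the response body, which is enough to flag raw reflection but will not catch attribute- or URL-context encoding mistakes; a fuller harness would parse the HTML and check the context the value landed in.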


-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen@gmail.com]
Sent: Tue 9/13/2005 2:11 AM
To: webappsec@lists.securityfocus.com
Subject: web application testing framework
 
Hi All, 

   Does anyone know of, or is anyone aware of, any web application testing
frameworks? I would prefer something along the lines of Selenium
(http://selenium.thoughtworks.com/index.html) and open source.
Preferably usable from both Linux and Windows; one of the OSes mentioned
would do as well, but both would be even better.

   Thanks,
      Serg

