WebApp Sec mailing list archives
RE: web application testing framework
From: "Dan Cornell" <dan () denimgroup com>
Date: Tue, 13 Sep 2005 06:48:36 -0500
We use WATIR (Web Application Tests In Ruby) <http://wtr.rubyforge.org/> rather than Selenium and have had really good luck. This is helpful both for general automated integration testing as well as positive testing for security. It actually drives an Internet Explorer browser so all of the JavaScript and whatnot execute as they would for a normal user. We have seen some reliability problems when we run it in "fast" mode or if we don't have it drive a visual browser on the screen. In normal mode, however, it has been pretty stable. We have only used it on Windows so I am not sure if it will drive Mozilla on Linux.

For negative testing we tend to use one of the Perl HTTP libraries. This lets us send "malicious" inputs where we need to bypass JavaScript validation on the client side. I'm not sure which we have been using most recently but I can check later today. There are a couple available that allow you to run an HTTP session that will keep track of session cookies, etc. This lets you set up your application session and navigate to wherever you are testing. You can then modify the request before it goes out and add the injection payload, modified cookies, etc., and search through the response HTML to see if the "attack" worked.

We use these in combination often when we are doing security remediation to set up a baseline of existing behavior (both good and bad) so we have something to compare the remediated codebase to. When we start, the positive tests pass and the negative tests fail. When we are finished, all tests should pass.

Hope this helps.

Thanks,

Dan

-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen () gmail com]
Sent: Tue 9/13/2005 2:11 AM
To: webappsec () lists securityfocus com
Subject: web application testing framework

Hi All,

Does anyone know or is anyone aware of any web application testing frameworks? I would prefer something along the lines of Selenium (http://selenium.thoughtworks.com/index.html) and open source.

Preferably usable from both Linux and Windows, one of the OS mentioned would do as well, but both would be even better.

Thanks,

Serg
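
The remediation baseline described in the message above (positive tests pass and negative tests fail at the start, all tests pass at the end), as an added Ruby example that is not part of the original post or of anyone's actual test suite. The in-process app, its `/login` and `/greet` paths, and the marker string are constructed for illustration.

```ruby
require 'cgi'
# Constructed stand-in for the application under test (hypothetical paths).
# escape_output: false models the code base before remediation.
def build_app(escape_output:)
  sessions = {}
  lambda do |path, params, cookies|
    if path == '/login'
      sid = "s#{sessions.size + 1}"
      sessions[sid] = params['user']
      next [200, { 'Set-Cookie' => "sid=#{sid}" }, 'ok']
    end
    next [403, {}, 'login required'] unless sessions.key?(cookies['sid'])
    name = params['name'].to_s
    name = CGI.escapeHTML(name) if escape_output
    [200, {}, "<p>Hello #{name}</p>"]
  end
end

# Scripted client: keeps the session cookie and sends parameters directly,
# so nothing a browser-side script would have checked is in the path.
class SessionClient
  def initialize(app)
    @app = app
    @cookies = {}
  end
  def request(path, params = {})
    status, headers, body = @app.call(path, params, @cookies)
    key, value = headers['Set-Cookie'].to_s.split('=', 2)
    @cookies[key] = value if value
    [status, body]
  end
end

MARKER = '<i>neg-test-1</i>' # constructed, harmless marker with markup characters

# Each value is true when that test passes.
def run_baseline(app)
  client = SessionClient.new(app)
  client.request('/login', 'user' => 'tester')
  _, normal = client.request('/greet', 'name' => 'Alice')
  _, marked = client.request('/greet', 'name' => MARKER)
  anon_status, = SessionClient.new(app).request('/greet', 'name' => 'Alice')
  { positive_greeting: normal.include?('Hello Alice'),
    negative_marker_encoded: !marked.include?(MARKER),
    negative_no_session_rejected: anon_status == 403 }
end

puts "before: #{run_baseline(build_app(escape_output: false))}"
puts "after:  #{run_baseline(build_app(escape_output: true))}"
```

Keeping the same test set for both runs is what makes the comparison meaningful: a remediation that breaks `positive_greeting` shows up as clearly as one that leaves `negative_marker_encoded` failing.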