WebApp Sec mailing list archives

RE: web application testing framework


From: "Dan Cornell" <dan () denimgroup com>
Date: Tue, 13 Sep 2005 06:48:36 -0500


We use WATIR (Web Application Tests In Ruby) <http://wtr.rubyforge.org/> rather than Selenium and have had really good 
luck.  This is helpful both for general automated integration testing as well as positive testing for security.  It 
actually drives an Internet Explorer browser so all of the JavaScript and whatnot execute as they would for a normal 
user.  We have seen some reliability problems when we run it in "fast" mode or if we don't have it drive a visual 
browser on the screen.  In normal mode, however, it has been pretty stable.  We have only used it on Windows so I am 
not sure if it will drive Mozilla on Linux.

For negative testing we tend to use one of the Perl HTTP libraries.  This lets us send "malicious" inputs where we need 
to bypass JavaScript validation on the client side.  I'm not sure which we have been using most recently but I can 
check later today.  There are a couple available that allow you to run an HTTP session that will keep track of session 
cookies, etc.  This lets you set up your application session and navigate to wherever you are testing.  You can then 
modify the request before it goes out and add the injection payload, modified cookies, etc., and search through the 
response HTML to see if the "attack" worked.

We use these in combination often when we are doing security remediation to set up a baseline of existing behavior 
(both good and bad) so we have something to compare the remediated codebase to.  When we start the positive tests pass 
and the negative tests fail.  When we are finished all tests should pass.

Hope this helps.

Thanks,

Dan
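
The negative-test loop described above (keep the session cookie, replay a request with a probe payload, search the response), as an added Ruby example that is not code from the post: the application, its routes, the cookie name and the marker string are constructed stand-ins, and the HTTP transport is an in-process lambda so the whole thing runs offline.

```ruby
require "cgi"

# Cookie jar plus request helper (constructed): keeps the Set-Cookie values an
# application returns and replays them, like the session-tracking Perl libraries.
class Session
  attr_reader :cookies
  def initialize(app)
    @app = app        # in-process stand-in for the HTTP transport
    @cookies = {}
  end

  def request(path, params = {})
    headers = { "Cookie" => @cookies.map { |k, v| "#{k}=#{v}" }.join("; ") }
    status, resp_headers, body = @app.call(path, params, headers)
    Array(resp_headers["Set-Cookie"]).each do |c|
      name, value = c.split(";").first.split("=", 2)
      @cookies[name] = value
    end
    [status, body]
  end
end

# Constructed application under test (hypothetical routes and cookie name).
# escape_output: false models the code before remediation, true the fix.
def make_app(escape_output:)
  lambda do |path, params, headers|
    case path
    when "/login"
      [200, { "Set-Cookie" => "sid=abc123; Path=/" }, "ok"]
    when "/search"
      return [403, {}, "no session"] unless headers["Cookie"].include?("sid=abc123")
      q = params["q"].to_s
      q = CGI.escapeHTML(q) if escape_output
      [200, {}, "<html><body>Results for: #{q}</body></html>"]
    else
      [404, {}, "not found"]
    end
  end
end

# Marker that only survives in the response if output is not HTML-escaped.
MARKER = "<i>negtest-marker</i>"
# Negative test: log in for the session cookie, then send the marker past any
# client-side validation. True when the app encoded it, false when reflected raw.
def safe_against_reflection?(app)
  session = Session.new(app)
  session.request("/login")
  status, body = session.request("/search", "q" => MARKER)
  status == 200 && !body.include?(MARKER)
end
```

Run against the pre-remediation app the check returns false (the negative test fails, as the post says it should at the start); against the fixed app it returns true.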


-----Original Message-----
From: Serg Belokamen [mailto:serg.belokamen () gmail com]
Sent: Tue 9/13/2005 2:11 AM
To: webappsec () lists securityfocus com
Subject: web application testing framework
 
Hi All, 

   Does anyone know of, or is aware of, any web application testing
frameworks? I would prefer something along the lines of Selenium
(http://selenium.thoughtworks.com/index.html) and open source.
Preferably usable from both Linux and Windows; one of the OSes mentioned
would do as well, but both would be even better.

   Thanks,
      Serg

