Automating Web Testing Beyond OWASP WebScarab Using Python
LASCON 2010, Austin, TX
Brad Causey, OWASP Guy, IISFA Guy, [email protected]
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

About Brad
- Survivalist
- MMA
- Local Cop
- Gun Enthusiast
- Married with 5 Kids

About Brad
- Instructor for 8 years
- Various Publications: Books, Training videos
- BBVA Compass Security Analyst
- OWASP GPC
- OWASP Alabama Chapter Lead
- IISFA Alabama Chapter Lead

Why are we here?
- Have the need to automate tests
- Some of these are difficult
- Adapt to the app
- WebScarab and Python are pretty popular

Why WebScarab?
- Open Source
- Scriptable
- Uses text to store data
- Cross-Platform
- Browser Agnostic

WS Configuration and Special Notes
- Saved Session Structure
- Scripting: http://www.owasp.org/index.php/Scripting_in_WebScarab
  import org.owasp.webscarab.model.HttpUrl;
  import org.owasp.webscarab.model.Request;
  import org.owasp.webscarab.model.Response;

WS Advanced Features
- Search
- Extensions
- Session ID Analysis
- XSS Tagging

WS Weaknesses
- AJAX
- Performance
- Output Format
- Reporting

Why Python?
- Open Source
- Interpreter
- Plain Text
- Great Support
- Cross-Platform
- Text Processing

A Python Primer
- very clear, readable syntax
- strong introspection capabilities
- intuitive object orientation
- natural expression of procedural code
- exception-based error handling
- very high level dynamic data types
- extensive standard libraries
- embeddable within applications as a scripting interface

Useful Python Libraries: string
- Built-in Library
- .find
- .index
- .count

Useful Python Libraries: urllib2
- Built-in Library
- .urlopen
- Encoding Data (for request)

Gluing the two together
- WebScarab Files
- Python File Reader
- WebScarab Storage in-depth

Possibilities are endless!
- HTTP Methods testing
- Post/Get fuzzing
- Cookies? Yes! import cookielib, urllib2
  http://docs.python.org/library/cookielib.html

Demo!
http://cdn1.gamepro.com/article_img/gamepro/214635-1.jpg?rand=2487A2F8-E22A-95A82C5A303E3847C9A2

The Norris convention center?
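The "Gluing the two together" and "Possibilities are endless!" slides only name the pieces: text files saved by the proxy, a Python reader, urllib2 for sending requests and cookielib for cookies. The following is an added example, not code from the slides, from WebScarab or from Brad Causey, showing how those pieces fit in Python 3, where urllib2 and cookielib became urllib.request and http.cookiejar. The saved request text is constructed for the example and does not reproduce WebScarab's on-disk format; the function names (parse_raw_request, cookie_jar_from_header, build_replay) and the host app.example.test are assumptions. It parses a saved request, seeds a cookie jar from its Cookie header, substitutes one parameter value (the GET/POST testing step the slide refers to), and builds the request without sending it, so it runs offline.

```python
# Added example (not from the LASCON 2010 slides, not WebScarab's code or
# file format). Python 3 equivalents of the slides' urllib2 and cookielib.
from http.cookiejar import Cookie, CookieJar
from urllib.parse import parse_qsl, urlencode, urlsplit
from urllib.request import HTTPCookieProcessor, Request, build_opener

# Constructed sample of a saved plain-text request, as a proxy might store it.
# Illustrative layout only; not WebScarab's actual storage format.
SAVED_REQUEST = (
    "POST /account/update HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: JSESSIONID=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=alice&email=alice%40example.test"
)


def parse_raw_request(raw):
    """Split saved request text into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, headers, body


def cookie_jar_from_header(cookie_header, domain):
    """Seed a CookieJar from a recorded Cookie header so replays stay in session."""
    jar = CookieJar()
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if not name:
            continue
        # Positional Cookie constructor: version 0, host-only cookie, path "/".
        jar.set_cookie(Cookie(0, name, value, None, False, domain, True, False,
                              "/", True, False, None, False, None, None, {}))
    return jar


def build_replay(raw, overrides=None, scheme="http"):
    """Turn saved request text into a Request plus a cookie-aware opener.

    `overrides` maps parameter names to replacement values, i.e. the
    single-parameter substitution step of a GET/POST test. The request is
    built but not sent; the caller decides when (and whether) to open it.
    """
    method, target, headers, body = parse_raw_request(raw)
    parts = urlsplit(target)
    source = body if method == "POST" else parts.query
    params = dict(parse_qsl(source, keep_blank_values=True))
    params.update(overrides or {})
    encoded = urlencode(params)

    url = f"{scheme}://{headers['Host']}{parts.path}"
    data = None
    if method == "POST":
        data = encoded.encode()
    elif encoded:
        url = f"{url}?{encoded}"

    # Host comes from the URL, cookies from the jar, and a recorded
    # Content-Length would not match the re-encoded body, so drop all three.
    req_headers = {k: v for k, v in headers.items()
                   if k.lower() not in ("host", "cookie", "content-length")}
    req = Request(url, data=data, headers=req_headers, method=method)
    jar = cookie_jar_from_header(headers.get("Cookie", ""), headers["Host"])
    opener = build_opener(HTTPCookieProcessor(jar))
    return req, opener, jar


if __name__ == "__main__":
    req, opener, jar = build_replay(SAVED_REQUEST,
                                    overrides={"email": "bob@example.test"})
    jar.add_cookie_header(req)  # what the opener does just before sending
    print(req.get_method(), req.full_url)
    print(req.data, req.get_header("Cookie"))
    # opener.open(req) would send it; omitted so the example runs offline.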