Automating Web Testing Beyond OWASP WebScarab Using Python
LASCON 2010
Austin, Tx
Brad Causey
OWASP Guy
IISFA Guy
[email protected]
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
About Brad
Survivalist
MMA
Local Cop
Gun Enthusiast
Married with 5 Kids
About Brad
Instructor for 8 years
Various Publications
Books
BBVA Compass Security Analyst
Training videos
OWASP GPC
OWASP Alabama Chapter Lead
IISFA Alabama Chapter Lead
Why are we here?
Have the need to Automate tests
Some of these are difficult
Adapt to the app
WebScarab and Python are pretty popular
Why WebScarab?
Open Source
Scriptable
Uses text to store data
Cross-Platform
Browser Agnostic
WS Configuration and Special Notes
Saved Session Structure
Scripting
http://www.owasp.org/index.php/Scripting_in_WebScarab
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
WS Advanced Features
Search
Extensions
Session ID Analysis
XSS
Tagging
WS Weaknesses
AJAX
Performance
Output Format
Reporting
Why Python?
Open Source Interpreter
Plain Text
Great Support
Cross-Platform
Text Processing
A Python Primer
very clear, readable syntax
strong introspection capabilities
intuitive object orientation
natural expression of procedural code
exception-based error handling
very high level dynamic data types
extensive standard libraries
embeddable within applications as a scripting interface
Useful Python Libraries
string
Built-in Library
.find
.index
.count
Useful Python Libraries
urllib2
Built-in Library
.urlopen
Encoding
Data (for request)
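The two library slides above name str.find / str.index / str.count and urllib2's urlopen, encoding and request data. The following is an added example, not code from the deck, that puts those pieces to the use a web tester has for them: build an encoded GET or POST request, then scan the response body for a value we sent to see whether the application echoed it back unescaped. Python 3 module names are used (urllib2 became urllib.request, and the encoding the deck refers to is urllib.parse.urlencode); MARKER, SAMPLE_BODY and the function names are constructed for the example.

```python
# Added example (not from the LASCON deck). Python 3 names are used:
# urllib2.urlopen -> urllib.request.urlopen, urlencode -> urllib.parse.
import urllib.parse
import urllib.request

# Constructed marker containing characters a safe page must HTML-escape.
MARKER = "lascon<tag>2010"

# Constructed response body standing in for urlopen(req).read().decode():
# the marker appears once escaped in text and once raw inside a script.
SAMPLE_BODY = (
    "<p>Results for lascon&lt;tag&gt;2010</p>"
    "<script>var q='lascon<tag>2010';</script>"
)


def build_get(url, params):
    """Append urlencoded params as the query string (data in the URL)."""
    return urllib.request.Request(url + "?" + urllib.parse.urlencode(params))


def build_post(url, fields):
    """Encode form fields as the request body (data for the request).
    urlopen(req) would send it; urllib requires the body to be bytes."""
    data = urllib.parse.urlencode(fields).encode("utf-8")
    return urllib.request.Request(url, data=data, headers={
        "Content-Type": "application/x-www-form-urlencoded"})


def scan_reflection(body, marker=MARKER):
    """Locate the marker with str.find / str.index / str.count.
    Reports counts and offsets for the raw marker (a reflection the app
    failed to escape) and for its HTML-escaped form (the safe outcome)."""
    escaped = marker.replace("<", "&lt;").replace(">", "&gt;")
    result = {
        "raw_count": body.count(marker),
        "raw_offset": body.find(marker),        # -1 when absent, no exception
        "escaped_count": body.count(escaped),
    }
    try:
        result["escaped_offset"] = body.index(escaped)   # raises when absent
    except ValueError:
        result["escaped_offset"] = -1
    result["reflected_unescaped"] = result["raw_count"] > 0
    return result


if __name__ == "__main__":
    req = build_post("http://app.example.test/search", {"q": MARKER})
    print(req.get_method(), req.full_url, req.data)
    print(scan_reflection(SAMPLE_BODY))
```

The find/index pair is deliberate: find returns -1 for a miss, which is convenient in a loop over many saved responses, while index raises, which is what you want when a missing value means the script's assumptions about the page are wrong. The escaped-versus-raw split is what turns a reflection count into a finding you can act on: an escaped echo is the application doing its job, a raw echo inside a script block is what needs fixing.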
Gluing the two together
WebScarab Files
Python File Reader
WebScarab Storage in-depth
Possibilities are endless!
HTTP methods testing
POST/GET fuzzing
Cookies? Yes!
import cookielib, urllib2
http://docs.python.org/library/cookielib.html
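The "Gluing the two together" slide (reading WebScarab's saved files from Python) and this slide (HTTP methods, cookies via cookielib and urllib2) are served by one added example below; it is not code from the deck or from WebScarab. It assumes the saved-session layout the deck refers to is one raw request per conversations/<n>-request file holding the bytes as sent; the two request files here are constructed inline, and FakeServer is a stand-in for the target so the script runs offline (drop it from build_opener to send real traffic). Python 3 names are used: cookielib is http.cookiejar and urllib2 is urllib.request.

```python
# Added example (not from the LASCON deck or WebScarab). Replays saved
# WebScarab requests through urllib with a cookie jar and probes methods.
import email
import http.cookiejar
import io
import urllib.error
import urllib.request
import urllib.response

# Constructed stand-ins for conversations/1-request and 2-request.
LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n\r\nuser=brad&pass=xyz"
)
PROFILE_REQUEST = b"GET /profile HTTP/1.1\r\nHost: app.example.test\r\n\r\n"


def parse_request(raw):
    """Split raw request bytes into (method, url, headers, body). Host is
    folded into the URL; Content-Length is dropped so urllib recomputes it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = "http://" + headers.pop("Host") + path
    headers.pop("Content-Length", None)
    return method, url, headers, body


def to_request(raw):
    method, url, headers, body = parse_request(raw)
    return urllib.request.Request(url, data=body or None,
                                  headers=headers, method=method)


class FakeServer(urllib.request.BaseHandler):
    """Offline stand-in for the target: issues a session cookie on
    POST /login, demands it on /profile, answers 405 to other methods."""
    handler_order = 100                 # runs before HTTPHandler (500)

    def __init__(self):
        self.seen = []                  # requests exactly as urllib sent them

    def http_open(self, req):
        self.seen.append(req)
        method, path = req.get_method(), req.selector
        status, hdrs, body = 200, "", b"ok"
        if method not in ("GET", "POST"):
            status, body = 405, b"method not allowed"
        elif method == "POST" and path == "/login":
            hdrs = "Set-Cookie: JSESSIONID=constructed123; Path=/\r\n"
        elif path == "/profile" and "JSESSIONID" not in req.get_header("Cookie", ""):
            status, body = 401, b"login required"
        resp = urllib.response.addinfourl(io.BytesIO(body),
                                          email.message_from_string(hdrs),
                                          req.full_url, status)
        resp.msg = "OK" if status == 200 else "ERR"   # read by HTTPErrorProcessor
        return resp


def make_opener(server):
    """Opener with a fresh CookieJar, the urllib2 + cookielib pairing."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(
        server, urllib.request.HTTPCookieProcessor(jar)), jar


def send(opener, req):
    """Return (status, body); 4xx/5xx answers are results, not exceptions."""
    try:
        with opener.open(req) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def replay_session(raw_requests, server):
    """Replay saved conversations in order. Cookies set by one response
    ride along on the next request, so /profile succeeds after /login."""
    opener, jar = make_opener(server)
    results = [send(opener, to_request(raw)) for raw in raw_requests]
    return results, sorted(c.name for c in jar)


def probe_methods(url, server, methods=("GET", "POST", "PUT", "DELETE", "OPTIONS")):
    """Map each method to the status the app returns for it on url."""
    opener, _ = make_opener(server)
    return {m: send(opener, urllib.request.Request(url, method=m))[0]
            for m in methods}
```

Run replay_session([LOGIN_REQUEST, PROFILE_REQUEST], FakeServer()) and both conversations return 200 with JSESSIONID in the jar; replay only PROFILE_REQUEST and the server answers 401, which is the behaviour you want to confirm when checking that a page really requires a session. probe_methods is the same loop the slide calls HTTP methods testing: the interesting output is any verb beyond the ones the application is meant to serve that does not come back as 405.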
Demo!
http://cdn1.gamepro.com/article_img/gamepro/214635-1.jpg?rand=2487A2F8-E22A-95A82C5A303E3847C9A2
The Norris convention center?