Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
LASCON 2010, Austin, TX
http://www.owasp.org
Automating Web Testing Beyond OWASP WebScarab Using Python
Brad Causey, OWASP Guy, IISFA Guy, [email protected]
About Brad
Survivalist
MMA
Local Cop
Gun Enthusiast
Married with 5 Kids
About Brad
Instructor for 8 years
Various Publications
Books
BBVA Compass Security Analyst
Training videos
OWASP GPC
OWASP Alabama Chapter Lead
IISFA Alabama Chapter Lead
Why are we here?
We need to automate tests
Some of these are difficult
Adapt to the app
WebScarab and Python are pretty popular
Why WebScarab?
Open Source
Scriptable
Uses text to store data
Cross-Platform
Browser Agnostic
WS Configuration and Special Notes
Saved Session Structure
Scripting: http://www.owasp.org/index.php/Scripting_in_WebScarab
import org.owasp.webscarab.model.HttpUrl;
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
WS Advanced Features
Search
Extensions
Session ID Analysis
XSS
Tagging
WS Weaknesses
AJAX
Performance
Output Format
Reporting
Why Python?
Open Source Interpreter
Plain Text
Great Support
Cross-Platform
Text Processing
A Python Primer
very clear, readable syntax
strong introspection capabilities
intuitive object orientation
natural expression of procedural code
exception-based error handling
very high level dynamic data types
extensive standard libraries
embeddable within applications as a scripting interface
Useful Python Libraries
string (built-in library): .find, .index, .count
Useful Python Libraries
urllib2 (built-in library): .urlopen
Encoding data (for the request)
Gluing the two together
WebScarab Files
Python File Reader
WebScarab Storage in-depth
Possibilities are endless!
Http Methods testing
Post/Get fuzzing
Cookies? Yes! import cookielib, urllib2
http://docs.python.org/library/cookielib.html
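The three slides above (urllib2 and encoding request data, a Python reader for WebScarab files, and HTTP-method testing, GET/POST fuzzing and cookie handling) fit in one script. The following is an added example, not code from the talk or from WebScarab: it assumes the saved request is the raw HTTP text WebScarab keeps per conversation (the constructed SAVED_REQUEST below stands in for such a file), and it replays against a throw-away local http.server so it runs offline. It is written for Python 3, where the slides' urllib2 and cookielib live in urllib.request and http.cookiejar.

```python
"""Replay a saved WebScarab-style request with the standard library.

Added example, not from the slides or from WebScarab. Assumes the saved
request is raw HTTP text as WebScarab stores it per conversation, and uses a
local throw-away http.server as the target so it runs offline.
"""
import http.cookiejar
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample in the shape of a saved request file (not a real capture).
SAVED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: lang=en\r\n"
    "\r\n"
    "user=alice&pass=s3cret"
)


def parse_saved_request(text):
    """Split raw HTTP request text into (method, path, headers, body)."""
    head, _, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, path, headers, body


def with_param(body, name, value):
    """Re-encode a form body with one parameter changed; urlencode escapes it.
    This is the mechanical core of GET/POST fuzzing."""
    fields = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    fields[name] = value
    return urllib.parse.urlencode(fields)


def replay(opener, base_url, method, path, headers, body):
    """Send one request through the opener; return (status, response bytes)."""
    data = body.encode() if body else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    for name, value in headers.items():
        # urllib sets Host and Content-Length itself; dropping the captured
        # Cookie header lets the cookie jar supply the live session cookie.
        if name.lower() not in ("host", "content-length", "cookie"):
            req.add_header(name, value)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def survey_methods(opener, base_url, path, headers, body, methods):
    """HTTP-method testing: same path with each verb, recording the status."""
    return {m: replay(opener, base_url, m, path, headers,
                      body if m == "POST" else "")[0] for m in methods}


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the application under test."""

    def log_message(self, *args):  # keep demo output quiet
        pass

    def _reply(self, code, body, extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(200, b"login form")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if fields.get("user") == ["alice"] and fields.get("pass") == ["s3cret"]:
            self._reply(200, b"welcome", [("Set-Cookie", "session=demo-token")])
        else:
            self._reply(401, b"bad credentials")
    # Any other verb gets BaseHTTPRequestHandler's default 501 reply.


def main():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    method, path, headers, body = parse_saved_request(SAVED_REQUEST)
    status, _ = replay(opener, base, method, path, headers, body)
    print("replay %s %s -> %d; jar holds %s" % (method, path, status, [c.name for c in jar]))
    status, _ = replay(opener, base, method, path, headers, with_param(body, "pass", "wrong"))
    print("mutated pass -> %d" % status)
    print("methods:", survey_methods(opener, base, path, headers, body,
                                     ["GET", "POST", "PUT", "DELETE", "OPTIONS"]))
    server.shutdown()


if __name__ == "__main__":
    main()
```

Point the parser at the files under a real saved session instead of SAVED_REQUEST and swap the base URL for the application under test; the cookie jar carries whatever Set-Cookie the login reply hands back into every later replay, which is what makes multi-step tests work without re-capturing.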
Demo!
The Norris convention center?