I use a little home-built thing to do these kinds of regression tests on our own web services. It walks through a YAML file with tests: https://github.com/lifeforms/httpcheck
I started to write tests for CRSv3, but I didn’t get very far, because I got stuck on the PHP rules issue. Here is the start of my httpcheck manifest with some SQLi tests: http://lf.ms/crsv3.yaml

I just do 'httpcheck -i crsv3.yaml -u http://localhost/' to run them on a server.

It’s in Go though, because I wanted to test lots of servers concurrently and I wanted it to be fast, so it was a good excuse to try Go. Maybe it’s even a good excuse to learn about its C bindings with libmodsecurity in the future :)

Ultimately it could be any tool, I’m not really familiar with the Python world, but I’m in favor of anything that makes it very easy to write a test. Something like just adding a simple line to a file, but with options for doing advanced stuff like POST data, cookies and custom headers. I personally hate writing correct JSON (that trailing comma…) or XML. But I find YAML pretty nice for this case.

Cheers!
WH

> On 22 Feb 2016, at 21:47, Chaim Sanders <csand...@trustwave.com> wrote:
>
> You’ll note that I have a ticket for updating the regression tests. I
> think that this is something that we should look into more. Potentially, a
> framework that leverages Python’s Requests Library? My strong preference
> is towards python in these types of things, I might be convinced into
> using bash curl. Perl need not apply :-P thoughts?
>
> On 2/22/16, 3:03 PM, "Christian Folini" <christian.fol...@netnea.com>
> wrote:
>
>> On Mon, Feb 22, 2016 at 07:57:50PM +0000, Chaim Sanders wrote:
>>> Actually I'm really shocked about this. But this is why we have a
>>> community :).
>>
>> We desperately need QA for the core rules.
>>
>> Alternatively, we could also get hold of Walter and dump his
>> brain into an analysis engine. His familiarity with all the
>> individual rules is most exceptional.
>>
>> Christian
>>
>>
>> --
>> Believe those who seek the truth, doubt those who find it.
>> -- André Gide

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set