I believe in the near future I’m going to get a little more control over the priority of my schedule. After we complete v3.0.0-rc1 I would really like to turn my attention to providing an external QA environment for CRS.
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Walter Hop
Sent: Friday, February 26, 2016 4:48 PM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Paranoia Mode: Forgotten controversial ...

I use a little home-built thing to do these kinds of regression tests on our own web services. It walks through a YAML file with tests: https://github.com/lifeforms/httpcheck

I started to write tests for CRSv3, but I didn’t get very far, because I got stuck on the PHP rules issue. Here is the start of my httpcheck manifest with some SQLi tests: http://lf.ms/crsv3.yaml

I just do 'httpcheck -i crsv3.yaml -u http://localhost/' to run them on a server.

It’s in Go though, because I wanted to test lots of servers concurrently and I wanted it to be fast, so it was a good excuse to try Go. Maybe it’s even a good excuse to learn about its C bindings with libmodsecurity in the future :)

Ultimately it could be any tool, I’m not really familiar with the Python world, but I’m in favor of anything that makes it very easy to write a test. Something like just adding a simple line to a file, but with options for doing advanced stuff like POST data, cookies and custom headers. I personally hate writing correct JSON (that trailing comma…) or XML. But I find YAML pretty nice for this case.

Cheers!
WH

On 22 Feb 2016, at 21:47, Chaim Sanders <csand...@trustwave.com> wrote:

You’ll note that I have a ticket for updating the regression tests. I think that this is something that we should look into more. Potentially, a framework that leverages Python’s Requests Library?
My strong preference is towards python in these types of things, I might be convinced into using bash curl. Perl need not apply :-P

thoughts?

On 2/22/16, 3:03 PM, "Christian Folini" <christian.fol...@netnea.com> wrote:

On Mon, Feb 22, 2016 at 07:57:50PM +0000, Chaim Sanders wrote:
Actually I'm really shocked about this. But this is why we have a community :).

We desperately need QA for the core rules. Alternatively, we could also get hold of Walter and dump his brain into an analysis engine. His familiarity with all the individual rules is most exceptional.

Christian

--
Believe those who seek the truth, doubt those who find it.
-- André Gide
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
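The kind of manifest-driven regression runner the thread discusses (Walter's YAML-file-per-test approach and Chaim's suggested Python framework), as an added example that is not code from the thread, from httpcheck or from CRS. It uses only the standard library so it runs without Requests or PyYAML; the manifest is shown as it would look once parsed from YAML (assumed schema), and a constructed stub server with a hypothetical block rule stands in for a CRS-protected target.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, parse, request

class _StubWaf(BaseHTTPRequestHandler):
    # Constructed stand-in for a CRS-protected server (hypothetical rule, not
    # real CRS logic): 403 if the decoded query or body holds a SQL tautology.
    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        seen = parse.unquote_plus(self.path + body.decode()).lower()
        self.send_response(403 if "' or '1'='1" in seen else 200)
        self.end_headers()
    do_GET = do_POST = _handle
    log_message = lambda self, *args: None  # keep the stub quiet

def start_stub():
    """Start the stub on an ephemeral port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubWaf)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

# Constructed manifest as it would look once parsed from YAML
# (assumed schema: name, method, path, data, headers, cookies, expect).
MANIFEST = [
    {"name": "benign search", "path": "/search?q=shoes", "expect": 200},
    {"name": "sqli in query", "path": "/search?q=' OR '1'='1", "expect": 403},
    {"name": "sqli in form body", "method": "POST", "path": "/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "cookies": {"session": "abc123"},
     "data": "user=admin' OR '1'='1&pw=x", "expect": 403},
]

def run_manifest(base_url, manifest):
    """Send every test to base_url; return [(name, status, passed), ...]."""
    results = []
    for t in manifest:
        headers = dict(t.get("headers", {}))
        if t.get("cookies"):  # cookies travel as a single Cookie header
            headers["Cookie"] = "; ".join("%s=%s" % c for c in t["cookies"].items())
        url = base_url.rstrip("/") + parse.quote(t["path"], safe="/?=&")
        req = request.Request(url, data=t.get("data", "").encode() or None,
                              headers=headers, method=t.get("method", "GET"))
        try:
            status = request.urlopen(req, timeout=5).status
        except error.HTTPError as e:  # urllib raises on 4xx/5xx; keep the code
            status = e.code
        results.append((t["name"], status, status == t["expect"]))
    return results
```

Point `run_manifest` at a real ModSecurity/CRS host instead of `start_stub()` and a failing entry means a rule changed behaviour between commits, which is exactly the regression signal the thread is after.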