Walter,

This is nice. I have tested many http checkers through the years, but
somehow they all sucked. Your choice of YAML looks valid to me, I might
give it a go next week or so.

A few feature-related questions:
- It says it has the ability to consume cookies. Can you delete them as well?
- Can you load data from an external file (passwords spring to mind)?
- Can I extract a token from a page and use it on a subsequent request?
- What is the behaviour with multiple http request headers of the same name?
- Can you control the order of http headers?
- It follows redirects. But I can't check for the redirect status code?
- I can't test for the content of a http response header, can I?
- Can I test for status code _and_ content?

Sorry if this is just nitpicking. I know these are advanced features, but
they are the reason I come back to ugly shell/curl hacks after a week with
any http checker.

Ahoj,

Christian

On Fri, Feb 26, 2016 at 10:47:40PM +0100, Walter Hop wrote:
> I use a little home-built thing to do these kinds of regression tests on our
> own web services. It walks through a YAML file with tests:
> https://github.com/lifeforms/httpcheck
>
> I started to write tests for CRSv3, but I didn’t get very far, because I got
> stuck on the PHP rules issue. Here is the start of my httpcheck manifest with
> some SQLi tests: http://lf.ms/crsv3.yaml
> I just do 'httpcheck -i crsv3.yaml -u http://localhost/' to run them on a
> server.
>
> It’s in Go though, because I wanted to test lots of servers concurrently and
> I wanted it to be fast, so it was a good excuse to try Go. Maybe it’s even a
> good excuse to learn about its C bindings with libmodsecurity in the future :)
>
> Ultimately it could be any tool, I’m not really familiar with the Python
> world, but I’m in favor of anything that makes it very easy to write a test.
> Something like just adding a simple line to a file, but with options for
> doing advanced stuff like POST data, cookies and custom headers. I personally
> hate writing correct JSON (that trailing comma…) or XML. But I find YAML
> pretty nice for this case.
>
> Cheers!
> WH
>
>
> > On 22 Feb 2016, at 21:47, Chaim Sanders <csand...@trustwave.com> wrote:
> >
> > You’ll note that I have a ticket for updating the regression tests. I
> > think that this is something that we should look into more. Potentially, a
> > framework that leverages Python’s Requests Library? My strong preference
> > is towards python in these types of things, I might be convinced into
> > using bash curl. Perl need not apply :-P thoughts?
> >
> > On 2/22/16, 3:03 PM, "Christian Folini" <christian.fol...@netnea.com>
> > wrote:
> >
> >> On Mon, Feb 22, 2016 at 07:57:50PM +0000, Chaim Sanders wrote:
> >>> Actually I'm really shocked about this. But this is why we have a
> >>> community :).
> >>
> >> We desperately need QA for the core rules.
> >>
> >> Alternatively, we could also get hold of Walter and dump his
> >> brain into an analysis engine. His familiarity with all the
> >> individual rules is most exceptional.
> >>
> >> Christian
> >>
> >>
> >> --
> >> Croyez ceux qui cherchent la vérité, doutez de ceux qui la trouvent.
> >> -- André Gide
> >
> >
> > ________________________________
> >
> > This transmission may contain information that is privileged, confidential,
> > and/or exempt from disclosure under applicable law. If you are not the
> > intended recipient, you are hereby notified that any disclosure, copying,
> > distribution, or use of the information contained herein (including any
> > reliance thereon) is strictly prohibited. If you received this transmission
> > in error, please immediately contact the sender and destroy the material in
> > its entirety, whether in electronic or hard copy format.
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
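
The features asked about in the message above (status code and content in one test, response header matching, checking a redirect status instead of following it, and reusing a token from an earlier response) are shown in the following added example. It is not httpcheck code and does not come from anyone in this thread. The check format, `DemoApp`, `run_checks`, `demo` and `CHECKS` are hypothetical names, and the target is a constructed local server using only the Python standard library.

```python
import http.client, re, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class DemoApp(BaseHTTPRequestHandler):  # constructed stand-in for the server under test
    def log_message(self, *args): pass  # keep test output quiet
    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for k, v in {**headers, "Content-Length": str(len(body))}.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        self._send(200, {"X-Frame-Options": "DENY"}, b'<input name="csrf" value="tok-4711">')
    def do_POST(self):
        data = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, hdrs = (302, {"Location": "/done"}) if b"csrf=tok-4711" in data else (403, {})
        self._send(status, hdrs)

def run_checks(host, port, checks):  # returns failure strings; empty list means all passed
    ctx, failures = {}, []
    for c in checks:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        # {name} placeholders in the body are filled from values extracted earlier
        conn.request(c.get("method", "GET"), c["path"], c.get("body", "").format(**ctx) or None)
        resp = conn.getresponse()  # http.client does not follow redirects
        text = resp.read().decode("utf-8", "replace")
        conn.close()
        if resp.status != c["status"]:
            failures.append(f"{c['path']}: status {resp.status}, want {c['status']}")
        for name, pattern in c.get("headers", {}).items():
            if not re.search(pattern, resp.getheader(name) or ""):
                failures.append(f"{c['path']}: header {name} does not match {pattern}")
        if "content" in c and not re.search(c["content"], text):
            failures.append(f"{c['path']}: body does not match {c['content']}")
        for var, pattern in c.get("extract", {}).items():
            ctx[var] = m.group(1) if (m := re.search(pattern, text)) else ""
    return failures

def demo(checks):
    srv = HTTPServer(("127.0.0.1", 0), DemoApp)  # port 0: pick any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return run_checks("127.0.0.1", srv.server_port, checks)
    finally:
        srv.shutdown(); srv.server_close()

CHECKS = [  # constructed manifest: status AND content AND header, then token reuse
    {"path": "/form", "status": 200, "content": "csrf",
     "headers": {"X-Frame-Options": "^DENY$"}, "extract": {"token": r'value="([^"]+)"'}},
    {"path": "/submit", "method": "POST", "body": "csrf={token}", "status": 302, "headers": {"Location": "^/done$"}},
]
```

Calling `demo(CHECKS)` returns an empty list when every check passes; each failed assertion is reported as its own string so one request can fail on status and header at once.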