Dear List,

This is my first post here, so here goes.

I am in the process of authoring a new Test module called
Test::Security::WWW, as we have a commercial Web Application to test, so I
thought this could be a good choice for CPAN (if my code is up to
scratch).

The goal of this new test module is to hopefully help in testing the "Top
Ten", as listed on http://www.owasp.org/documentation/topten.html

   1. Unvalidated Input
   2. Broken Access Control
   3. Broken Authentication and Session Management
   4. Cross Site Scripting (XSS) Flaws
   5. Buffer Overflows
   6. Injection Flaws
   7. Improper Error Handling
   8. Insecure Storage
   9. Denial of Service
  10. Insecure Configuration Management

I briefly discussed this idea at: http://perlmonks.org/?node_id=492932

I also wanted to pull in other vulnerability testing using the NMAP and
NESSUS modules.

Hopefully this new namespace will inspire other Test::Security modules as
well.

I have discussed the namespace with various people, namely Corion
(http://perlmonks.org/?node_id=5348), but have not discussed it on the
modules-authors yet.

Before I post to modules-authors, I want to finish writing:

1. The scripts that would actually use this module, so I can get a feel
for the right interface. I think the actual module will probably be much
like Test::WWW::Mechanize, also using Test::Builder.
2. The Documentation, for the non-existing code ;-)
3. The test programs, using Test::Builder::Tester

So basically, my first few questions are:

Q1. Is this the right way to go, creating another Test module?
Q2. Should I work with Andy Lester and extend Test::WWW::Mechanize, as I
will be using some of his modules anyway?
Q3. Should I just create a non-testing module, that allows you to throw
things at a web application?

My initial answers to these questions would be:

A1. Yes, as then people can create tests for their web applications, but
it is also not obvious to the casual CPAN browser that this could be
abused as a cracker's tool. I would ask your advice on this side too.
A2. This will test WWW sites, but I didn't want to limit it to just
testing WWW, as you can see in the top ten, so I thought that new
namespace was best.
A3. I think A1 addresses this.

In summary, I would like your thoughts on my proposal and whether I am
going down the right track.

Thanks,

Gavin.

-- 
Walking the road to enlightenment... I found a penguin and a camel on the
way..... Fancy a [EMAIL PROTECTED] Just ask!!!
http://perlmonks.org/?node_id=386673
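To make the planned Test::Builder style concrete, here is an added sketch (my example, not Gavin's code and not any released Test::Security::WWW) of one assertion written the way Test::WWW::Mechanize assertions are, plus a Test::Builder::Tester check of its failure path; the function name input_escaped_ok, the marker format and the localhost URL are assumptions.

```perl
package Test::Security::WWW;   # namespace proposed in the post; body is illustrative
use strict;
use warnings;
use Exporter 'import';
use Test::Builder;
use WWW::Mechanize;
use URI::Escape qw(uri_escape);
our @EXPORT_OK = qw(input_escaped_ok);
my $Test = Test::Builder->new;   # same reporting backend Test::WWW::Mechanize uses

# input_escaped_ok($url, $param [, $name]) -- hypothetical assertion.
# Sends a harmless marker containing "<" and ">" in $param and passes only if
# the raw marker does not come back in the body. An escaped copy (TSW&lt;...&gt;)
# or no copy at all passes; a raw echo means the page reflects input without
# output encoding (OWASP items 1 and 4 in the list above).
sub input_escaped_ok {
    my ($url, $param, $name) = @_;
    $name ||= "$param on $url is not reflected unescaped";
    # Report failures at the caller's line, as Test::Builder-based modules do.
    local $Test::Builder::Level = $Test::Builder::Level + 1;

    my $marker = 'TSW<' . time . '>';                        # constructed value
    my $sep    = index($url, '?') >= 0 ? '&' : '?';
    my $full   = $url . $sep . $param . '=' . uri_escape($marker);

    my $mech = WWW::Mechanize->new(autocheck => 0);          # do not die on HTTP errors
    $mech->get($full);
    unless ($mech->success) {
        $Test->ok(0, $name);
        $Test->diag("GET $full failed with status " . $mech->status);
        return 0;
    }

    my $raw = index($mech->content, $marker) >= 0;
    my $ok  = $Test->ok(!$raw, $name);
    $Test->diag("marker $marker was echoed unescaped") if $raw;
    return $ok;
}

1;
__END__
# A t/*.t check of the failure path with Test::Builder::Tester, run against the
# developer's own test server (assumed at http://localhost:8080/search):
#   use Test::Builder::Tester tests => 1;
#   use Test::Security::WWW qw(input_escaped_ok);
#   test_out('not ok 1 - q on http://localhost:8080/search is not reflected unescaped');
#   test_fail(+1);
#   input_escaped_ok('http://localhost:8080/search', 'q');
#   test_test(skip_err => 1, name => 'unescaped reflection is reported as a failure');
```

The skip_err option is used because the marker carries a timestamp, so the exact diag line cannot be predicted with test_diag.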