[wtr-general] Re: Testing for Buffer Overflows

2009-04-14 Thread SushilKarwa

Thanks all for your inputs and guidance. I have got a lot of information
now to start with.
Chuck, special thanks for sharing information about those books and I
did realize that one of those books' authors has actually replied to my
post in this thread :)

Thanks,
S.K

On Apr 13, 11:38 pm, Chuck van der Linden  wrote:
> Ruby has however some handy HTTP capabilities, so you COULD do this
> testing inside your watir scripts by using direct ruby code that
> interacts with the server at the HTTP Protocol level.   This isn't
> quite as easy as doing things via the UI and Watir (you'll need to
> learn a bit about HTTP, perhaps use something like Fiddler to see what
> the 'normal' requests look like in order to craft up your malformed
> request.)  but you'd be able to pretty much use whatever framework you
> are currently using to report results etc.
>
> This also has the advantage that you'd be bypassing the front end
> completely and interacting with the server pretty much the same way as
> would a malevolent person who is spoofing stuff trying to crash it,
> since well that's exactly what YOU are trying to do..
>
> The books Everyday Scripting in Ruby, and also Ruby Cookbook both have
> some content that shows doing direct HTTP requests using Ruby.
>
> The book "Testing Code Security" is a useful reference for this and
> other classes of tests (such as cross-site, injection) that anyone
> doing web-testing will want to cover.
>
> you may encounter the authors of a few of those books in this forum
> from time to time  
>
> --Chuck
> you can invoke: user.lead_to(knowledge)
> but unfortunately : user.drink()
> is a private method
>
> On Apr 13, 10:33 am, Maura van der Linden wrote:
> > Watir is a browser (ie frontend) test tool - Web Application Testing in
> > Ruby. Although it can be useful to see what limits are put on your input
> > fields by the frontend, it's generally pretty pointless for testing of
> > security issues like buffer overruns. Most attackers attempting a buffer
> > overrun type of attack will spoof a post or get and bypass your actual
> > frontend code completely.
>
> > For testing a buffer overrun, it's better to test at the API or Web Service
> > level and bypass the frontend. Most issues occur when the developers expect
> > the web form or frontend to protect the server from the exercise of a buffer
> > overrun by limiting what can be submitted there but not validating it at the
> > API or web service level where it really matters. This shows itself in
> > situations where the user can only input x characters in the web form but
> > the API or web service doesn't check to see what it's being handed before
> > attempting to process it. The API or web service trusts that it's being given
> > correct and valid data.
>
> > All input is evil and all trust is misplaced.
>
> > - Maura
>
> > On 4/13/09 6:17 AM, "SushilKarwa"  wrote:
>
> > > Hi,
> > >    Am testing a web page for buffer overflow kind of vulnerabilities.
> > > Let's say I have an item x which can be created. I provide say 1024
> > > characters through a user input text field and then save it.
> > > Now I have to test that the page (actually the application server)
> > > does not crash with that long input.
> > > How can I test this using watir and rspec?
> > > Since I do not know how would a page be rendered or application server
> > > behave if it is not able to handle that long string?
> > > Any suggestion would be much appreciated.
>
> > > Thanks,
> > > S.K
>
> > Maura van der Linden
> > Mythos Manor, LLC http://www.mauravanderlinden.com
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Watir General" group.
To post to this group, send email to watir-general@googlegroups.com
Before posting, please read the following guidelines: 
http://wiki.openqa.org/display/WTR/Support
To unsubscribe from this group, send email to 
watir-general-unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/watir-general
-~--~~~~--~~--~--~---



[wtr-general] Re: Testing for Buffer Overflows

2009-04-13 Thread Chuck van der Linden

Ruby has however some handy HTTP capabilities, so you COULD do this
testing inside your watir scripts by using direct ruby code that
interacts with the server at the HTTP Protocol level.   This isn't
quite as easy as doing things via the UI and Watir (you'll need to
learn a bit about HTTP, perhaps use something like Fiddler to see what
the 'normal' requests look like in order to craft up your malformed
request.)  but you'd be able to pretty much use whatever framework you
are currently using to report results etc.

This also has the advantage that you'd be bypassing the front end
completely and interacting with the server pretty much the same way as
would a malevolent person who is spoofing stuff trying to crash it,
since well that's exactly what YOU are trying to do..

The books Everyday Scripting in Ruby, and also Ruby Cookbook both have
some content that shows doing direct HTTP requests using Ruby.

The book "Testing Code Security" is a useful reference for this and
other classes of tests (such as cross-site, injection) that anyone
doing web-testing will want to cover.

you may encounter the authors of a few of those books in this forum
from time to time  

--Chuck
you can invoke: user.lead_to(knowledge)
but unfortunately : user.drink()
is a private method

On Apr 13, 10:33 am, Maura van der Linden wrote:
> Watir is a browser (ie frontend) test tool - Web Application Testing in
> Ruby. Although it can be useful to see what limits are put on your input
> fields by the frontend, it's generally pretty pointless for testing of
> security issues like buffer overruns. Most attackers attempting a buffer
> overrun type of attack will spoof a post or get and bypass your actual
> frontend code completely.
>
> For testing a buffer overrun, it's better to test at the API or Web Service
> level and bypass the frontend. Most issues occur when the developers expect
> the web form or frontend to protect the server from the exercise of a buffer
> overrun by limiting what can be submitted there but not validating it at the
> API or web service level where it really matters. This shows itself in
> situations where the user can only input x characters in the web form but
> the API or web service doesn't check to see what it's being handed before
> attempting to process it. The API or web service trusts that it's being given
> correct and valid data.
>
> All input is evil and all trust is misplaced.
>
> - Maura
>
> On 4/13/09 6:17 AM, "SushilKarwa"  wrote:
>
>
>
> > Hi,
> >    Am testing a web page for buffer overflow kind of vulnerabilities.
> > Let's say I have an item x which can be created. I provide say 1024
> > characters through a user input text field and then save it.
> > Now I have to test that the page (actually the application server)
> > does not crash with that long input.
> > How can I test this using watir and rspec?
> > Since I do not know how would a page be rendered or application server
> > behave if it is not able to handle that long string?
> > Any suggestion would be much appreciated.
>
> > Thanks,
> > S.K
>
> Maura van der Linden
> Mythos Manor, LLC http://www.mauravanderlinden.com
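
Added example (not part of any post in this thread): one way to run the direct HTTP-level test described above, posting over-length field values straight to the server with Ruby's Net::HTTP and no browser in between. The stub server, the `name` field, the `/items` path and the 255-character limit are constructed assumptions so the script runs offline; against a real test server only `probe_lengths` and `failures` are needed, with the URI changed.

```ruby
require 'net/http'
require 'socket'

MAX_NAME = 255 # assumed server-side limit enforced by the constructed stub

# Constructed stand-in for the app server: it checks the length itself.
def start_stub_server
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      client = server.accept
      head = +''
      while (line = client.gets) && line != "\r\n"
        head << line
      end
      body = client.read(head[/^Content-Length:\s*(\d+)/i, 1].to_i)
      name = URI.decode_www_form(body).to_h['name'].to_s
      status = name.length <= MAX_NAME ? '200 OK' : '400 Bad Request'
      client.write("HTTP/1.1 #{status}\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
      client.close
    end
  end
  server.addr[1] # port chosen by the OS
end

# Post a name of each length directly to the server and record the HTTP
# status, or the exception class if the connection failed.
def probe_lengths(port, lengths)
  uri = URI("http://127.0.0.1:#{port}/items")
  lengths.to_h do |n|
    outcome = begin
      Net::HTTP.post_form(uri, 'name' => 'A' * n).code.to_i
    rescue SystemCallError, EOFError, Net::ReadTimeout => e
      e.class.name
    end
    [n, outcome]
  end
end

# A 5xx or a dropped connection is what a server-side failure looks like.
def failures(results)
  results.reject { |_, r| r.is_a?(Integer) && r < 500 }
end

if __FILE__ == $PROGRAM_NAME
  results = probe_lengths(start_stub_server, [254, 255, 256, 1024, 65_536])
  results.each { |n, r| puts format('%6d chars -> %s', n, r) }
  puts "failed lengths: #{failures(results).keys.inspect}"
end
```

A clean rejection such as 400 for the over-length values is the passing result; the lengths worth a bug report are the ones `failures` returns.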



[wtr-general] Re: Testing for Buffer Overflows

2009-04-13 Thread Maura van der Linden

Watir is a browser (ie frontend) test tool - Web Application Testing in
Ruby. Although it can be useful to see what limits are put on your input
fields by the frontend, it's generally pretty pointless for testing of
security issues like buffer overruns. Most attackers attempting a buffer
overrun type of attack will spoof a post or get and bypass your actual
frontend code completely.

For testing a buffer overrun, it's better to test at the API or Web Service
level and bypass the frontend. Most issues occur when the developers expect
the web form or frontend to protect the server from the exercise of a buffer
overrun by limiting what can be submitted there but not validating it at the
API or web service level where it really matters. This shows itself in
situations where the user can only input x characters in the web form but
the API or web service doesn't check to see what it's being handed before
attempting to process it. The API or web service trusts that it's being given
correct and valid data.

All input is evil and all trust is misplaced.

- Maura


On 4/13/09 6:17 AM, "SushilKarwa"  wrote:

> 
> Hi,
>    Am testing a web page for buffer overflow kind of vulnerabilities.
> Let's say I have an item x which can be created. I provide say 1024
> characters through a user input text field and then save it.
> Now I have to test that the page (actually the application server)
> does not crash with that long input.
> How can I test this using watir and rspec?
> Since I do not know how would a page be rendered or application server
> behave if it is not able to handle that long string?
> Any suggestion would be much appreciated.
> 
> Thanks,
> S.K
> > 

Maura van der Linden
Mythos Manor, LLC
http://www.mauravanderlinden.com







[wtr-general] Re: Testing for Buffer Overflows

2009-04-13 Thread bwaybandit

If you are testing whether the application server crashes, then that
has nothing to do with Watir. On the Watir end you can test whether
the UI allows that many characters to be input. You can use Ruby to
access your backend where your application server exists and check
whether certain ports are running or grep the log for the time and
exception you are expecting???

On Apr 13, 9:17 am, SushilKarwa  wrote:
> Hi,
>    Am testing a web page for buffer overflow kind of vulnerabilities.
> Let's say I have an item x which can be created. I provide say 1024
> characters through a user input text field and then save it.
> Now I have to test that the page (actually the application server)
> does not crash with that long input.
> How can I test this using watir and rspec?
> Since I do not know how would a page be rendered or application server
> behave if it is not able to handle that long string?
> Any suggestion would be much appreciated.
>
> Thanks,
> S.K
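
Added example (not part of the original post): the server-side check suggested above, confirming the application server's port still accepts connections and scanning its log for errors stamped inside the test window. The log line format, the error pattern and the sample lines are constructed assumptions.

```ruby
require 'socket'
require 'time'

# Assumed log line format: "<ISO-8601 time> <LEVEL> <message>".
ERROR_PATTERN = /\b(ERROR|FATAL)\b|Exception|Segmentation fault/

# Constructed sample log for the demonstration.
SAMPLE_LOG = [
  '2009-04-13T09:16:58Z INFO  POST /items 200',
  '2009-04-13T09:17:02Z INFO  POST /items received 1024 chars',
  '2009-04-13T09:17:03Z ERROR StringIndexOutOfBoundsException in ItemService',
  '    at ItemService.save(ItemService:42)',
  '2009-04-13T09:25:00Z ERROR unrelated scheduler failure'
].freeze

# True if something accepts TCP connections on host:port.
def port_listening?(host, port, timeout = 2)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError
  false
end

# Timestamp at the start of a log line, or nil for continuation lines
# (stack frames) and anything else that does not start with a time.
def parse_stamp(line)
  Time.iso8601(line.split(' ', 2).first.to_s)
rescue ArgumentError
  nil
end

# Error lines stamped between from and to (inclusive), so failures from
# before or after the test request are not blamed on it.
def errors_between(log_lines, from, to)
  log_lines.select do |line|
    stamp = parse_stamp(line)
    stamp && stamp.between?(from, to) && line.match?(ERROR_PATTERN)
  end
end

if __FILE__ == $PROGRAM_NAME
  from = Time.iso8601('2009-04-13T09:17:00Z')
  puts errors_between(SAMPLE_LOG, from, from + 30)
  puts "port 8080 listening: #{port_listening?('127.0.0.1', 8080)}"
end
```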