Thanks all for your inputs and guidance. I have got a lot of information
now to start with.
Chuck, special thanks for sharing information about those books, and I
did realize that one of those books' authors has actually replied to my
post in this thread :)

Thanks,
S.K

On Apr 13, 11:38 pm, Chuck van der Linden <sqa...@gmail.com> wrote:
> Ruby has however some handy HTTP capabilities, so you COULD do this
> testing inside your watir scripts by using direct ruby code that
> interacts with the server at the HTTP Protocol level.   This isn't
> quite as easy as doing things via the UI and Watir (you'll need to
> learn a bit about HTTP, perhaps use something like Fiddler to see what
> the 'normal' requests look like in order to craft up your malformed
> request.)  but you'd be able to pretty much use whatever framework you
> are currently using to report results etc.
>
> This also has the advantage that you'd be bypassing the front end
> completely and interacting with the server pretty much the same way as
> would a malevolent person who is spoofing stuff trying to crash it,
> since well that's exactly what YOU are trying to do..
>
> The books Everyday Scripting in Ruby, and also Ruby Cookbook both have
> some content that shows doing direct HTTP requests using Ruby.
>
> The book "Testing Code Security" is a useful reference for this and
> other classes of tests (such as cross-site, injection) that anyone
> doing web-testing will want to cover.
>
> you may encounter the authors of a few of those books in this forum
> from time to time  <wink wink>
>
> --Chuck
> you can invoke: user.lead_to(knowledge)
> but unfortunately : user.drink()
> is a private method
>
> On Apr 13, 10:33 am, Maura van der Linden
> <mauravanderlin...@gmail.com> wrote:
> > Watir is a browser (i.e. frontend) test tool - Web Application Testing in
> > Ruby. Although it can be useful to see what limits are put on your input
> > fields by the frontend, it's generally pretty pointless for testing of
> > security issues like buffer overruns. Most attackers attempting a buffer
> > overrun type of attack will spoof a post or get and bypass your actual
> > frontend code completely.
>
> > For testing a buffer overrun, it's better to test at the API or Web Service
> > level and bypass the frontend. Most issues occur when the developers expect
> > the web form or frontend to protect the server from the exercise of a buffer
> > overrun by limiting what can be submitted there but not validating it at the
> > API or web service level where it really matters. This shows itself in
> > situations where the user can only input x characters in the web form but
> > the API or web service doesn't check to see what it's being handed before
> > attempting to process it. The API or web service trusts that it's being given
> > correct and valid data.
>
> > All input is evil and all trust is misplaced.
>
> > - Maura
>
> > On 4/13/09 6:17 AM, "SushilKarwa" <sushil.ka...@gmail.com> wrote:
>
> > > Hi,
> > >    I am testing a web page for buffer overflow kind of vulnerabilities.
> > > Let's say I have an item x which can be created. I provide say 1024
> > > characters through a user input text field and then save it.
> > > Now I have to test that the page (actually the application server)
> > > does not crash with that long input.
> > > How can I test this using watir and rspec?
> > > Since I do not know how a page would be rendered or how the application server
> > > would behave if it is not able to handle that long string?
> > > Any suggestion would be much appreciated.
>
> > > Thanks,
> > > S.K
>
> > Maura van der Linden
> > Mythos Manor, LLC
> > http://www.mauravanderlinden.com
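Below is an added, stand-alone example of the approach Chuck and Maura describe (it is not code from the thread, from Watir, or from any of the books mentioned): a Ruby script that skips the browser entirely and POSTs an oversized form field straight to the server with Net::HTTP, then classifies what came back. To make it runnable offline, it includes a constructed toy server that plays three roles: one that trusts the front end's maxlength and blows up, one that re-validates the limit server-side, and one that simply drops the connection. The field name `name`, the path `/items` and the 255-byte limit are assumptions for the example, not anything from the original post.

```ruby
require 'socket'
require 'net/http'
require 'uri'

# Length the web form's maxlength attribute would enforce in the browser.
# Assumed value for this example; the real limit is whatever the page uses.
MAX_NAME_LEN = 255

# Constructed stand-in for the application server (not a real product).
# Accepts one form POST per connection and hands the parsed fields to a handler.
class ToyFormServer
  attr_reader :port

  def initialize(&handler)
    @server  = TCPServer.new('127.0.0.1', 0)   # port 0: let the OS pick a free port
    @port    = @server.addr[1]
    @handler = handler
    @thread  = Thread.new { loop { serve(@server.accept) } }
  end

  def stop
    @thread.kill
    @server.close
  end

  private

  def serve(sock)
    fields = parse_form_post(sock)
    status, text = @handler.call(fields)
    respond(sock, status, text) unless status == :crash   # :crash = drop the connection silently
  rescue StandardError => e
    respond(sock, '500 Internal Server Error', e.message)  # unhandled exception becomes a 500
  ensure
    sock.close
  end

  def parse_form_post(sock)
    sock.gets                                     # request line, e.g. "POST /items HTTP/1.1"
    headers = {}
    while (line = sock.gets) && !line.strip.empty?
      key, value = line.split(':', 2)
      headers[key.downcase] = value.strip
    end
    body = sock.read(headers['content-length'].to_i) || ''
    URI.decode_www_form(body).to_h
  end

  def respond(sock, status, text)
    sock.write("HTTP/1.1 #{status}\r\nContent-Length: #{text.bytesize}\r\n" \
               "Connection: close\r\n\r\n#{text}")
  end
end

# Server behaviour 1: trusts the front end and blows up on long input.
TRUSTING = lambda do |fields|
  name = fields.fetch('name', '')
  raise ArgumentError, "buffer too small for #{name.bytesize} bytes" if name.bytesize > MAX_NAME_LEN
  ['201 Created', "created item (#{name.bytesize} bytes)"]
end

# Server behaviour 2: re-checks the limit server-side, where it matters.
VALIDATING = lambda do |fields|
  name = fields.fetch('name', '')
  return ['400 Bad Request', "name longer than #{MAX_NAME_LEN} bytes"] if name.bytesize > MAX_NAME_LEN
  ['201 Created', "created item (#{name.bytesize} bytes)"]
end

# Server behaviour 3: the worker dies mid-request, so no HTTP response at all.
CRASHING = lambda do |fields|
  fields.fetch('name', '').bytesize > MAX_NAME_LEN ? [:crash] : ['201 Created', 'created item']
end

# The probe: a hand-built POST that never touches the browser or its maxlength,
# the same thing an attacker replaying a spoofed form submission would send.
# Field name and path are assumptions for the example.
def probe_long_input(port, length:, field: 'name', path: '/items')
  uri = URI("http://127.0.0.1:#{port}#{path}")
  req = Net::HTTP::Post.new(uri)
  req.set_form_data(field => 'A' * length)
  res = Net::HTTP.start(uri.host, uri.port, open_timeout: 2, read_timeout: 5) { |h| h.request(req) }
  { status: res.code.to_i, body: res.body }
rescue IOError, SystemCallError, Net::OpenTimeout, Net::ReadTimeout => e
  # No HTTP answer at all is the clearest sign the server process fell over.
  { status: nil, error: e.class.name }
end

# Start a toy server with the given behaviour, probe it once, shut it down.
def run_probe(handler, length)
  server = ToyFormServer.new(&handler)
  probe_long_input(server.port, length: length)
ensure
  server&.stop
end

if $PROGRAM_NAME == __FILE__
  { 'trusts front end' => TRUSTING, 'validates input' => VALIDATING, 'crashes' => CRASHING }.each do |label, h|
    puts format('%-17s %p', label, run_probe(h, 1024))
  end
end
```

Against a real target, replace the toy server with the application's host and port, keep `probe_long_input` as the RSpec subject, and treat anything other than a clean 4xx rejection (a 500, a response that never arrives, or a 201 that silently accepted 1024 bytes the form would have refused) as a finding: the first two mean the server choked, the last means the limit lives only in the browser. Using Fiddler or a proxy first, as Chuck suggests, tells you the real field names and any tokens the form sends, which the request must carry for the test to reach the code under test.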