[wtr-general] Re: Posting invalid form data with Watir

2009-05-20 Thread Paul Denize

Found a solution

ie.text_field(itemtype,itemname).value=text

works just fine.



Also use the same technique to select options (choice) in a combo
where that value may not already exist

  s = ie.select_list(itemtype, itemname)
  texts = s.getAllContents
  if texts == []
    fail "This function requires the list to contain at least one value already"
  end
  o = s.option(:text, texts[0])
  o.setvalue(choice)
  s.select_value(choice)

Next will be unselecting all the radios ..., submitting forms with
fields not on the form, or without pressing any or the known submit
buttons.

These tests are intended to ensure the Server also validates inputs
and does not leave it to the Webpage.  If you don't understand why this
testing is important google OWASP, it is a serious threat to many
systems.  And users can do this using easily downloadable tools like
Firefox's Tamper Data.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Watir General group.
To post to this group, send email to watir-general@googlegroups.com
Before posting, please read the following guidelines: 
http://wiki.openqa.org/display/WTR/Support
To unsubscribe from this group, send email to 
watir-general-unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/watir-general
-~--~~~~--~~--~--~---



[wtr-general] Re: Posting invalid form data with Watir

2009-04-12 Thread Jarmo Pertman

You should be able to use JavaScript to make these things.

For example, I have this select list on my page:
<select name="menu">
  <option value="0" selected>0</option>
  <option value="1">one</option>
</select>

Now, in Watir I could do something like this with JavaScript:
script = %q{
  opt = document.createElement('option');
  opt.text = 'malicious';
  opt.value = '666';
  list = document.getElementsByName('menu')[0];
  list.add(opt);
}

$browser.ie.document.parentWindow.execScript(script)
$browser.select_list(:name, "menu").select "malicious"
$browser.form(:index, 1).submit

This only works with IE though.



[wtr-general] Re: Posting invalid form data with Watir

2009-04-12 Thread Jarmo Pertman

On Apr 12, 2:49 pm, Jarmo Pertman jarm...@gmail.com wrote:
> script = %q {

Sorry, I had one extra space in here - %q {... Correct would be %q{ (so, there's no space after %q)



[wtr-general] Re: Posting invalid form data with Watir

2009-04-09 Thread Chuck van der Linden

Not sure there is an easy way around this with Watir itself, since
it's designed to drive the browser like a user would.

Seems like for this kind of spoofing, where you are sending something
that the browser won't normally allow, there are a couple of options.

You already talked about using something to handcraft the requests,
and I presume you know about saving a page locally, modifying it and
then running it to submit invalid requests.

You could also use a protocol level tool like Fiddler2 to capture the
traffic, then modify and replay the request.. which is faster and
easier and really good for quick off the cuff tests, but not really
what you are looking for..

So I think what you'd want to do is look into protocol level
scripting, which can be done with Ruby (or python and I think perl).
The book 'Everyday Scripting with Ruby' has an example of creating a
class to send a HTTP post request on page 151 (I just pulled down my
copy and looked it up in the index)..

The O'Reilly Ruby Cookbook also has a few pages worth of stuff
dealing with HTTP as well.

What would be nice of course (and I've no idea if this is possible)
would be to have a way to direct the response from the request into a
browser session, so you could use watir to evaluate how the server
responded to the invalid data, but I expect you're likely to have to
parse through it manually.

On Apr 8, 5:40 pm, Paul Denize paul.den...@datacom.co.nz wrote:
> In previous versions of watir I used to send 11 characters to a field
> that had a maxlimit of 10.  This would ensure the server also checked
> the parameter and did something sensible (truncate or error message).
>
> The newer version seems a bit safer and ie.text_field(:index, 1).set("01234567890")
> just truncates the input to the maxlength.  Ok I
> accept that and found I could use ie.text_field(:index, 1).value = "01234567890"
> in the instances where I wanted to do the
> server side validation.
>
> NOW THE PROBLEM
>
> How do I do that for a combo box?
>
> I want to send a value that is not in the list of options.  One way
> might be to add the item and then send it (sorta the same thing I
> guess).  In any case the server should again check and handle this.
>
> And I bet the next question I ask will be around Radios and
> Checkboxes?  Setting/sending invalid values.
>
> BACKGROUND
>
> For those unfamiliar with OWASP threats (google that) and see that
> this is amongst the most common vulnerabilities in security.  You
> cannot assume the web browser will safeguard inputs.  In fact till now
> we have manually used Firefox and Tamper Data to do this.  But the task
> is very difficult and time consuming - So I want to automate these
> tests too.
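The thread's underlying point, made by Paul and picked up in Chuck's suggestion of protocol-level scripting in Ruby, is that the browser's maxlength and option list are not a security control: the server must re-check every field. The block below is an added example, not code from any poster or from Watir. It builds the url-encoded body a protocol-level test would POST (over-length text, a select value that is not in the option list, duplicate or missing radio values, an extra field), parses it the way a server would, and runs the server-side rules a test suite like Paul's should expect to see enforced. The field names, limits and allowed values in FORM_RULES are constructed for illustration and are not from a real application.

```ruby
require 'uri'

# Server-side rules for the example form (constructed; field names, limits
# and option values are assumptions, not from the thread or a real app).
FORM_RULES = {
  'name'  => { type: :text,     maxlength: 10 },
  'menu'  => { type: :select,   options: %w[0 1] },
  'plan'  => { type: :radio,    options: %w[basic pro], required: true },
  'agree' => { type: :checkbox, options: %w[yes] }
}.freeze

# Build the application/x-www-form-urlencoded body a protocol-level test
# would POST. Nothing here consults the HTML form, so any value can be sent;
# pass an array of pairs to send the same field name more than once.
def build_form_body(params)
  URI.encode_www_form(params)
end

# Decode the body as a server would. Repeated names (e.g. two radio values in
# one request) are kept as an array so the validator can reject them.
def parse_form_body(body)
  grouped = URI.decode_www_form(body).each_with_object({}) do |(k, v), h|
    (h[k] ||= []) << v
  end
  grouped.transform_values { |v| v.length == 1 ? v.first : v }
end

# Validate decoded params against FORM_RULES. Returns an array of error
# strings; an empty array means the submission is acceptable. Every rule is
# enforced here regardless of what the browser's maxlength or option list
# would have permitted.
def validate_form(params)
  errors = []

  # A browser never sends fields that are not on the form, so a handcrafted
  # request did; reject rather than silently ignore.
  (params.keys - FORM_RULES.keys).each { |k| errors << "unexpected field #{k}" }

  FORM_RULES.each do |field, rule|
    value = params[field]
    if value.nil?
      errors << "missing field #{field}" if rule[:required]
      next
    end
    if value.is_a?(Array)
      errors << "multiple values for #{field}"
      next
    end
    case rule[:type]
    when :text
      if value.length > rule[:maxlength]
        errors << "#{field} exceeds #{rule[:maxlength]} characters"
      end
    when :select, :radio, :checkbox
      # Allow-list check: the submitted value must be one the form offers.
      unless rule[:options].include?(value)
        errors << "#{field} value not allowed: #{value.inspect}"
      end
    end
  end
  errors
end

if __FILE__ == $0
  # 11 characters into a 10-character field, a select value not in the list,
  # and a field that is not on the form at all.
  body = build_form_body('name' => '01234567890', 'menu' => '666',
                         'plan' => 'pro', 'extra' => 'x')
  puts body
  puts validate_form(parse_form_body(body)).inspect
end
```

Each test case in the thread maps to one assertion against validate_form: the over-length text field, the select value not in the option list, an unselected (missing) radio, two radio values in one request, and a field that is not on the form. A server that passes all of them is doing the checking Paul wants to automate; one that relies on the page's maxlength or option list will fail the first two.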