Taras,

On Thu, Jun 28, 2012 at 4:01 PM, Taras <ox...@oxdef.info> wrote:
> Andres, I haven't read this paper yet but I'll try to answer on your
> questions. I currently make experiments with pair PhantomJS/CasperJS
> which give you opportunity to make almost all things as you can do if you
> have injected JS script into target web app plus some other useful
> things like page capturing.
>
>
>>> This might be an interesting read for your ajax research:
>>>
>>> http://blog.watchfire.com/wfblog/2012/06/automated-blackbox-crawling-the-next-generation.html
>>
>>
>> After reading this paper, I came up with a requirement list for our
>> RIA crawling engine, the algorithm we implement afterwards is
>> independent from the requirements; but with these it should be
>> possible to do almost anything:
>>
>> * Load an URL
>
> Yes, it can
>
>> * All HTTP traffic from the automated browser should go through an
>> HTTP proxy we define
>
> Yes, it can and I have already implemented it in web20Spider.py

Will review and send comments when you tell me "Please review" :)

>> * For each state in which the automated browser is in, be able to
>> return a list with all the custom events available (ie. if there is
>> a tag with <div onmouseover="..." this should return something like
>> [( <div object at 0x...>, 'onmouseover')] )
>
> I'm not sure about it. Such thing even difficult with FireBug as I know.

If we don't have that, how can we know which events to trigger?

>> * Send an event, for example (<div object at 0x...>, 'onmouseover'),
>> to the current DOM
>
> Yes, it can

How do you know which events to send to which tag?

>> * We need to be able to store events like (<div object at 0x...>,
>> 'onmouseover') in order to store a path and replay it if wanted
>
> Currently I store not events paths but CSS selectors of interesting
> objects like links and images. But it's discussable.

Hmm... what if there is an onmouseover="..." in a div tag? How are we
going to trigger that JS code?

>> * Ability to tell if the latest event that was sent by us caused a
>> full DOM reload or not
>> * Dump current DOM (with all JS and external
>> resources) to a string. Useful for comparing two states and restoring
>> a state
>> * Load a stored DOM into the automated browser instance. This
>> restores a saved state.
>
> Capturing/hashing

I would say: "pickling" instead of hashing here

> of DOM is a good idea. And I also thought about it and
> about comparing states based on it. Currently I don't know if it is possible
> with PhantomJS but I'll try to find it out. If it possible having injected
> JS then it possible for us. For the first step I've decided to start with
> simple model when state identified with URL. I know that there are web apps
> which changes states without changed URL (please, look on spider.js [0]).
> But I repeat...it is first step and PoC :)

Sure, we always need to take a first step, and usually it's not the
best thing we can do; but it is better than not taking it :) The only
point we need to take into account is that maybe we could work a lot
phantomjs and then in 6 months have to throw it away because it doesn't
provide us with the basic features we need

>
>> * (optional) Take screenshot of current page
>
> Yes, it can. Some time ago with PhantomJS I have made PDF version of
> my slides in HTML/JS format :)
>
>
>> @all: Any other thing you can think of?
>
> Let me read for the first this article :) I also recommend to read
> "Invariant-Based Automatic Testing of Modern Web Applications" by Ali
> Mesbah, Arie van Deursen and Danny Roest [1]

I'll read that, thanks,

> [0]
> http://w3af.svn.sourceforge.net/viewvc/w3af/branches/webapps/plugins/discovery/web20Spider/spider.js?revision=5281&view=markup
> [1] "Invariant-Based Automatic Testing of Modern Web Applications"
> by Ali Mesbah, Arie van Deursen and Danny Roest,
> http://www.ece.ubc.ca/~amesbah/docs/tse11.pdf
>
> --
> Taras
> http://oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
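
One way to get the "list of custom events" requirement discussed above out of a dumped DOM string, as an added example that is not part of the original thread or of w3af's code. It returns replayable (CSS path, event) pairs for inline on* attributes only; the names InlineEventFinder, list_events and state_id, the handler-based state key and the sample DOM are assumptions made for illustration, and handlers attached with addEventListener do not appear in a DOM dump, so they are not covered.

```python
import hashlib
from html.parser import HTMLParser

# Elements that never get a closing tag, so they are never pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class InlineEventFinder(HTMLParser):
    """Collect a (css_path, event_attribute) pair for every inline on* handler."""

    def __init__(self):
        super().__init__()
        self.stack = []   # open elements as (tag, path_step, child_counts)
        self.top = {}     # sibling counters for top-level elements
        self.events = []

    def handle_starttag(self, tag, attrs):
        counts = self.stack[-1][2] if self.stack else self.top
        counts[tag] = counts.get(tag, 0) + 1
        step = f"{tag}:nth-of-type({counts[tag]})"
        path = " > ".join([s for _, s, _ in self.stack] + [step])
        for name, _ in attrs:          # HTMLParser lowercases attribute names
            if name.startswith("on") and len(name) > 2:
                self.events.append((path, name))
        if tag not in VOID:
            self.stack.append((tag, step, {}))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open element; ignore stray closers.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def list_events(dom):
    """Return the replayable (css_path, event) list for one dumped DOM string."""
    finder = InlineEventFinder()
    finder.feed(dom)
    finder.close()
    return finder.events

def state_id(dom):
    """Assumed state key: hash of the handler list, so text-only changes match."""
    return hashlib.sha256(repr(list_events(dom)).encode()).hexdigest()

# Constructed sample DOM dump, not taken from any real application.
SAMPLE_DOM = """<html><body>
<div id="menu" onmouseover="showMenu()">Menu</div>
<div><a href="#" onclick="loadTab(2)">Tab</a><br>
<img src="x.png" onload="track()"></div>
</body></html>"""
```

Each returned path is a selector that can be stored and later handed to the automated browser together with the event name, and state_id gives two dumps taken at the same URL different keys when their handler sets differ.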