Wednesday, November 30, 2011

Web Application Vulnerability Unit Testing Cheat Sheet (Capybara and Watir-WebDriver)

For an example template for Watir-WebDriver/RSpec or Capybara Test Case, start here:
For common questions with Watir-WebDriver or Capybara, look here next:
  • http://watirwebdriver.com/web-elements/ (and the "advanced interactions" items)
  • https://github.com/jnicklas/capybara
Finally, refer to the cheat sheet below for issues I came across while trying to write test case for web application vulnerabilities:

Detect and Close JavaScript Alert Boxes:
Watir-WebDriver
begin
browser.driver.switch_to.alert.accept #raises an exception if no alert is present
puts 'alert box found'
rescue
puts 'alert box not found'
end

Capybara:
page.driver.browser.switch_to.alert.accept

Perform Arbitrary HTTP POST Requests:
Watir-WebDriver
#POST http://owaspbwa/vicnum/vicnum5.php
#player=<script>alert(1)</script>
require 'tempfile'
require 'escape_utils'
require 'watir-webdriver'
target='http://owaspbwa/vicnum/vicnum5.php' #the attack target
post='player=<script>alert(1)</script>' #the POST data to send to the target
postdata=Array.new
post.split('&').each do |name_value|
postdata.push(name_value.split('='))
end
#Create an HTML form to submit the POST request
html="<html><head></head><body>\r\n"
html+='<form name="WATIR_AUTO_FORM" method="post" action="'+target+'">'+"\r\n"
postdata.each do |pair|
if(pair.count > 0 && pair[0] && !pair[0].empty?)
html+='<input type="hidden" name="'+pair[0]+'" value="'
if(pair.count > 1 && pair[1])
html+=pair[1]
end
html+='" />'+"\r\n"
end
end
html+='</form><script>document.forms["WATIR_AUTO_FORM"].submit();</script></body></html>'
#save the HTML content to a file.
f=Tempfile.new('test.html')
f.puts(html)
location='file://'+f.path
print location+"\r\n"
f.close
browser = Watir::Browser.new
#View the generate HTML page
browser.goto location
begin
browser.driver.switch_to.alert.accept #throws an error if no alert is present
puts "XSS alert box was displayed!"
rescue
puts "Failed!"
end
view raw Arbitrary HTTP POST with Watir-WebDriver.rb hosted with ❤ by GitHub


Send Keyboard Commands:
Watir-WebDriver
browser.text_field(:name,/login/i).send_keys(:arrow_down)

Capybara:
page.find_field('login').native.send_keys(:arrow_down)

Search For Text/HTML Within a Nested Frame:
Watir-WebDriver

def each_frame(frames,&block)
frames.each do |f|
yield f
each_frame(f.frames,&block)
end
end
status = browser.html.include?(match)
each_frame(browser.frames) do |f|
break if(status=status || f.html.include?(match))
end
view raw gistfile1.rb hosted with ❤ by GitHub

Returning Content From Javascript:
Watir-WebDriver
browser.execute_script(‘return “asdf”’) #=> returns “asdf” to ruby

Include JQuery: Watir-WebDriver browser.execute_script(%q| var el = document.createElement("script"); el.setAttribute("src","http://code.jquery.com/jquery-1.6.4.min.js"); document.body.appendChild(el);|)

Return HTTP Headers:
Watir-WebDriver

url='http://www.google.com'
browser.goto(url)
browser.execute_script(%q|var el = document.createElement("script");el.setAttribute("src","http://code.jquery.com/jquery-1.6.4.min.js");document.body.appendChild(el);|)
browser.execute_script(%q|var geturl = $.ajax({type: GET,url: '|+url+%q|',complete: function () {$('body').data('httpheaders_complete',true);},success: function (data,status,xhr) {$('body').data('httpheaders',geturl.getAllResponseHeaders());$('body').data('content',data);}});|)
browser.wait_until { browser.execute_script(%q|return $('body').data('httpheaders_complete');|) }
browser.execute_script(%q|return $('body').data('httpheaders');|)
view raw gistfile1.rb hosted with ❤ by GitHub


Posted by at No comments:
Labels:

Tuesday, November 22, 2011

Using Watir-WebDriver or Capybara For Web Application Vulnerability Unit Testing

Back in October, I gave a Security B-Sides presentation filled with demos showing how to construct and execute unit tests for web application security vulnerabilities.  The goal was to:
  1. Allow QA teams or developers to execute unit tests to demonstrate that a web application vulnerability remains fixed 1 day, 1 week, 1 month, or even 1 year from the date it was remediated (For example, security unit tests run as part of a continuous integration process).
  2. Provide a mechanism for security teams to demonstrate a vulnerability instance to web application stakeholders.  One that can be run by the stakeholders themselves, as many times as needed, with little or no knowledge of security testing techniques.
  3. Allow security testers to write testing tools or scripts that interact directly with the browser, eliminating many false positives occurring due to the inability to execute JavaScript or other similar browser dependent components.
The presentation slides and unit test scripts are available below.  Before trying out the unit tests, make sure you have the OWASP Broken Web Application Virtual Machine downloaded and running.  Next, install Ruby, Watir-WebDriver, RSpec, escape_utils, and Capybara.

To install everything on Windows, here's what I did:
1. Install Ruby (1.9.x) (http://rubyinstaller.org/downloads/)
2. Install Watir (http://watir.com/installation/#win)
Get an admin command prompt
gem update --system
gem install watir
gem install watir-webdriver

3. Install RSpec and escape_utils gem install rspec
gem install escape_utils

4. Install Capybara
gem install capybara

To run the test cases, use the following commands:
rspec -f d "OWASP Broken WebApps RSpec.rb"
rspec -f d "OWASP Broken WebApps Capybara.rb"

Presentation Materials:

Posted by at 2 comments:
Labels: ,
Subscribe to: Posts (Atom)