Tuesday, November 22, 2011

Using Watir-WebDriver or Capybara For Web Application Vulnerability Unit Testing

Back in October, I gave a Security B-Sides presentation filled with demos showing how to construct and execute unit tests for web application security vulnerabilities.  The goal was to:
  1. Allow QA teams or developers to execute unit tests to demonstrate that a web application vulnerability remains fixed 1 day, 1 week, 1 month, or even 1 year from the date it was remediated (for example, security unit tests run as part of a continuous integration process).
  2. Provide a mechanism for security teams to demonstrate a vulnerability instance to web application stakeholders: one that the stakeholders themselves can run, as many times as needed, with little or no knowledge of security testing techniques.
  3. Allow security testers to write testing tools or scripts that interact directly with the browser, eliminating many false positives that occur when a tool cannot execute JavaScript or other browser-dependent components.
The presentation slides and unit test scripts are available below.  Before trying out the unit tests, make sure you have the OWASP Broken Web Application Virtual Machine downloaded and running.  Next, install Ruby, Watir-WebDriver, RSpec, escape_utils, and Capybara.

To install everything on Windows, here's what I did:
1. Install Ruby (1.9.x) (http://rubyinstaller.org/downloads/)
2. Install Watir (http://watir.com/installation/#win)
Get an admin command prompt, then run:
gem update --system
gem install watir
gem install watir-webdriver

3. Install RSpec and escape_utils
gem install rspec
gem install escape_utils

4. Install Capybara
gem install capybara

To run the test cases, use the following commands:
rspec -f d "OWASP Broken WebApps RSpec.rb"
rspec -f d "OWASP Broken WebApps Capybara.rb"
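As an added illustration (not one of the post's own scripts), here is the core check such a regression test applies to the page source fetched from the browser: a reflected-XSS oracle that distinguishes "payload echoed verbatim" (still vulnerable) from "payload echoed HTML-encoded" (fixed). Ruby's stdlib CGI.escapeHTML stands in for escape_utils so it runs without extra gems; the two page builders and the form field name are constructed stand-ins, not OWASP BWA code.

```ruby
require 'cgi'

# Reflected-XSS regression oracle.  In a real test `body` comes from the
# browser after submitting the probe, e.g. Watir-WebDriver:
#   browser.text_field(:name => 'q').set(XssRegression::PAYLOAD)  # 'q' assumed
#   body = browser.html
# or Capybara:  fill_in 'q', :with => XssRegression::PAYLOAD; body = page.html
module XssRegression
  # Marker the test injects; distinctive enough not to occur on a page by chance.
  PAYLOAD = '<script>alert("xss-probe-7f3a")</script>'

  REFLECTED_RAW     = :reflected_raw      # echoed verbatim: still vulnerable
  REFLECTED_ESCAPED = :reflected_escaped  # echoed HTML-encoded: fix is holding
  NOT_REFLECTED     = :not_reflected      # input never echoed: test cannot judge

  # Order matters: a body containing the raw payload is vulnerable even if an
  # encoded copy is also present somewhere on the page.
  def self.classify(body, payload = PAYLOAD)
    return REFLECTED_RAW     if body.include?(payload)
    return REFLECTED_ESCAPED if body.include?(CGI.escapeHTML(payload))
    NOT_REFLECTED
  end

  # What the unit test asserts: the vulnerability stays fixed only while the
  # raw payload is absent from the response.
  def self.fixed?(body, payload = PAYLOAD)
    classify(body, payload) != REFLECTED_RAW
  end
end

# Constructed stand-ins for a search page before and after remediation, so the
# oracle can be exercised offline without the OWASP BWA virtual machine.
def vulnerable_search_page(term)
  "<html><body><p>Results for: #{term}</p></body></html>"
end

def fixed_search_page(term)
  "<html><body><p>Results for: #{CGI.escapeHTML(term)}</p></body></html>"
end

if __FILE__ == $0
  before = vulnerable_search_page(XssRegression::PAYLOAD)
  after  = fixed_search_page(XssRegression::PAYLOAD)
  puts "before fix: #{XssRegression.classify(before)}"  # reflected_raw
  puts "after fix:  #{XssRegression.classify(after)}"   # reflected_escaped
end
```

In an RSpec spec the last two lines become `XssRegression.fixed?(body).should be_false` before the fix and `be_true` after, so the same spec file fails until the developer's fix lands and keeps failing if the fix ever regresses.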

Presentation Materials:

2 comments:

Christian @xntrik Frichot said...

This is awesome Nick! Really really cool stuff. Just a quick question though, is there any reason in particular you didn't use O2? I'm assuming, perhaps, that you were keen to use tools that developers already used?

Nick Coblentz said...

Yes that's correct. I saw it being discussed and used in various software development articles, and I really enjoyed how easy it was to use in Ruby, so I chose Watir-WebDriver. I discovered Capybara later, and realized that it may have even better adoption, and added some similar examples for it.