- Allow QA teams or developers to execute unit tests to demonstrate that a web application vulnerability remains fixed 1 day, 1 week, 1 month, or even 1 year from the date it was remediated (For example, security unit tests run as part of a continuous integration process).
- Provide a mechanism for security teams to demonstrate a vulnerability instance to web application stakeholders. One that can be run by the stakeholders themselves, as many times as needed, with little or no knowledge of security testing techniques.
- Allow security testers to write testing tools or scripts that interact directly with the browser, eliminating many false positives occurring due to the inability to execute JavaScript or other similar browser dependent components.
To install everything on Windows, here's what I did:
1. Install Ruby (1.9.x) (http://rubyinstaller.org/downloads/)
2. Install Watir (http://watir.com/installation/#win)
Get an admin command prompt
gem update --system
gem install watir
gem install watir-webdriver3. Install RSpec and escape_utils
gem install rspec
gem install escape_utils4. Install Capybara
gem install capybaraTo run the test cases, use the following commands:
rspec -f d "OWASP Broken WebApps RSpec.rb"rspec -f d "OWASP Broken WebApps Capybara.rb"Presentation Materials:
- Using Watir & Ruby for Web Application Vulnerability Unit Testing
- OWASP Broken WebApps Capybara.rb
- OWASP Broken WebApps RSpec.rb
Posts
2 comments:
This is awesome Nick! Really really cool stuff. Just a quick question though, is there any reason in particular you didn't use O2? I'm assuming, perhaps, that you were keen to use tools that developers already used?
Yes that's correct. I saw it being discussed and used in various software development articles, and I really enjoyed how easy it was to use in Ruby, so I chose Watir-WebDriver. I discovered Capybara later, and realized that it may have even better adoption, and added some similar examples for it.
Post a Comment