
Web Security Testing with Ruby and Watir


Abstract

To verify the quality of web applications today, security testing is a necessity. But how to cover it all? SQL injection, cross-site scripting, buffer overflow... and the list goes on. Automating some of this testing would be great, but where to start?

This paper is a case study in how McAfee decided to use Ruby/Watir to help with its web security testing needs.

The Ruby language, combined with the Watir module, is a great toolset for security testing of web applications. There are three reasons for this:

1. Many of the common security vulnerabilities related to web applications (SQL injection, cross-site scripting, and buffer overflow) have to do with simply posting different types of information to a web server via a client. This is pretty much what Watir is all about. It even gives you access to hidden elements, so it really is a great tool for submitting form data to a web server.
2. The Ruby side of Watir, being a full-service language, has great tools for querying the database, checking audit logs and the like. Also, you can generate random data (or large datasets) to throw at a web app, or even pull the test data from a CSV file.
3. There are some things you might not be able to do through Watir, but can certainly be done with Ruby. Again, this is perfect, because Watir is not really a test framework; it's just a way to drive the browser when you need to. So, tests which are more low-level (such as web service communication or network tests) can be run through Ruby and RSpec, or whatever actual test framework you're using.

Bibliographic details

  • Source
    Software quality conference | 2009 | pp. 91-98 | 8 pages
  • Conference location: Portland, OR (US)
  • Author

    James O. Knowlton;

  • Affiliation

    McAfee Inc. Business Administration degree at the University of Portland;

  • Format: PDF
  • Language: eng
  • CLC classification: Computer software
