[WEB SECURITY] Scripting Question

Hoffman, Billy billy.hoffman at hp.com
Wed May 14 12:05:38 EDT 2008


Hmmm.

I've always followed the approach mangleme.cgi took. Use some server-side code to generate/load what you want to test and use a META refresh tag to move to the next test. While testing various XSS vectors, I had some JavaScript which would phone home to let me know when it worked.

For richer UI interaction, Shreeraj has a good paper demonstrating Ruby + Watir to automate client-side stuff:
http://www.infosecwriters.com/text_resources/pdf/Crawling_AJAX_SShah.pdf

Hope that helps,
Billy Hoffman
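
The approach described in the reply above (server-generated test pages chained with a META refresh, plus a JavaScript callback that reports execution), sketched as an added example; it is not part of the original post and is not mangleme's code. It is framed as a browser regression check for an output encoder, and the routes `/test`, `/hit` and `/report`, the function names and the sample inputs are all constructed for illustration.

```python
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample inputs; each calls hit(<case id>) if the browser runs it.
CASES = [
    '<script>hit({i})</script>',
    '<img src=x onerror=hit({i})>',
    '"><svg onload=hit({i})>',
]
HITS = set()  # ids of cases whose script actually executed in the browser
def render_under_test(value):
    """Hypothetical stand-in for the output encoder being regression-tested."""
    return html.escape(value, quote=True)

def build_page(i, encode=render_under_test):
    """HTML for case i (element + attribute context), refreshing to case i+1."""
    nxt = f"/test?i={i + 1}" if i + 1 < len(CASES) else "/report"
    body = encode(CASES[i].format(i=i))
    return (f'<html><head><meta http-equiv="refresh" content="1;url={nxt}">'
            f'<script>function hit(n){{new Image().src="/hit?i="+n}}</script>'
            f'</head><body><div title="{body}">{body}</div></body></html>')

def route(path):
    """Map a request path to (status, body); beacon requests land in HITS."""
    url = urlparse(path)
    try:
        i = int(parse_qs(url.query).get("i", ["0"])[0])
    except ValueError:
        return 404, "not found"
    in_range = 0 <= i < len(CASES)
    if url.path == "/test" and in_range:
        return 200, build_page(i)
    if url.path == "/hit" and in_range:
        HITS.add(i)  # the page's script ran: the encoder failed this case
        return 204, ""
    if url.path == "/report":
        return 200, f"executed cases: {sorted(HITS)} of {len(CASES)}"
    return 404, "not found"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = route(self.path)
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode())
if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Point the browser under test at `http://127.0.0.1:8000/test?i=0`; it walks every case by itself and ends on `/report`, where any listed case id means the encoder let that input execute.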

-----Original Message-----
From: Dark Con [mailto:d4rkcon at gmail.com]
Sent: Wednesday, May 14, 2008 10:11 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Scripting Question

This question might be a little off-topic for this list, so please let
me know if I should direct it elsewhere.

I'm looking for a way to automate some client-side exploit testing. I
want to write a script that loads web pages automatically in a real
web browser. I realize that there are multiple other kludges that
might do something similar (setting up the RefreshEvery Firefox
extension for one), but the goal is to expand this to some other
things, as well.

What I'm really looking for is a way to code UI interaction (or some
libraries that might help with that). I've found some easy ways to do
it in OSX (Automator makes things like this really simple), but was
wondering if anyone on the list has ever done anything like this
before and might be able to point me to any articles/books about the
topic, or recommend which languages might have the best facilities for
a project like this.

Thanks.
-DC

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

