[WEB SECURITY] Repository of site URL structures?

Andres Riancho andres.riancho at gmail.com
Tue Jun 21 15:40:41 EDT 2011


On Tue, Jun 21, 2011 at 4:09 PM, Chris Weber <chris at casabasecurity.com> wrote:
> Hi Andres,
>> -----Original Message-----
>> From: Andres Riancho [mailto:andres.riancho at gmail.com]
>> Sent: Tuesday, June 21, 2011 11:59 AM
>> To: Chris Weber
>> Cc: websecurity at lists.webappsec.org
>> Subject: Re: [WEB SECURITY] Repository of site URL structures?
>> Chris,
>> On Tue, Jun 21, 2011 at 2:49 PM, Chris Weber <chris at casabasecurity.com>
>> wrote:
>> > What are you trying to do Robert?  I've been amassing a list of URIs
>> > and IRIs for testing purposes, you can check it out here:
>> >
>> > https://github.com/cweb/iri-tests/blob/master/tests.xml
>> Awesome stuff :) Quick question, how do you know what's the real expected
>> result? For example in:
> That's an important question isn't it :) Please ignore the <expected> stuff
> for now, it's in flux. Webkit has its own idea of what's expected, so some
> of it comes from there, others of it come from the RFCs. But it's still
> questionable why Webkit chose its expected results. I'm planning to keep
> Webkit's expected result for now, and considering basing the expected result
> on the majority browser implementation, which means more testing and data
> collection first.

Cool, I'm eager to see more work done on tests.xml, it will be a
perfect thing for testing w3af's url parsing module! We already have
lots of doctests [0] but I would be really happy to integrate
tests.xml into a unit-test that reads each of the <test>, makes
url_object parse the <uri> and compares the object with <expected>.

Just noticed that you might be missing the test where you have a
param:    http://www.w3af.com/foo/bar?spam;eggs=1    (eggs=1) is the

[0] https://sourceforge.net/apps/trac/w3af/browser/trunk/core/data/parsers/urlParser.py


> -Chris

Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
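
The data-driven test described in the message above, as an added example (not code from the message, from w3af or from the iri-tests repository). Only the <test>, <uri> and <expected> element names come from the message; the id attribute, the children of <expected> and the sample cases are constructed, and Python's urllib.parse.urlsplit stands in for the parser under test.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Only the <test>, <uri> and <expected> element names come
# from the message; the id attribute and the children of <expected> are assumed.
# The last case's expected host deliberately disagrees with the stdlib parser.
SAMPLE_XML = """<tests>
  <test id="plain"><uri>http://www.w3af.com/foo/bar?spam=1</uri>
    <expected><scheme>http</scheme><host>www.w3af.com</host>
      <path>/foo/bar</path><query>spam=1</query></expected></test>
  <test id="semicolon-in-query"><uri>http://www.w3af.com/foo/bar?spam;eggs=1</uri>
    <expected><scheme>http</scheme><host>www.w3af.com</host>
      <path>/foo/bar</path><query>spam;eggs=1</query></expected></test>
  <test id="uppercase-host"><uri>HTTP://WWW.W3AF.COM/foo</uri>
    <expected><scheme>http</scheme><host>WWW.W3AF.COM</host>
      <path>/foo</path><query></query></expected></test>
</tests>"""


def parse_with_stdlib(uri):
    """Stand-in for the parser under test; swap in the real one when integrating."""
    parts = urlsplit(uri)
    return {"scheme": parts.scheme, "host": parts.hostname or "",
            "path": parts.path, "query": parts.query}


def run_suite(xml_text, parser=parse_with_stdlib):
    """Return {test id: {field: (expected, actual)}} for each mismatching test."""
    failures = {}
    for test in ET.fromstring(xml_text).iter("test"):
        test_id = test.get("id")
        uri = (test.findtext("uri") or "").strip()
        node = test.find("expected")
        expected = {el.tag: el.text or "" for el in (node if node is not None else [])}
        try:
            actual = parser(uri)
        except ValueError as exc:  # e.g. malformed IPv6 literal in the authority
            failures[test_id] = {"error": (None, str(exc))}
            continue
        diff = {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
        if diff:
            failures[test_id] = diff
    return failures


if __name__ == "__main__":
    for test_id, diff in run_suite(SAMPLE_XML).items():
        print(test_id, diff)
```

The uppercase-host case is reported because urlsplit lowercases the hostname while the constructed expectation keeps the original case, the kind of implementation difference that makes the choice of expected value matter.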
