Penetration Testing mailing list archives
Re: Any special tool for testing a web chat application?
From: Barry Archer <archerba () gmail com>
Date: Thu, 5 Feb 2009 21:09:59 -0600
Rogan,

Yes, exactly - I do want to be able to intercept the AJAXy traffic. Thanks for the BeanShell suggestion and ScriptManager info. That's looking like it will do what I want nicely.

BTW, I've been asked to test a vendor supplied web-based chat application. I can tune our web application scanning tool to skip most of the general tests, but it still seems like a hammer when I also needed a pair of pliers...

Thanks!

Barry

On Thu, Feb 5, 2009 at 6:24 AM, Rogan Dawes <lists () dawes za net> wrote:
> Irene Abezgauz wrote:
> > Barry - are there specific problems you are encountering? If you provide more information it may be easier to help.
> >
> > Other than that I agree with Rogan, the proxy intercepting a lot of spam is usually the biggest annoyance in applications that are alive and constantly updating. Paros also has a configurable intercept filter which you can easily use to solve that one.
> >
> > Irene
>
> The big thing about the scripting is that it sounds like Barry WANTS to be able to intercept the AJAXy traffic, in order to test how the chat server behaves. BUT, you probably won't have time to manually perform your changes before the browser hits a timeout and tries to send it again, racking up a queue of intercepts, and defeating everything that you are trying to do.
>
> Using the scripting facility allows you to automate the changes that you want to make, so that they happen "instantly", rather than taking however long you take to manually make your changes. Granted, writing the scripts to make your desired changes is not going to be as quick as making a single manual change, but it makes reviewing AJAXy apps a lot more feasible.
>
> By the way, if you use the ScriptManager interface in WebScarab, you get access to the BSF object store via bsf.lookupBean(), which you can use to maintain state in your scripts. e.g. if you only want to make a specific change once, to the next request that goes through, and none after that.
>
> See <http://www.owasp.org/index.php/Scripting_in_WebScarab> and <http://marc.info/?l=owasp-webscarab&m=114562647419874&w=2>
>
> Rogan
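The approach Rogan describes, as an added example that is not part of the original thread or of WebScarab itself: a BeanShell proxy plugin script for WebScarab that rewrites the chat client's next message once, automatically, so the change lands before the browser's retry timeout and no intercept queue builds up. The fetchResponse() hook and the imports follow the OWASP scripting page; the chat path, the getMethod()/getURL().getPath()/getContent()/setContent()/setHeader() calls and the marker text are assumptions for this illustration.

```java
// Added example (not from the thread or the WebScarab project).
// WebScarab calls fetchResponse() for every request the proxy relays,
// so the edit is applied in-line without a manual intercept.
import org.owasp.webscarab.model.Request;
import org.owasp.webscarab.model.Response;
import org.owasp.webscarab.httpclient.HTTPClient;
import java.io.IOException;

// Script-level state persists between calls, which is what lets the
// change be applied exactly once, to the next matching request only.
// (In a ScriptManager hook the same state can live in the BSF object
// store via bsf.registerBean() / bsf.lookupBean(), as Rogan notes.)
boolean alreadyChanged = false;

// Assumed: the chat client posts each message to this path (placeholder).
String chatPath = "/chat/send";

public Response fetchResponse(HTTPClient nextPlugin, Request request) throws IOException {
    // Assumed Request/HttpUrl API: getMethod() and getURL().getPath().
    String path = request.getURL().getPath();
    if (!alreadyChanged && "POST".equals(request.getMethod()) && path.startsWith(chatPath)) {
        // Assumed Message API: getContent()/setContent() hold the raw body.
        byte[] body = request.getContent();
        if (body != null) {
            String text = new String(body, "UTF-8");
            // Append a harmless marker so the server's handling of an
            // altered message can be observed in the next response.
            String mutated = text + " [script-marker]";
            byte[] out = mutated.getBytes("UTF-8");
            request.setContent(out);
            request.setHeader("Content-Length", String.valueOf(out.length));
            alreadyChanged = true;  // never touch a later request
        }
    }
    // Hand the (possibly modified) request down the chain as usual.
    Response response = nextPlugin.fetchResponse(request);
    return response;
}
```

Reload the script in the proxy's BeanShell tab to reset alreadyChanged and arm the one-shot change again.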
Current thread:
- Any special tool for testing a web chat application? Barry Archer (Feb 05)
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)
- Re: Any special tool for testing a web chat application? Barry Archer (Feb 10)
- Re: Any special tool for testing a web chat application? Rogan Dawes (Feb 05)