One of the tasks I have at work is security testing. Watir makes a great tool for security testing of web apps. There are several reasons for this:
- Many of the common web application vulnerabilities (SQL injection, cross-site scripting, buffer overflows) come down to submitting unexpected input to a web server through a client. That is pretty much what Watir is all about. It even gives you access to hidden form elements, so it is a great tool for submitting arbitrary form data to a web server.
- The Ruby side of Watir, being a full-featured language, has great tools for querying the database, checking audit logs and the like. You can also generate random data (or large datasets) to throw at a web app, or pull the test data from a CSV file.
- Some things cannot be done through Watir but can certainly be done in Ruby. Again, this is perfect, because Watir is not really a test framework; it is just a way to drive the browser when you need to. Lower-level tests (such as web service communication or network tests) can be run through Ruby and RSpec, or whatever test framework you are actually using.
In short, Watir makes a terrific tool in your arsenal for web security testing.
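As an added example (not code from the original post), here is what a CSV-driven Watir check looks like: the test inputs live in a constructed CSV, a pure-Ruby helper classifies whether each value came back in the page unescaped, HTML-escaped, or not at all, and the Watir part drives the form. The form field name `q`, the hidden field `token`, and the URL are assumptions.

```ruby
require 'csv'
require 'cgi'

# Constructed test data: a label and the value to submit through the form.
# Each value carries a unique marker so it can be found in the response.
TEST_INPUTS_CSV = <<~CSV
  label,value
  plain,hello world
  angle_brackets,<b>wtr-7f3a</b>
  quote,"say ""wtr-9c1d"""
CSV

# Parse the CSV into [label, value] pairs (Ruby's CSV handles the quoting).
def load_inputs(csv_text)
  CSV.parse(csv_text, headers: true).map { |row| [row['label'], row['value']] }
end

# Classify how a submitted value shows up in the returned HTML:
#   :plain     - value had no HTML-special characters and is present
#   :unescaped - special characters came back verbatim (output encoding missing)
#   :escaped   - only the HTML-escaped form is present (the safe case)
#   :absent    - the value was not reflected at all
def reflection_status(html, value)
  escaped = CGI.escapeHTML(value)
  return :plain if escaped == value && html.include?(value)
  return :unescaped if escaped != value && html.include?(value)
  return :escaped if html.include?(escaped)
  :absent
end

# Drive the browser with Watir. Assumed page layout: a text field named 'q',
# a hidden field named 'token', and a submit button. The watir gem and a
# browser are only needed when this method is actually called.
def check_form_reflections(url, inputs)
  require 'watir'
  browser = Watir::Browser.new
  results = {}
  inputs.each do |label, value|
    browser.goto(url)
    browser.text_field(name: 'q').set(value)
    # Hidden elements are reachable too; record the token for the audit log.
    token = browser.hidden(name: 'token').value
    browser.button(type: 'submit').click
    results[label] = { status: reflection_status(browser.html, value), token: token }
  end
  results
ensure
  browser&.close
end
```

A result of `:unescaped` for any labelled input is the finding to raise; `:escaped` is the behaviour you want to see.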