Automating Web Testing Beyond OWASP WebScarab Using Python
Brad Causey, OWASP Guy, IISFA Guy
LASCON 2010, Austin, TX

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
About Brad
  - Survivalist
  - MMA
  - Local cop
  - Gun enthusiast
  - Married with 5 kids

About Brad
  - Instructor for 8 years
  - Various publications: books, training videos
  - BBVA Compass, Security Analyst
  - OWASP GPC
  - OWASP Alabama Chapter Lead
  - IISFA Alabama Chapter Lead
Why are we here?
  - We have a need to automate tests
  - Some of these tests are difficult
  - The tests have to adapt to the app
  - WebScarab and Python are both pretty popular

Why WebScarab?
  - Open source
  - Scriptable
  - Uses plain text to store data
  - Cross-platform
  - Browser agnostic
WS Configuration and Special Notes
  - Saved session structure
  - Scripting WebScarab (the Scripted plugin takes BeanShell, i.e. Java syntax):
      import org.owasp.webscarab.model.HttpUrl;
      import org.owasp.webscarab.model.Request;
      import org.owasp.webscarab.model.Response;
WS Advanced Features
  - Search
  - Extensions
  - Session ID analysis
  - XSS tagging

WS Weaknesses
  - AJAX
  - Performance
  - Output format
  - Reporting

Why Python?
  - Open source
  - Interpreted
  - Plain text
  - Great support
  - Cross-platform
  - Text processing

A Python Primer
  - Very clear, readable syntax
  - Strong introspection capabilities
  - Intuitive object orientation
  - Natural expression of procedural code
  - Exception-based error handling
  - Very high level dynamic data types
  - Extensive standard libraries
  - Embeddable within applications as a scripting interface
Useful Python Libraries: string methods (built in)
  - .find  (returns -1 when the substring is absent)
  - .index (same search, but raises ValueError when absent)
  - .count

Useful Python Libraries: urllib2 (built in)
  - .urlopen
  - Encoding data for the request (urlencode)

Gluing the two together
  - WebScarab files
  - A Python file reader
  - WebScarab storage in depth

Possibilities are endless!
  - HTTP method testing
  - POST/GET fuzzing
  - Cookies? Yes!
      import cookielib, urllib2
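The following is an added example for these slides (the string methods, urllib, the WebScarab file reader, and the cookie-aware fuzzing), not code from the original deck. It assumes a WebScarab saved conversation is a raw HTTP request stored as one text file; SAMPLE_REQUEST is a constructed file in that style, not a real capture. The deck's Python 2 names urllib2 and cookielib appear here under their Python 3 names urllib.request and http.cookiejar.

```python
"""Read a WebScarab-style saved request with plain Python, turn every
parameter into a fuzz case, and replay through a cookie-aware opener.

Added example, not from the deck. Assumptions: the saved conversation is a
raw HTTP request in one file (SAMPLE_REQUEST below is constructed in that
style, not a real capture); urllib2/cookielib are used under their
Python 3 names urllib.request / http.cookiejar.
"""
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: request line, headers, blank line, body, CRLF endings.
SAMPLE_REQUEST = (
    b"POST http://target.example/login?next=/home HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: JSESSIONID=ABC123\r\n"
    b"\r\n"
    b"user=brad&pass=secret"
)

# One parameter is replaced at a time so a hit is attributable to it.
PAYLOADS = ["'", "\"><script>alert(1)</script>", "../../../etc/passwd", "A" * 512]

# urllib recomputes Host/Content-Length and the cookie jar supplies Cookie;
# replaying the recorded values would conflict with the mutated request.
SKIP_HEADERS = {"host", "content-length", "cookie"}


def parse_request(raw):
    """Split a raw HTTP request into (method, url, headers, body).
    Accepts an absolute URL or a bare path (joined with the Host header)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = target if target.startswith("http") else "http://" + headers.get("Host", "") + target
    return method, url, headers, body.decode("latin-1")


def parameters(method, url, body):
    """Return [(location, name, value)] for query-string and form parameters."""
    query = urllib.parse.urlsplit(url).query
    params = [("query", n, v) for n, v in urllib.parse.parse_qsl(query, keep_blank_values=True)]
    if method == "POST" and body:
        params += [("body", n, v) for n, v in urllib.parse.parse_qsl(body, keep_blank_values=True)]
    return params


def fuzz_requests(raw, payloads=PAYLOADS):
    """Build one urllib.request.Request per (parameter, payload) pair without
    sending anything. Returns [(location, name, payload, Request)]."""
    method, url, headers, body = parse_request(raw)
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    form = urllib.parse.parse_qsl(body, keep_blank_values=True) if body else []
    keep = {k: v for k, v in headers.items() if k.lower() not in SKIP_HEADERS}
    out = []
    for where, name, _ in parameters(method, url, body):
        for payload in payloads:
            q = [(n, payload if where == "query" and n == name else v) for n, v in query]
            f = [(n, payload if where == "body" and n == name else v) for n, v in form]
            new_url = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))
            data = urllib.parse.urlencode(f).encode() if method == "POST" else None
            out.append((where, name, payload,
                        urllib.request.Request(new_url, data=data, headers=keep, method=method)))
    return out


def decoded(req):
    """(query dict, form dict) of a built Request, for inspection."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(req.full_url).query)
    form = urllib.parse.parse_qs(req.data.decode()) if req.data else {}
    return query, form


def seed_jar(cookie_header, domain):
    """Seed a CookieJar from the recorded Cookie header so the fuzz run rides
    the captured session; the jar then also tracks any Set-Cookie replies."""
    jar = http.cookiejar.CookieJar()
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            jar.set_cookie(http.cookiejar.Cookie(
                0, name, value, None, False, domain, True, False, "/", True,
                False, None, True, None, None, {}))
    return jar


def reflected(body, payload):
    """The deck's str-method oracle: .find is -1 on a miss (where .index would
    raise); .count says how many times the payload came back verbatim."""
    return body.count(payload) if body.find(payload) != -1 else 0


def run(raw, payloads=PAYLOADS):
    """Send every mutation through the cookie-aware opener (network; not run
    offline) and report (location, name, payload) triples that reflect."""
    method, url, headers, _ = parse_request(raw)
    jar = seed_jar(headers.get("Cookie", ""), urllib.parse.urlsplit(url).hostname)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    hits = []
    for where, name, payload, req in fuzz_requests(raw, payloads):
        try:
            with opener.open(req, timeout=10) as resp:
                text = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies are still worth scanning
            text = err.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            continue
        if reflected(text, payload):
            hits.append((where, name, payload))
    return hits
```

Run against a captured request file with `run(open("12-request", "rb").read())`; only `run` touches the network, so the parsing and mutation can be checked offline first. The Cookie header is deliberately dropped from the replayed request and reinstated by the jar, so a login that rotates the session cookie mid-run is followed instead of silently testing a dead session.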
Demo!
The Norris convention center?