Being new to testing and ruby, are there "standard" tests that can be done that test for things like cross site scripting and friends?

If not, anyone have ideas on what I might do about testing those sorts of things?

I'll be using rails, also.

Mike B.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
I have a plugin called "dumbass". It just greps through your views and looks for things like <%= user.name %> which should be <%=h user.name %>

The name comes from the word I called myself when I found I'd forgotten to do that over and over in one app.

script/plugin install svn://caboo.se/plugins/court3nay/dumbass

run it with

rake dumbass

I'm eager to find other simple ways of detecting vulnerabilities. I actually have another plugin/script (spider_test) which is a rails integration test; it spiders over your whole app looking for errors. One of its features is to randomly fill in your forms (a weak form of fuzzing). I would really like to expand that so that it pushes sql injection and XSS and other types of security issues.

Is that what you meant?

On 6/18/07, barsalou <barjunk at attglobal.net> wrote:
> Being new to testing and ruby, are there "standard" tests that can be
> done that test for things like cross site scripting and friends?
>
> If not, anyone have ideas on what I might do about testing those sorts
> of things?
>
> I'll be using rails, also.
>
> Mike B.
>
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> Being new to testing and ruby, are there "standard" tests that can be
> done that test for things like cross site scripting and friends?
>

I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)

XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not sure how you think RSpec is relevant. Unless you want to use Watir or Selenium-RC, which allows you to talk to a browser from Ruby (and RSpec)

> If not, anyone have ideas on what I might do about testing those sorts
> of things?
>

Can you be more specific about what you want to verify?

Aslak

> I'll be using rails, also.
>
> Mike B.
On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > Being new to testing and ruby, are there "standard" tests that can be
> > done that test for things like cross site scripting and friends?
> >
>
> I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
>
> XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> sure how you think RSpec is relevant. Unless you want to use Watir or
> Selenium-RC, which allows you to talk to a browser from Ruby (and
> RSpec)

I'd say they want to assert, in the views, that user-generated input does not render script tags.

Like if I set my user info to be <script>alert('cookie!');</script> it should appear in the view as &lt;script&gt;alert and so on.

Maybe in the view spec

@user.stub!(:info).and_return('<script>foo</script>')
response.should not_have_tag('script')

Right?
On 6/19/07, Courtenay <court3nay at gmail.com> wrote:
> On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > Being new to testing and ruby, are there "standard" tests that can be
> > > done that test for things like cross site scripting and friends?
> > >
> >
> > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> >
> > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > sure how you think RSpec is relevant. Unless you want to use Watir or
> > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > RSpec)
>
> I'd say they want to assert, in the views, that user-generated input
> does not render script tags.
>
> Like if I set my user info to be <script>alert('cookie!');</script> it
> should appear in the view as &lt;script&gt;alert and so on.
>
> Maybe in the view spec
>
> @user.stub!(:info).and_return('<script>foo</script>')
> response.should not_have_tag('script')
>

Oh I see. Your example sounds like a good way to prevent against it.

Aslak

> Right?
Responding to:
From: court3nay at gmail.com (Courtenay)
Date: Mon, 18 Jun 2007 17:23:37 -0700
Subject: [rspec-users] Testing for cross site scripting, etc.

> On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > Being new to testing and ruby, are there "standard" tests that can be
> > > done that test for things like cross site scripting and friends?
> > >
> >
> > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> >
> > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > sure how you think RSpec is relevant. Unless you want to use Watir or
> > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > RSpec)
>
> I'd say they want to assert, in the views, that user-generated input
> does not render script tags.
>
> Like if I set my user info to be <script>alert('cookie!');</script> it
> should appear in the view as &lt;script&gt;alert and so on.
>
> Maybe in the view spec
>
> @user.stub!(:info).and_return('<script>foo</script>')
> response.should not_have_tag('script')
>
> Right?

This is exactly the kind of thing I was looking for. I do have a question though. Do the two lines above really test anything? Or were you just showing an example of what I might do?

Also, the fact that you wrote the dumbass plugin makes me wonder why <%=h user.name =%> is needed? I get what you're doing, but why doesn't escaping happen in the form? Aren't there protections already built-in, especially in rails, to escape form fields?

Can you do this same sort of thing for SQL injection problem as well?

Mike B.
On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > Being new to testing and ruby, are there "standard" tests that can be
> > > done that test for things like cross site scripting and friends?
> > >
> >
> > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> >
> > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > sure how you think RSpec is relevant. Unless you want to use Watir or
> > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > RSpec)
>
> I'd say they want to assert, in the views, that user-generated input
> does not render script tags.
>
> Like if I set my user info to be <script>alert('cookie!');</script> it
> should appear in the view as &lt;script&gt;alert and so on.
>
> Maybe in the view spec
>
> @user.stub!(:info).and_return('<script>foo</script>')
> response.should not_have_tag('script')
>
> Do the two lines above really test anything? Or were you just showing
> an example of what I might do?

They're an approximate example. Your code will look slightly different.

> Also, the fact that you wrote the dumbass plugin makes me wonder why
> <%=h user.name =%> is needed? I get what you're doing, but why doesn't
> escaping happen in the form? Aren't there protections already
> built-in, especially in rails, to escape form fields?

That's what <%=h is. Html escaping. It's easy to forget. Note there is no trailing

> Can you do this same sort of thing for SQL injection problem as well?
>
> Mike B.

Rails has inbuilt injection safety, provided you follow the suggested practise. I suggest you read up on it before we revoke your rails license: http://manuals.rubyonrails.com/read/chapter/40 :)
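An added example, not code from the thread or from the dumbass plugin: it renders the payload Courtenay quoted through plain ERB with and without h (ERB::Util's h, the same function Rails' h aliases), and then performs the static check dumbass greps for, listing every <%= ... %> output tag whose expression is not wrapped in h. The view fragments and function names are constructed for the illustration.

```ruby
require 'erb'
include ERB::Util   # brings in html_escape and its alias h (what Rails' h points at)

# Constructed user-supplied value: the payload from Courtenay's example.
USER_INFO = "<script>alert('cookie!');</script>"

# Two constructed view fragments (hypothetical, not from the thread):
# one forgets to escape, the other uses <%=h ... %>.
UNSAFE_VIEW = "<p><%= info %></p>"
SAFE_VIEW   = "<p><%=h info %></p>"

# Render an ERB fragment with the local variable `info` visible to it.
# ERB::Util is mixed in at top level, so h() resolves inside the template.
def render_view(template, info)
  ERB.new(template).result(binding)
end

# True when the rendered HTML still carries a live <script> tag, i.e. the
# browser would execute the user's markup instead of displaying it.
def renders_script_tag?(template, info)
  render_view(template, info).include?("<script>")
end

# Static check in the spirit of the dumbass plugin: list every <%= ... %>
# output expression that is not wrapped in h / html_escape. Feed it the
# source of each view; a spec or rake task can fail when the list is non-empty.
def unescaped_outputs(erb_source)
  erb_source.scan(/<%=\s*(.*?)\s*-?%>/m).flatten.reject do |expr|
    expr =~ /\A(h|html_escape)\b/
  end
end

if __FILE__ == $0
  puts "unescaped view: #{render_view(UNSAFE_VIEW, USER_INFO)}"
  puts "escaped view:   #{render_view(SAFE_VIEW, USER_INFO)}"
  puts "tags needing h: #{unescaped_outputs(UNSAFE_VIEW).inspect}"
end
```

The scanner is a heuristic like the original grep: it flags the expression text only, so a helper that escapes internally would still be reported and needs a manual look.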
We wrote a custom rspec matcher for this, example:

response.should contain_escaped("<u>user name</u>")

The custom matcher first checks that the escaped text appears in the page (so you know you're actually checking for something that is really there) and then checks that the unescaped text does not appear in the page. It also makes sure that the text you've provided actually contains something that can be escaped in it, again failing on bogus examples. I'd be happy to release it somehow. Failing that here's the code for it:
require 'erb'

module CDD
  module CustomRspecMatchers
    # Passes only when the HTML-escaped form of the given text is present in
    # the response body and the raw, unescaped form is not.
    class ContainEscaped
      include ERB::Util
      attr_reader :failure_message

      def initialize(unescaped)
        @unescaped = unescaped
        @escaped = html_escape(@unescaped)
      end

      def matches?(response)
        if @escaped == @unescaped
          # Nothing in the text needs escaping, so the example proves nothing: fail it.
          @failure_message = "no HTML in \"#{@unescaped}\""
          return false
        elsif response.body =~ %r(#{Regexp.escape(@unescaped)})
          @failure_message = "unescaped \"#{@unescaped}\" found in page"
          return false
        elsif response.body !~ %r(#{Regexp.escape(@escaped)})
          @failure_message = "escaped \"#{@unescaped}\" not found in page"
          return false
        else
          return true
        end
      end

      def negative_failure_message
        raise "you can't use should_not with the contain_escaped matcher"
      end
    end

    def contain_escaped(unescaped)
      ContainEscaped.new(unescaped)
    end
  end
end
That's just sitting inside spec_helper.rb, and then of course we include CDD::CustomRspecMatchers (I guess that should be CustomRSpecMatchers) inside the Spec::Runner.configure do block. Any improvement suggestions welcome.

CDD is the name of our company (www.collaborativedrug.com), in case that wasn't clear.

Moses
On 6/19/07, Courtenay <court3nay at gmail.com> wrote:
>
> On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > On 6/18/07, aslak hellesoy <aslak.hellesoy at gmail.com> wrote:
> > > On 6/19/07, barsalou <barjunk at attglobal.net> wrote:
> > > > Being new to testing and ruby, are there "standard" tests that can
> > > > be done that test for things like cross site scripting and friends?
> > > >
> > >
> > > I suppose you mean http://en.wikipedia.org/wiki/Cross-site_scripting (XSS)
> > >
> > > XSS happens *in* the browser, where Ruby doesn't run (yet), so I'm not
> > > sure how you think RSpec is relevant. Unless you want to use Watir or
> > > Selenium-RC, which allows you to talk to a browser from Ruby (and
> > > RSpec)
> >
> > I'd say they want to assert, in the views, that user-generated input
> > does not render script tags.
> >
> > Like if I set my user info to be <script>alert('cookie!');</script> it
> > should appear in the view as &lt;script&gt;alert and so on.
> >
> > Maybe in the view spec
> >
> > @user.stub!(:info).and_return('<script>foo</script>')
> > response.should not_have_tag('script')
> >
> > Do the two lines above really test anything? Or were you just showing
> > an example of what I might do?
>
> They're an approximate example. Your code will look slightly different.
>
> > Also, the fact that you wrote the dumbass plugin makes me wonder why
> > <%=h user.name =%> is needed? I get what you're doing, but why doesn't
> > escaping happen in the form? Aren't there protections already
> > built-in, especially in rails, to escape form fields?
>
> That's what <%=h is. Html escaping. It's easy to forget. Note there is no trailing
>
> > Can you do this same sort of thing for SQL injection problem as well?
> >
> > Mike B.
>
> Rails has inbuilt injection safety, provided you follow the suggested
> practise. I suggest you read up on it before we revoke your rails
> license: http://manuals.rubyonrails.com/read/chapter/40 :)