tags:

views:

230

answers:

4
+14  Q: 

Zero-configuration, automated, random testing tools for web-apps?

In short, I'm looking for a tool to perform an automated, zero-configuration, full-frontal assault on a web application.

I'm thinking this would logically be a browser-extension that both crawls links on a given domain/path, AND randomly inputs data into forms and submits them. Specifically, form input would randomly include various data types, special characters, excessive data, various character encodings, and null values. Multithreading is a necessity (perhaps one plugin simply utilizing multiple Firefox tabs).

The tool does NOT (and should not) need to make any assertions about the results, or verify any application behavior. Instead, the persistence layer (DB records, etc) and applications logs would be used to evaluate the results of this "testing effort."

This would be a tool to complement existing testing tools (Selenium, QuickTestPro) and methodologies that may not have 100% coverage.

Any suggestions for existing or in-development tools? If not, I am eager to start an open-source project.

CLARIFICATION: I am specifically not looking for a penetration testing tool.

UPDATE: I have founded an open source project to satisfy this question. See comments below.

A: 

What about paros? http://www.parosproxy.org/functions.shtml

Toby  2010-01-23 00:07:46
I just installed Paros and tried it against my project. Penetration testing is specifically not my goal, but the tool's capabilities are in line with what I'm looking for... the input behavior would just need to be changed.
Dolph  2010-01-23 06:54:28
+1  A: 

I used the trial of Acunetix for a while. It seemed reasonably effective, although it took longer than I thought it ought to and it's certainly not open source.

I forgot what the thing was called, and this list at SoftwareQATest is where I found it again. That list may be useful to you. The list of testing tools at OWASP looks similarly handy.

keturn  2010-01-25 12:03:14
As I stated in my reply to Toby's answer, I'm specifically NOT looking for a penetration testing tool, nor am I interested in having the tool evaluate any "results." I'm giving you a point for that first list though, even though I couldn't find anything relevant on it.
Dolph  2010-01-25 13:48:30
And yet, "randomly input data [...] include various data types, special characters, excessive data, various character encodings, and null values" is exactly what a web-based pen-testing tool will *do*.
keturn  2010-01-25 23:30:13
_"and it's certainly not open source"_ Oh no, how could it possibly be useful then.
John  2010-02-01 17:01:00
+1  A: 

It sounds like a fuzz testing tool may be what you need; tools like Wapiti will scan your app looking for parameterized URLs and forms to fill out, and use randomly generated data to exercise them.

Here is a good list of web app fuzzing tools.

gareth_bowles  2010-01-27 17:03:40
Fuzzing is definitely the term for what I'm looking for, but none of the tools I can find (that describe themselves as such) offer the basic features that I'm looking for. They're too focused on security, producing narrowly defined inputs, and analyzing the application's response. I'm more interested in simulating an insane user, not a malicious one.
Dolph  2010-01-29 16:09:36
A: 

I'm not sure I've came across anyting that fits the bill exactly, but Sulley is fairly close...

http://code.google.com/p/sulley/

I've never used it first hand, but I've heard it mentioned. Additionally, perhaps check this out:

http://www.owasp.org/index.php/Category:OWASP_JBroFuzz

Dave  2010-02-01 16:58:21
I tried both of those through keturn's answer, and neither was quite right. It looks like I'll be rolling my own solution as an open source Firefox plugin in the near future. Thanks though!
Dolph  2010-02-01 21:23:05

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?