[rspec-users] Testing for cross site scripting, etc.

Courtenay court3nay at gmail.com
Mon Jun 18 19:51:55 EDT 2007


I have a plugin called "dumbass".  It just greps through your views
and looks for things like

  <%= user.name %>

which should be

  <%=h user.name %>

The name comes from the word I called myself when I found I'd
forgotten to do that over and over in one app.

  script/plugin install svn://caboo.se/plugins/court3nay/dumbass

run it with

  rake dumbass

I'm eager to find other simple ways of detecting vulnerabilities.

I actually have another plugin/script (spider_test) which is a rails
integration test; it spiders over your whole app looking for errors.

One of its features is to randomly fill in your forms (a weak form of
fuzzing).  I would really like to expand that so that it pushes SQL
injection and XSS and other types of security issues.

Is that what you meant?

On 6/18/07, barsalou <barjunk at attglobal.net> wrote:
> Being new to testing and ruby, are there "standard" tests that can be
> done that test for things like cross site scripting and friends?
>
> If not, anyone have ideas on what I might do about testing those sorts
> of things?
>
> I'll be using rails, also.
>
> Mike B.
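The grep-style check described above, as an added example written for this thread (it is not the code of the dumbass plugin or of spider_test): a small Ruby scanner that walks ERB source line by line, pulls out every `<%= ... %>` output tag, and reports the ones whose expression is not wrapped in the Rails `h` / `html_escape` helper. The sample view is constructed for the demonstration; the only helper names it treats as "escaped" are `h` and `html_escape`, which is an assumption about the app's conventions. Anything else (such as a `link_to` call) is reported so a human can decide whether the helper escapes its arguments.

```ruby
#!/usr/bin/env ruby
# Added example, not the dumbass plugin's code. Scans ERB templates for
# output tags that are not passed through the escaping helper.

# Matches `<%= expr %>` and `<%= expr -%>`, capturing the expression.
# Tags that span several lines are not matched (limitation of the
# line-by-line approach; they would need a whole-file scan).
OUTPUT_TAG = /<%=\s*(.*?)\s*-?%>/

# Helper names assumed to HTML-escape their argument (assumption).
ESCAPE_HELPERS = %w[h html_escape].freeze

# True when the expression starts with one of the escaping helpers,
# e.g. "h user.name" or "html_escape(user.bio)".
def escaped?(expr)
  expr.match?(/\A(#{ESCAPE_HELPERS.join('|')})\b/)
end

# Returns [[line_number, expression], ...] for every unescaped output tag.
def find_unescaped_output(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    line.scan(OUTPUT_TAG) do |captures|
      expr = captures.first
      findings << [lineno, expr] unless escaped?(expr)
    end
  end
  findings
end

# Constructed sample view: line 1 and line 4 should be reported,
# lines 2 and 3 use the helper and should pass.
SAMPLE_VIEW = <<~ERB
  <h1>Profile for <%= user.name %></h1>
  <p>Email: <%=h user.email %></p>
  <p>Bio: <%= h(user.bio) %></p>
  <p>Site: <%= link_to user.site, user.site %></p>
ERB

if __FILE__ == $0
  # With file arguments, behave like a rake task over app/views;
  # without, run on the constructed sample.
  sources = ARGV.empty? ? { 'SAMPLE_VIEW' => SAMPLE_VIEW } :
                          ARGV.to_h { |path| [path, File.read(path)] }
  sources.each do |name, src|
    find_unescaped_output(src).each do |lineno, expr|
      puts "#{name}:#{lineno}: unescaped output <%= #{expr} %>"
    end
  end
end
```

Run it as `ruby scan_views.rb app/views/**/*.erb` to check a real tree; with no arguments it reports lines 1 and 4 of the sample. Treating every non-`h` expression as a finding is deliberate: false positives cost a glance, a missed `<%= user.name %>` costs an XSS.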