Testing Specific Network Requests Quickly

You have seen how the proxy testing approach can easily be used to intercept client network requests, manipulate them, and send them to the server. As mentioned earlier, this works well for making a single change, but testing many different manipulations of a single network request one at a time requires triggering the client to make the network request each time so that the modification can be made in the proxy. Sometimes getting the client to make the desired network request requires many steps. This can quickly become time-consuming. A more efficient approach for testing multiple manipulations of a specific network request is to use a program that sends the desired modified network request directly to the test server.

WFetch is a tool that enables you to make custom HTTP requests. To exert the most control over the request, you can use Raw Request mode. For example, in the ticket-ordering example discussed earlier, to make modified versions of the ticket reservation request, capture the normal request in Web Proxy Editor (as shown in Figure 4-7), copy the request, and paste it into the large Raw Request text box, as shown in Figure 4-11.

Figure 4-11: Making custom HTTP requests in WFetch to test many variations of a single request quickly

Then, any part of the request can be modified. What happens when the alphabetic string abc is sent as the Ticketcount instead of the expected numeric value? To test this, change the last few characters of the raw request from 4 to abc (see Figure 4-12). Because the request body is now longer by two characters, update the Content-Length header from 27 to 29. (WFetch doesn't update the Content-Length header in Raw Request mode, but it does in the other modes available.)

Figure 4-12: Changing the numeric Ticketcount value to an alphabetic value, which results in a server-side VBScript runtime error
Tip: HTTP requests can be made without specifying the Content-Length header. Often, it is easiest to remove this header when you make many modifications in WFetch so that it isn't necessary to recalculate the value manually for each request. However, it is sometimes interesting to test by using both correct and incorrect values to exercise additional code paths.

After sending the request to the server, the WFetch log output window shows the server's response. In this case, a VBScript error occurred on the server. The input abc doesn't cause the server to crash, but it does cause an information disclosure bug: the error page reveals that VBScript is being used on the server and that there was a type mismatch on line 21 of ticketProcessor.asp. Information disclosure bugs are discussed in more detail in Chapter 7.
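The same workflow (edit one field of a captured raw request, fix or drop the Content-Length header, send the request straight to the test server, and check the reply for a verbose error page) can be scripted so that many variations run without going through the proxy each time. The following is an added example, not code from the book or from WFetch; the sample request, host name, path and field names are constructed assumptions, and the error-page fragments it looks for are those of a standard ASP/VBScript runtime error.

```python
import re
import socket

# Constructed sample modelled on the ticket reservation POST in the text; host,
# path and field names are assumptions. The body is 27 bytes, as in the text.
CAPTURED_REQUEST = (
    "POST /ticketProcessor.asp HTTP/1.1\r\n"
    "Host: testserver.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "Event=Concert&Ticketcount=4"
)

# Fragments typical of a verbose ASP/VBScript error page (the disclosure described above).
DISCLOSURE_PATTERNS = [r"Microsoft VBScript runtime error", r"Type mismatch",
                       r"\.asp, line \d+"]

def set_field(raw, name, value, fix_length=True):
    """Copy of `raw` with form field `name` set to `value`. fix_length=True recomputes
    Content-Length (Raw Request mode does not); False drops it, as the tip suggests."""
    head, _, body = raw.partition("\r\n\r\n")
    new_body = re.sub(rf"(^|&){re.escape(name)}=[^&]*",
                      lambda m: m.group(1) + name + "=" + value, body)
    lines = [h for h in head.split("\r\n")
             if not h.lower().startswith("content-length:")]
    if fix_length:
        lines.append("Content-Length: %d" % len(new_body.encode("utf-8")))
    return "\r\n".join(lines) + "\r\n\r\n" + new_body

def content_length(raw):
    """Declared Content-Length of a raw request, or None if the header is absent."""
    m = re.search(r"content-length:\s*(\d+)", raw, re.I)
    return int(m.group(1)) if m else None

def find_disclosures(response_text):
    """Disclosure patterns present in a server response (empty list if clean)."""
    return [p for p in DISCLOSURE_PATTERNS if re.search(p, response_text, re.I)]

def send_raw(raw, host, port=80, timeout=5.0):
    """Send a raw request over plain TCP to the test server and return its response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw.encode("utf-8"))
        chunks = []
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:  # server kept the connection open; return what arrived
            pass
    return b"".join(chunks).decode("utf-8", "replace")
```

To run a batch of variations, loop over candidate values, call `set_field` for each, pass the result to `send_raw` against your own test server, and collect the `find_disclosures` hits per value.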


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156