E-mail List Archives
Re: Tools for automated testing of password-protected sites?
From: Karl Groves
Date: Mar 31, 2015 12:00PM
Caroline,
Testing behind authentication is hit or miss for any tool. HTTP
authentication (also often referred to as Basic authentication or
realm authentication) is probably the easiest for a tool to use
because it uses standardized HTTP headers etc. to do it.
After that, all bets are off, really. Many sites use cookies and/or
session IDs to determine whether the user is authenticated or not.
There are two concerns in this scenario: first, the tool must be able
to pass through the necessary ID/PW combination to establish the
session, and second, the tool must be able to save & persist the
cookie(s) and pass back the necessary requests that the server makes
for that detail.
In short, if testing behind authentication is important, you really
want to take the time to verify any vendor's claim that their tool can
do so on your system(s).
Karl
On Tue, Mar 31, 2015 at 12:11 PM, cb < <EMAIL REMOVED> > wrote:
> Thanks for the suggestions. I'm also looking to get feedback from
> people who are using these - or any other - tools on
> password-protected sites, especially ones that use third-party
> authentication where you don't have control over user accounts. How
> well does this work? What's the process like for setting it up? Is
> there a tool that handles this aspect particularly well?
>
> Thanks
>
> Caroline
>
> On Mon, Mar 30, 2015 at 8:23 AM, Srinivasu Chakravarthula
> < <EMAIL REMOVED> > wrote:
>> +1 to Deque and SSB's tools.
>>
>> Besides, you may want to try bookmarklet of HTML Code Sniffer
>> <http://squizlabs.github.io/HTML_CodeSniffer/>.
>>
>> That said, be sure to do a manual audit too.
>> Thanks,
>> Srini
>>
>> On Thu, Mar 26, 2015 at 11:29 PM, Thomas McKeithan II < <EMAIL REMOVED> >
>> wrote:
>>
>>> Are you looking for an enterprise tool?
>>>
>>> Deque's Worldspace tool might help or SSB Bart's AMP platform.
>>>
>>> Respectfully,
>>> Thomas Lee McKeithan II
>>> QSSI
>>> http://www.qssinc.com
>>> 508 SME, SSQA Solutions Center
>>> 10480 Little Patuxent Pkwy, Suite 350
>>> Columbia, MD 21044
>>> (301) 977-7884 x1058 (Work)
>>> (202) 276-6437 (Cell)
>>>
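
The two concerns in the message above (submitting the ID/PW to establish a session, then persisting the cookie on later requests) can be checked with a small harness like this one. It is an added example, not part of the original thread; the `DemoSite` server, the `/login` and `/account` paths and the demo credentials are all constructed for illustration.

```python
import secrets, threading, urllib.error, urllib.parse
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, ProxyHandler, build_opener

SESSIONS = set()  # session IDs issued by the constructed demo server

class DemoSite(BaseHTTPRequestHandler):
    def reply(self, status, cookie=None):
        self.send_response(status)
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):  # /login: form credentials establish a session
        size = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(size).decode())
        if form.get("user") == ["demo"] and form.get("pw") == ["demo-pw"]:
            sid = secrets.token_hex(16)
            SESSIONS.add(sid)
            self.reply(200, f"sid={sid}; HttpOnly; Path=/")
        else:
            self.reply(401)

    def do_GET(self):  # every other page requires the session cookie
        sid = self.headers.get("Cookie", "").partition("sid=")[2].split(";")[0]
        self.reply(200 if sid in SESSIONS else 403)

def status(client, url, data=None):
    """Return the HTTP status code, including error statuses."""
    try:
        with client.open(url, data=data, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_check():
    """Log in, then request a protected page, with and without a cookie jar."""
    with HTTPServer(("127.0.0.1", 0), DemoSite) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}"
        creds = urllib.parse.urlencode({"user": "demo", "pw": "demo-pw"}).encode()
        clients = {  # ProxyHandler({}) ignores proxy environment variables
            "no_cookie_jar": build_opener(ProxyHandler({})),
            "cookie_jar": build_opener(ProxyHandler({}), HTTPCookieProcessor(CookieJar())),
        }
        results = {name: (status(c, base + "/login", creds), status(c, base + "/account"))
                   for name, c in clients.items()}
        server.shutdown()
    return results
```

`run_check()` returns a `(login status, protected page status)` pair per client. Both clients log in successfully, but only the one that stores and replays the cookie reaches the protected page.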