E-mail List Archives
Thread: Tools for automated testing of password-protected sites?
Number of posts in this thread: 6 (In chronological order)
From: cb
Date: Thu, Mar 26 2015 11:04AM
Subject: Tools for automated testing of password-protected sites?
No previous message | Next message →
Hi all,
I'm doing some research on automated site accessibility testing.
Specifically, I'm looking for tools or services that work well with
password-protected sites. How are these things handled? Do you create
dummy accounts on test sites? How do you handle credentials if you
need to test live sites? How about if you're using third-party
authentication such as OAuth or Shibboleth? Do you have any
recommendations for specific tools?
Thanks
Caroline
From: Thomas McKeithan II
Date: Thu, Mar 26 2015 11:59AM
Subject: Re: Tools for automated testing of password-protected sites?
← Previous message | Next message →
Are you looking for an enterprise tool?
Deque's Worldspace tool might help or SSB Bart's AMP platform.
Respectfully,
Thomas Lee McKeithan II
QSSI
http://www.qssinc.com
508 SME, SSQA Solutions Center
10480 Little Patuxent Pkwy , Suite 350
Columbia , MD 21044
(301 )977-7884Â x1058 (Work)
(202) 276-6437 (Cell)
Â
This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic email or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify the sender by reply email and delete the original message (including any attachments) in its entirety.
From: Srinivasu Chakravarthula
Date: Mon, Mar 30 2015 9:23AM
Subject: Re: Tools for automated testing of password-protected sites?
← Previous message | Next message →
+1 to Deque and SSB's tools.
Besides, you may want to try bookmarklet of HTML Code Sniffer
<http://squizlabs.github.io/HTML_CodeSniffer/>.
That said, be sure to do a manual audit too.
Thanks,
Srini
On Thu, Mar 26, 2015 at 11:29 PM, Thomas McKeithan II < = EMAIL ADDRESS REMOVED =
> wrote:
> Are you looking for an enterprise tool?
>
> Deque's Worldspace tool might help or SSB Bart's AMP platform.
>
> Respectfully,
> Thomas Lee McKeithan II
> QSSI
> http://www.qssinc.com
> 508 SME, SSQA Solutions Center
> 10480 Little Patuxent Pkwy , Suite 350
> Columbia , MD 21044
> (301 )977-7884 x1058 (Work)
> (202) 276-6437 (Cell)
>
>
> This electronic mail (including any attachments) may contain information
> that is privileged, confidential, and/or otherwise protected from
> disclosure to anyone other than its intended recipient(s). Any
> dissemination or use of this electronic email or its contents (including
> any attachments) by persons other than the intended recipient(s) is
> strictly prohibited. If you have received this message in error, please
> notify the sender by reply email and delete the original message (including
> any attachments) in its entirety.
>
>
>
From: cb
Date: Tue, Mar 31 2015 11:11AM
Subject: Re: Tools for automated testing of password-protected sites?
← Previous message | Next message →
Thanks for the suggestions. I'm also looking to get feedback from
people who are using these - or any other - tools on
password-protected sites, especially ones that use third-party
authentication where you don't have control over user accounts. How
well does this work? What's the process like for setting it up? Is
there a tool that handles this aspect particularly well?
Thanks
Caroline
On Mon, Mar 30, 2015 at 8:23 AM, Srinivasu Chakravarthula
< = EMAIL ADDRESS REMOVED = > wrote:
> +1 to Deque and SSB's tools.
>
> Besides, you may want to try bookmarklet of HTML Code Sniffer
> <http://squizlabs.github.io/HTML_CodeSniffer/>.
>
> That said, be sure to do a manual audit too.
> Thanks,
> Srini
>
> On Thu, Mar 26, 2015 at 11:29 PM, Thomas McKeithan II < = EMAIL ADDRESS REMOVED =
>> wrote:
>
>> Are you looking for an enterprise tool?
>>
>> Deque's Worldspace tool might help or SSB Bart's AMP platform.
>>
>> Respectfully,
>> Thomas Lee McKeithan II
>> QSSI
>> http://www.qssinc.com
>> 508 SME, SSQA Solutions Center
>> 10480 Little Patuxent Pkwy , Suite 350
>> Columbia , MD 21044
>> (301 )977-7884 x1058 (Work)
>> (202) 276-6437 (Cell)
>>
>>
>> This electronic mail (including any attachments) may contain information
>> that is privileged, confidential, and/or otherwise protected from
>> disclosure to anyone other than its intended recipient(s). Any
>> dissemination or use of this electronic email or its contents (including
>> any attachments) by persons other than the intended recipient(s) is
>> strictly prohibited. If you have received this message in error, please
>> notify the sender by reply email and delete the original message (including
>> any attachments) in its entirety.
>>
>>
>>
From: Karl Groves
Date: Tue, Mar 31 2015 12:00PM
Subject: Re: Tools for automated testing of password-protected sites?
← Previous message | Next message →
Caroline,
Testing behind authentication is hit or miss for any tool. HTTP
authentication (also often referred to as Basic authentication or
realm authentication) is probably the easiest for a tool to use
because it uses standardized HTTP headers etc. to do it.
After that, all best are off, really. Many sites use cookies and/ or
session IDs to determine whether the user is authenticated or not.
There are two concerns in this scenario: First, the tool must be able
to pass through the necessary ID/PW combination to establish the
session and Second the tool must be able to save & persist the
cookie(s) and pass back the necessary requests that the server makes
for that detail.
In short, if testing behind authentication is important, you really
want to take the time to verify any vendor's claim that their tool can
do so on your system(s).
Karl
On Tue, Mar 31, 2015 at 12:11 PM, cb < = EMAIL ADDRESS REMOVED = > wrote:
> Thanks for the suggestions. I'm also looking to get feedback from
> people who are using these - or any other - tools on
> password-protected sites, especially ones that use third-party
> authentication where you don't have control over user accounts. How
> well does this work? What's the process like for setting it up? Is
> there a tool that handles this aspect particularly well?
>
> Thanks
>
> Caroline
>
> On Mon, Mar 30, 2015 at 8:23 AM, Srinivasu Chakravarthula
> < = EMAIL ADDRESS REMOVED = > wrote:
>> +1 to Deque and SSB's tools.
>>
>> Besides, you may want to try bookmarklet of HTML Code Sniffer
>> <http://squizlabs.github.io/HTML_CodeSniffer/>.
>>
>> That said, be sure to do a manual audit too.
>> Thanks,
>> Srini
>>
>> On Thu, Mar 26, 2015 at 11:29 PM, Thomas McKeithan II < = EMAIL ADDRESS REMOVED =
>>> wrote:
>>
>>> Are you looking for an enterprise tool?
>>>
>>> Deque's Worldspace tool might help or SSB Bart's AMP platform.
>>>
>>> Respectfully,
>>> Thomas Lee McKeithan II
>>> QSSI
>>> http://www.qssinc.com
>>> 508 SME, SSQA Solutions Center
>>> 10480 Little Patuxent Pkwy , Suite 350
>>> Columbia , MD 21044
>>> (301 )977-7884 x1058 (Work)
>>> (202) 276-6437 (Cell)
>>>
>>>
>>> This electronic mail (including any attachments) may contain information
>>> that is privileged, confidential, and/or otherwise protected from
>>> disclosure to anyone other than its intended recipient(s). Any
>>> dissemination or use of this electronic email or its contents (including
>>> any attachments) by persons other than the intended recipient(s) is
>>> strictly prohibited. If you have received this message in error, please
>>> notify the sender by reply email and delete the original message (including
>>> any attachments) in its entirety.
>>>
>>>
>>>
From: Yamanishi, Evan
Date: Tue, Mar 31 2015 2:46PM
Subject: Re: Tools for automated testing of password-protectedsites?
← Previous message | No next message
It sounds like you're looking for more of a bot or web crawler, but it's worth mentioning that WebAIM's Wave extension (Chrome and Firefox) works on production sites or sites behind authentication. It still requires a user to log in and run the extension, but it's more automated than manually inspecting code to find WCAG failures.
Chrome: http://wave.webaim.org/extension/
Firefox: http://wave.webaim.org/toolbar/
Evan