syntax for check_http
Re: syntax for check_http
The document @tmcdonald linked is basically the quick FAQ. Were there any particular parts of the document that were unclear or not descriptive enough? It's pretty impossible to offer specific advice without knowing the full structure of the web pages we're dealing with.
Former Nagios employee
https://www.mcapra.com/
Re: syntax for check_http
Yes this section here:
<sitechecks repeat="1">
<testvar varname="USER">
[email protected]
</testvar>
<testvar varname="PASS">
holden123
</testvar>
Username syntax must be @ with server name or is that just the name that is being used?
Also if passwords have special characters such as ! ( or . would it be interpreted or how can I escape that? Sorry I am not XML savvy and I understand that there
I created a simple configuration file that just verifies that an account can log in. The second case I want to create would be a search for a string on the page to verify that it exists, i.e. the page loaded properly. I understand that auth can be integrated into the case? Please correct me if I am wrong on this.
<testcases repeat="1">
<case
id="1"
description1="Login page"
url="https://mywebsites/Dashboard(7.0)"
/>
<case
id="2"
description="Sign in"
method="post"
url="https://mywebsites/Dashboard(7.0)"
postbody="username=use\s.something&password=longpassword!with.andalsoa?"
verifypositive="search for this string on page"
/>
</testcases>
perl webinject.pl test_site.xml
Starting WebInject Engine...
-------------------------------------------------------
Test: test_site.xml - 1
Login page
Passed HTTP Response Code Verification (not in error range)
TEST CASE PASSED
Response Time = 0.094 sec
-------------------------------------------------------
Test: test_site.xml - 2
Verify : "search for this string on page"
Failed Positive Verification
Passed HTTP Response Code Verification (not in error range)
TEST CASE FAILED
Response Time = 0.023 sec
-------------------------------------------------------
Start Time: Fri Jul 29 01:13:51 2016
Total Run Time: 0.176 seconds
Test Cases Run: 2
Test Cases Passed: 1
Test Cases Failed: 1
Verifications Passed: 2
Verifications Failed: 1
Re: syntax for check_http
emartine wrote:
Yes this section here:
<sitechecks repeat="1">
<testvar varname="USER">
[email protected]
</testvar>
<testvar varname="PASS">
holden123
</testvar>
The above section would be applicable only for basic authentication.
Let's say I have a dirt simple page named form.php with a dirt simple form that accepts a username and a password:
The code for this form:
Code: Select all
<form method="POST" action="form.php?action=submit">
<input type="text" name="username"/>
<input type="password" name="password"/>
<input type="submit" name="submit" value="submit"/>
</form>
The action value is form.php?action=submit and there's PHP handling that action (again, dirt simple):
Code: Select all
<?php
if (isset($_GET['action']))
{
    if (($_POST['username'] == 'use\s.something') && ($_POST['password'] == 'longpassword!with.andalsoa?'))
        echo 'SUCCESS';
    else
        echo 'FAILURE';
    exit();
}
?>
Code: Select all
<case
id="1"
description="Login"
method="post"
url="http://www.test.com/form.php?action=submit"
postbody="username=use\s.something&password=longpassword!with.andalsoa?"
verifypositive="SUCCESS"
/>
Former Nagios employee
https://www.mcapra.com/
Re: syntax for check_http
Here are our test cases that we are trying to create. We are unable to log in to the main page to do a validation, however.
<testcases repeat="1">
<case
id="1"
description1="Login page"
url="https://website.com/login.aspx"
verifypositive="Login"
parseresponse1='__VIEWSTATE" value="|"|escape'
parseresponse2='__VIEWSTATEGENERATOR" value="|"|escape'
parseresponse3='__EVENTVALIDATION" value="|"|escape'
/>
<case
id="2"
description="Sign in"
logrequest="yes"
method="post"
url="https://website.com/login.aspx"
postbody="ctl00$content$userNameTextBox=s.user&ctl00$content$passwordTextBox=somepass&__VIEWSTATE={PARSEDRESULT1}&__VIEWSTATEGENERATOR={PARSEDRESULT2}&__EVENTVALIDATION={PARSEDRESULT3}&ctl00$content$logOnButton=Log%20In"
verifypositive="login page title"
/>
</testcases>
Below is what the login page form looks like. Can you help with the above syntax?
We have strange variables that have $ in them and we have values with spaces. Is this a problem?
The first case passes and grabs the variables we need. The second case only passes when we have content that only exists on the login page, which is what happens when authentication fails.
<input type="hidden" name="__LASTFOCUS" id="__LASTFOCUS" value="" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="FCqv=" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="90A98831" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="gmLn/tvDDe3+c1n1ET+OdBem3cIg3NHHQ==" />
<input name="ctl00$content$offsetMinutesHidden" type="hidden" id="offsetMinutesHidden" />
<input name="ctl00$content$userNameTextBox" type="text" id="ctl00_content_userNameTextBox" tabindex="1" class="textField first fixPlaceholder" autocomplete="off" placeholder="Username" title="Username" onfocus="SelectAllText('ctl00_content_userNameTextBox');" />
<input name="ctl00$content$passwordTextBox" type="password" id="ctl00_content_passwordTextBox" tabindex="2" class="textField last fixPlaceholder" autocomplete="off" placeholder="Password" title="Password" onfocus="SelectAllText('ctl00_content_passwordTextBox');" />
<input id="ctl00_content_rememberMeCheckBox" type="checkbox" name="ctl00$content$rememberMeCheckBox" tabindex="3" /><label for="ctl00_content_rememberMeCheckBox">Save my login information</label>
<input type="submit" name="ctl00$content$logOnButton" value="Log in" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("ctl00$content$logOnButton", "", true, "loginControl", "", false, false))" id="ctl00_content_logOnButton" tabindex="4" class="LoginButton" />
Re: syntax for check_http
I replicated that DOM structure and didn't have any issues with the following test case:
Code: Select all
<case
id="1"
description="Login"
method="post"
url="http://www.test.com/form.php?action=submit"
postbody="ctl00$content$userNameTextBox=use\s.something&ctl00$content$passwordTextBox=longpassword!with.andalsoa?"
verifypositive="SUCCESS"
/>
I don't think it's a special characters issue. At this point I'm fairly certain there is something in the back-end of login.aspx that is preventing this test case from succeeding.
Pure speculation (haven't worked with ASP.NET in a while and I can't see the source), but I'm thinking one of the __VAR values or hidden fields is being malformed or the form is getting conflicting values. Possibly as some sort of brute-force login protection.
It's hard for us to troubleshoot specific test cases without having a full understanding of the back-end. You could try leveraging Selenium for this, as it can avoid some of those considerations by manipulating the browser directly. That environment is much heavier than WebInject though.
Former Nagios employee
https://www.mcapra.com/
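Added example (not code from the thread or from WebInject): a Python check that compares the case 2 postbody posted above with what a browser would submit for the quoted login form, and builds a fully form-encoded body for comparison. The form sample is reconstructed from the inputs quoted in the thread, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode
# Constructed sample: the thread's login form, reduced to name/type/value.
FORM_HTML = """<input type="hidden" name="__LASTFOCUS" value="" />
<input type="hidden" name="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" value="FCqv=" />
<input type="hidden" name="__VIEWSTATEGENERATOR" value="90A98831" />
<input type="hidden" name="__EVENTVALIDATION" value="gmLn/tvDDe3+c1n1ET+OdBem3cIg3NHHQ==" />
<input name="ctl00$content$offsetMinutesHidden" type="hidden" />
<input name="ctl00$content$userNameTextBox" type="text" />
<input name="ctl00$content$passwordTextBox" type="password" />
<input type="checkbox" name="ctl00$content$rememberMeCheckBox" />
<input type="submit" name="ctl00$content$logOnButton" value="Log in" />"""
# Case 2 postbody as posted; {PARSEDRESULTn} are WebInject placeholders.
POSTED_BODY = ("ctl00$content$userNameTextBox=s.user&ctl00$content$passwordTextBox=somepass"
               "&__VIEWSTATE={PARSEDRESULT1}&__VIEWSTATEGENERATOR={PARSEDRESULT2}"
               "&__EVENTVALIDATION={PARSEDRESULT3}&ctl00$content$logOnButton=Log%20In")

class InputCollector(HTMLParser):  # collects name -> (type, value) per <input>
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and "name" in attr:
            self.fields[attr["name"]] = (attr.get("type", "text"), attr.get("value") or "")

def form_fields(html):
    parser = InputCollector()
    parser.feed(html)
    return parser.fields

def audit_postbody(html, postbody):
    """Return (fields the body omits, fixed values the body changes)."""
    fields = form_fields(html)
    sent = dict(parse_qsl(postbody, keep_blank_values=True))
    # Unchecked checkboxes are never submitted, so they do not count as omitted.
    missing = [n for n, (kind, _) in fields.items() if kind != "checkbox" and n not in sent]
    changed = {n: (fields[n][1], v) for n, v in sent.items()
               if n in fields and fields[n][0] in ("hidden", "submit")
               and not v.startswith("{PARSEDRESULT") and v != fields[n][1]}
    return missing, changed

def build_postbody(html, credentials):  # credentials override by field name
    return urlencode([(n, credentials.get(n, v))
                      for n, (kind, v) in form_fields(html).items() if kind != "checkbox"])

if __name__ == "__main__":
    print(audit_postbody(FORM_HTML, POSTED_BODY))
```

Against the thread's data it reports four hidden inputs absent from the postbody and a submit value of `Log In` where the form has `Log in`; whether either difference matters to login.aspx is not established on the page.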