I am working on the XPath Injection attack, so I am looking to build a tool to detect XPath Injection in a website. Is web crawling and scanning used for this?
What can be the logic to detect it?
Are there any open source tools to detect it, so that I can develop it in Java by looking at the logic used in that code?
WebCruiser Web Vulnerability Scanner includes an XPath Injection tool.
Related
Specifically, I want to run some analysis on the issues generated and rules violated. So I want to design the system to have a few click actions in the web interface of sonar and initiate the analysis in the back-end. The reason for this is that the analyses are run only during some cases and I don't want the instance with my plugin to have additional load during each run.
Also if possible could you point me in the right direction?
I couldn't find anything on here. http://docs.sonarqube.org/display/DEV/Web+API
Please note I have been searching this very recently and am also new to SonarQube.
SonarQube server is for performing analysis only. What I was looking for was for the server to give the user access to control the analysis. But using independent plugins to do static analysis could work.
I solved this issue by splitting the plugin into:
A plugin for doing inline analysis work (if a need for doing our own static analysis arises)
A WebApp to classify issues, listing them by projects, etc.
This approach seemed more attractive when, after discussion, we decided that all functions we wanted our widget to do, our WebApp itself could do. From SonarQube version 6.2, the Ruby APIs are going to be deprecated, and so moving to a REST-based approach would give an enduring solution.
The closest thing I've found is their Elasticsearch Plugins and Integrations page, which doesn't help. I was following their out-of-date tutorial to make a "hello world" plugin, but I can't find any documentation on the classes used. Is there a page with information on what each class does, or do I have to look at the code to figure it out on my own?
To quote Elasticsearch developer Adrien Grand (jpountz): "No, there is no guide about writing plugins and the API is actually quite unstable. The plugin API is mainly a way for us to provide additional functionality through plugins so that we do not have to fold everything into a single release artifact that would be quite huge. Some community members have written plugins by taking inspiration of existing plugins but we do not want to commit on a stable API for plugins as this might prevent us from improving other areas of elasticsearch."
The only real way of learning about developing a plugin is trying to find something similar and modifying it to suit your needs. Developing anything remotely complex will require an extensive knowledge of the ES codebase. I suggest you look into some plugins developed by jprante to get started.
We are looking at cucumber for our automation test framework because everyone including business people can understand it.
We use an Angular JS frontend and a Java REST backend. Our team that is going to write the step definitions likes Ruby, so we want to stick with Ruby for that.
Also we would like to use Maven to tie this process into our build process.
Will cucumber be a good fit given that story above?
Hi Peztherez, from my perspective cucumber is a great choice; we are using it with the same architecture except for Angular.
We are using Maven too, and it's so useful to orchestrate them with Jenkins, using Maven to run the tags.
mvn test -Dcucumber.options="--tags @smoke"
ref: https://cucumber.io/docs/reference/jvm
Also, Jenkins has several plugins to report the Cucumber analysis, so useful for testers, and in the end, we are now working on the HPQ server integration with a plugin called Bumblebee (this part is still under development on both sides, ours and Bumblebee's).
Another good choice is Ruby, you can take the step definition so easily defined with Ruby...
We also have an integration with Selenium for the front end side, and it works as well...
So go further!
We are using Cucumber in Java with Gradle; in the past it was in Maven, and it works fine. We have a framework for UI and API. In the UI we used WebDriver to write step definitions, and in the API we used RestAssured to write step definitions. You can do the same thing in Java that you can do in Ruby.
Maven for Java Cucumber:
http://mvnrepository.com/artifact/info.cukes/cucumber-java/1.2.4 - Please add other dependencies as required.
Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Cucumber+Reports+Plugin
Will cucumber be a good fit given that story above?
- Yes, it is a good fit. I would ask you to show a POC (proof of concept) to management. I had the experience in the past that management had no clue about BDD and had a very hard time understanding coverage. We did a very deep dive to provide all the information to them. It is very important to answer the following questions for management:
Is the BDD report providing an accurate idea of test coverage to management?
Everyone on the team is able to write feature files and able to provide the same quality of feature file
Feature file and BDD report will be the starting tools for checking test coverage
Thank you.
Please be aware that Cucumber is a BDD framework that can be used on top of a browser automation framework like Selenium WebDriver/Watir/Protractor; they are two distinct things. Most of them implement Selenium WebDriver's protocol.
My only concern is for you using Maven in that project setup, I know that you can run ruby code in a JVM by using JRuby. But I'm not sure which plugin you'd use to trigger that from Maven.
I'm working with an application that uses and manages a large amount of OSGi services and implementations for each service, with properties, dynamism and so on. Using the command line of the Equinox console is useful, with commands like services or list -c. However, it is difficult to see specific implementations of services, and to obtain a current snapshot of bound or available services to consume. For example, you can see if the bundle references are satisfied, but you can't see which are the implementations of those satisfied references (although there are other mechanisms, of course).
So, the idea is to find a GUI with organized information (for example, using graphs) to increase the performance when you are developing in OSGi. Maybe there is one GUI in Eclipse plug-in perspective, but I can't find it.
If you don't know anything like this, I have in mind to create my own for my thesis :)
Eclipse has its Plug-in Registry view:
Window > Show View > Other... > Plug-in Development > Plug-in Registry
This view comes with the Plug-in Development Environment (PDE), so you'll need to either use Eclipse Classic or Eclipse for Plug-in Developers or install it additionally through the standard Eclipse update mechanism.
The view can show the plugins running in the current Eclipse instance and group them by plugin, extension points or services. I believe the last option is what you are searching for.
Although there was some work to make this view show remote content as well, it appears that this functionality hasn't made it to the normal Eclipse release.
Another tool which can assist you in OSGi development is mToolkit. It is an open source project, specifically aimed at helping with developing in OSGi environments.
It provides a similar view to the Plug-in Registry, but it only shows information about the OSGi bundles and services. It doesn't support anything outside the OSGi specification, so no plug-in registry inspection.
The Apache Felix console provides a web interface to manage OSGi services (and many other things) - I haven't tested it with Equinox but it has minimal dependencies so it should work in most OSGi environments. See http://felix.apache.org/site/apache-felix-web-console.html
I would check out Peter Kriens' Xray: http://softwaresimplexity.blogspot.com/2012/07/xray-again.html
Have you looked at the Knopflerfish and Apache Felix UIs? I think they could be installed on top of Equinox as well.
I'm interested in using the Lightweight Testing Automation Framework (LTAF) to create integration tests for my web application. However, I need it to be run on the build server. Does anyone know if this can be set up to do this?
There does not seem to be a whole lot of information on the web on this right now :-)
There's a blog post (Lightweight Test Automation Framework – Automated Build Support) that describes how to implement the runner as a console application; it can then be integrated into a build server fairly simply by redirecting the build output and setting the return code appropriately.
The author posted the code used in the article; you can download it from here.
I don't have experience with LTAF, but found this nice article:
First steps with Lightweight Test Automation Framework
Quoting the author (Steve Sanderson, from the comments):
Lightweight Test Automation Framework can be invoked with query string parameters (to specify which tests to run) and can emit a log of the results to a text file, so it would be possible to integrate it. However, this is certainly not as easy as using Selenium RC which as you say works through a traditional test runner.