SlideShare ist ein Scribd-Unternehmen logo

The Evil Tester's Guide to HTTP proxies Tutorial

Alan Richardson
Alan Richardson

A tutorial given at May TestNet 2013. An overview of out of the box Web Browsers, BurpSuite and Fiddler

Technologie
1 von 63
Downloaden Sie, um offline zu lesen
The Evil Tester's Guide to HTTP Proxies A Tutorial for TestNet May 2013 Alan Richardson @eviltester www.eviltester.com www.compendiumdev.co.uk www.seleniumsimplified.com @eviltester slides: http://unow.be/at/gtn_tute
Logistics ● 09:30 ● xx:xx half hour break ● 13:00 Only 3 hours! 1st Hour: Theory & Modern Browsers ● 20 mins Intro, basic theory ● 5 Mins 'Modern Browsers ● 5 Mins Demo ● 15 minutes browser exercise ● 15 minutes debrief 2nd Hour: BurpSuite ● 10 mins Introduction to proxies ● 20 mins BurpSuite overview ● 15 minutes BurpSuite Exercise ● 15 minutes BurpSuite debrief and questions 3rd Hour: Fiddler & End Notes ● 15 mins fiddler overview ● 15 minute Exercise ● 15 minute debrief and questions ● 10 minute end notes ● 5 minutes Q&A @eviltester slides: http://unow.be/at/gtn_tute
Blurb: Evil Tester guide - HTTP proxies I test a lot of web applications. I use proxy servers to interrogate and manipulate web traffic. So in this tutorial I want to introduce you to the basics of proxy servers, using BurpSuite and Fiddler. We will cover and go beyond the obvious interrogation and manipulation traffic and also look at how to use autoresponders, custom rules and traffic generators. The different capabilities of the tools and how to use them in combination. And as a bonus we will look at the new features in modern browsers that help you achieve some of the proxy benefits out of the box, for those moments when you have to test unarmed. As well as the tools I want to cover the thought processes and models that help you get the best from the tools because "Form can follow features" and "Terrain can inform technique". @eviltester slides: http://unow.be/at/gtn_tute
Technical Web Testing: A Model @eviltester slides: http://unow.be/at/gtn_tute
The MORIM Loop ● ● ● ● ● Model Observe Reflect Interrogate Manipulate @eviltester slides: http://unow.be/at/gtn_tute
The MORIM Loop - Model ● Model ○ ● ● ● ● Build a layered model of the application functionality, flows, technology usage, etc. Observe Reflect Interrogate Manipulate @eviltester slides: http://unow.be/at/gtn_tute
The MORIM Loop - Observe ● Model ● Observe ○ ○ ○ ○ At every layer, what can you see? Can you increase the depth of observation. Do you understand what you see? What else could you observe? ● Reflect ● Interrogate @eviltester slides: http://unow.be/at/gtn_tute
The MORIM Loop - Reflect ● Model ● Observe ● Reflect ○ ○ ○ ○ ○ Expand the model, Intent - for deliberate action Analyse the observations What does that imply? How? Risks? What else? When? ● Interrogate @eviltester ● Manipulate slides: http://unow.be/at/gtn_tute
The MORIM Loop - Interrogate ● ● ● ● Model Observe Reflect Interrogate ○ ○ ○ ○ Deep dive into observed data Breakpoint Correlate data changes with state etc. ● Manipulate @eviltester slides: http://unow.be/at/gtn_tute
The MORIM Loop - Manipulate ● ● ● ● ● Model Observe Reflect Interrogate Manipulate ○ ○ ○ ○ @eviltester Edit the data Change the state Edit the communication Change the environment context e.g. speed, memory, etc. slides: http://unow.be/at/gtn_tute
The MORIM Loop - Utilisation ● ● ● ● ● Repeat Transpose - do the events in any order Learn Deliberately decide what to try next Do it - take advantage of what happens @eviltester slides: http://unow.be/at/gtn_tute
During all the exercises; Consider: Observation ● What are you observing. What are you not observing. What do you want to observe? Why? Interrogation ● What do you want to see in more detail? How can you do that? Why? Manipulation ● What do you want to amend? How could you? Why? @eviltester slides: http://unow.be/at/gtn_tute
Our Basic Web Technology Knowledge @eviltester slides: http://unow.be/at/gtn_tute
High Level Generic Architecture Browser Server Traffic <-HTTP-> ● ● ● ● ● ● ● ● ● ● @eviltester client side state Cookie Management Local Storage HTML rendering JavaScript Execution etc. ● ● ● forms XML JSON etc. ● Web Server App Server Database server side state slides: http://unow.be/at/gtn_tute
Introduction to Modern Browsers @eviltester slides: http://unow.be/at/gtn_tute
Modern Browsers ● Dev Tools ● Observe Network Traffic ● Interrogate & Manipulate ○ DOM ○ Data - cookies, local storage ● Differing capabilities between browsers "Don't get hung up on 'I need to test on BrowserX' - use them all, even while you focus on BrowserX" @eviltester slides: http://unow.be/at/gtn_tute
Quick Demo of Modern Browser ● Interrogate Dom? ● Manipulate Dom? ● Observe Cookies? ● Interrogate Cookies? ● Manipulate Cookies? ● Observe Network Traffic? ● Interrogate Traffic? ● Manipulate Traffic? @eviltester slides: http://unow.be/at/gtn_tute
Augment Browsers ● Out of the box experience continually improves ● Use browser plugins to increase the functionality of the browser even further @eviltester slides: http://unow.be/at/gtn_tute
Gruyere - Cloud app to test against A Google App Engine hosted application to learn security testing for common vulnerabilities. Read the Instructions ● http://google-gruyere.appspot.com/ Create a new instance ● http://google-gruyere.appspot.com/start @eviltester slides: http://unow.be/at/gtn_tute
For local App Testing ● WebGoat ○ http://code.google.com/p/webgoat/ Or anything from BitNami bitnami.org
Modern Browser Exercise 1. Decide on a browser: IE, Firefox, Opera, Chrome 2. Find the Dev Tools in the browser 3. Visit http://google-gruyere.appspot.com/start 4. Explore and investigate the Browser capabilities using this app 5. Debrief in 15 mins ● What "Observe, Interrogate, Manipulate" capabilities did the browser have? ● What did you want them to have? ● Other thoughts? @eviltester slides: http://unow.be/at/gtn_tute
For full control, Use a Proxy... @eviltester slides: http://unow.be/at/gtn_tute
Introduction to Proxies @eviltester slides: http://unow.be/at/gtn_tute
What is an HTTP Proxy? ● Sits between browser and server ● route all requests through the proxy Browser -> Request -> Proxy -> Server Browser <- Proxy <- Response <- Server Https handled by 'man in the middle' certificate use. @eviltester slides: http://unow.be/at/gtn_tute
Why should a tester care? ● Learn ○ HTTP ○ JSON ○ App Architecture ● ● ● ● Observe & Manipulate Traffic Simulate Network Speeds Simulate different browsers Test new css and js without a release to main site ● Test extreme '4xx', '5xx' conditions @eviltester slides: http://unow.be/at/gtn_tute
When should you use it? ● Almost all the time @eviltester slides: http://unow.be/at/gtn_tute
When should you not use it? ● confirm a defect happens without the proxy ● streaming? ● long polling? A proxy is invasive, and can impact your results. So you need to double check your results without the proxy. But the value trumps the risk. @eviltester slides: http://unow.be/at/gtn_tute
How? Quick Demo @eviltester slides: http://unow.be/at/gtn_tute
Proxies and their capabilities @eviltester slides: http://unow.be/at/gtn_tute
Proxies we will cover today ● BurpSuite ● Fiddler ● Capabilites ● Demos ● Exercises @eviltester slides: http://unow.be/at/gtn_tute
Generic Testing Requirements Traffic {Request, Response} CRUD ● Create - Generate new requests ● Read - Observe Traffic ○ Requests ○ Responses ● Update ○ Manipulate Requests & Responses ■ Manually ■ Automatically ○ Replay Requests ● Delete - block requests or responses @eviltester slides: http://unow.be/at/gtn_tute
Configure Browser to use a Proxy
Configure Browser to use a Proxy ● Chrome, IE all use the System Internet Settings ● Firefox and Opera can maintain proxy settings independently of system settings
Configure Chrome to use a Proxy ● ChromeSettings search for proxy ● Use the normal system proxy settings ● Chrome Incognito and normal mode share proxy settings
Configure Firefox to use a Proxy ● FirefoxOptions ○ AdvancedNetwork ■ Connection [Settings...] ■ Manual proxy configuration: ■ use value listed in ProxyOptions Listeners ■ ignore the "No Proxy For" ● If you already configured IE or Chrome then you could use System Proxy Settings
Configure Opera to use a Proxy ● SettingsPreferences ○ AdvancedNetwork ○ [Proxy Servers...] ○ use config from ProxyOptions ● F12 can quickly toggle proxy on off once configured
Configure IE to use a Proxy ● Config options ○ Connections ■ Lan settings ● Use Proxy Server ○ use details from ProxyOptions
You may be asked about proxy certificate (BurpSuite portswigger) ● Adhoc - Add it as an exception ● To remove exception ○ Firefox ■ OptionsAdvancedEncryption ■ view certificates ● servers (PortSwigger) ○ Chrome ■ Settings search for manage certificates ○ Opera ■ Preferences ● ● AdvancedSecurity Manage Certificates... ○ IE ■ Config Internet Options Content [Certificates]
BurpSuite @eviltester slides: http://unow.be/at/gtn_tute
What is BurpSuite? ● Java based Proxy ● Professional and Free License ○ Pro designed for security professionals ○ Free version usually good enough for testing ● Book: "The Web Application Hacker's Handbook" ● http://portswigger.net/burp/download.html @eviltester slides: http://unow.be/at/gtn_tute
Basic Features For Testing ● ● ● ● ● ● Proxy Spider Repeater Sequencer Decoder Comparer @eviltester slides: http://unow.be/at/gtn_tute
How to Install & Run ● Download the .jar file ○ http://portswigger.net/burp/download.html ● Double click or "java -jar burpsuite_free_vx. x.jar" ○ where x.x is the version you downloaded @eviltester slides: http://unow.be/at/gtn_tute
BurpSuite Basics ● ● ● ● ● ● ● ● ● ● Tabbed GUI ProxyOptions Configure Browser Intercept Obeserve with History Tab Repeater to replay and manipulate Site Map Spider Decoder Intruder - variety of params @eviltester slides: http://unow.be/at/gtn_tute
Exercise - explore tool and proxy capabilities ● 20 mins explore, 10 mins debrief ● Use BurpSuite on guyere ○ ○ ○ ○ ○ Setup the proxy Config browser to point to browser Choose a site and browse View the Traffic View sitemap ■ visit pages you haven't been that sitemap found ○ Repeat requests ○ Tamper Traffic ○ do any of the pages lend themselves to sequencing? @eviltester slides: http://unow.be/at/gtn_tute
Debrief ● Comments, Questions? @eviltester slides: http://unow.be/at/gtn_tute
Fiddler @eviltester slides: http://unow.be/at/gtn_tute
What is Fiddler? ● .net based (v2 & v4) ● http://www.fiddler2.com/ ● now owned by Teleric @eviltester slides: http://unow.be/at/gtn_tute
Obvious Differences ● Automatically hooks into Windows System Proxy ○ IE & Chrome use by default without configuration ○ This makes it good for beginners ● HTTPS decryption off by default ○ Tools Fiddler Options ■ HTTPS tab ● @eviltester Decrypt HTTPS traffic slides: http://unow.be/at/gtn_tute
Fiddler Extensions ● www.fiddler2.com/fiddler2/extensions.asp ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ @eviltester ○ Formatters Windows 8 "Metro" Android & iOS Certificate maker Request Differ SAZ Clipboard Util Geo spoofing Rules Editor Privacy Scanner Performance Tester Helper Stress Testing Security Testing - Watcher & Ammonite & X5s Fuzzing - intruder21 slides: http://unow.be/at/gtn_tute etc.
Fiddler Basics ● ● ● ● ● ● ● ● ● ● ● ● Firefox Hook "Tools Monitor with Fiddler" WebSessions Pane - History Statistics Tab Inspectors Tab AutoResponder Tab Composer Tab Filters Tab Timeline Tab Config Options Decode with TextWizard Replay Export Sessions
Exercise - explore proxy functionality and compare with BurpSuite ● ● ● ● Any new functionality I didn't mention? Which is easier? Any missing functionality? Can you chain proxies? @eviltester slides: http://unow.be/at/gtn_tute
Psychology of Proxying @eviltester slides: http://unow.be/at/gtn_tute
Isn't this just Security Testing? Yes, No? Opinions? @eviltester slides: http://unow.be/at/gtn_tute
Observation & Manipulation Comments on what you observed? ● What didn't you observe? ● What did you want to observe? ● What could you not observe? Comments on Manipulation? ● What did you manipulate? ● What did you want to manipulate? ● What could you not manipulate? @eviltester slides: http://unow.be/at/gtn_tute
What makes a difference? You can manipulate a whole bunch of things, why would you want to manipulate the: ● ● ● ● ● Header? Body? Request URI? Params? Payload? @eviltester slides: http://unow.be/at/gtn_tute
Inspiration from Form What can this tool do? == New test ideas! e.g. ● what does the autoresponder feature let me do? ● What could I use the save as HAR file for? ● etc. @eviltester slides: http://unow.be/at/gtn_tute
Recommended For Self Study @eviltester slides: http://unow.be/at/gtn_tute
Videos & Courses ● Evil Tester Videos on Burp on Youtube ○ www.youtube.com/watch?v=ft5MSmf42Kw ○ www.youtube.com/watch?v=JmAk1OVwp-4 ● ZAP ○ www.youtube.com/watch?v=QG2RCZHMEkM ○ www.youtube.com/user/psiinon?feature=watch ● Technical Web Testing 101 ○ http://unow.be/at/techwebtest101 ○ Free Online Course @eviltester slides: http://unow.be/at/gtn_tute
Books ● The Web Application Hacker's Handbook ○ www.amazon.com/exec/obidos/ASIN/1118026470 ○ www.amazon.co.uk/exec/obidos/ASIN/1118026470 ● Debugging with Fiddler by Eric Lawrence ○ www.amazon.com/exec/obidos/ASIN/1475024487 ○ www.amazon.co.uk/exec/obidos/ASIN/1475024487 @eviltester slides: http://unow.be/at/gtn_tute
Proxies ● BurpSuite ○ http://www.portswigger.net/burp/ ● Fiddler ○ http://www.fiddler2.com/fiddler2/ ● zaproxy (Zed Attack Proxy) ○ http://code.google.com/p/zaproxy/ ● https://twitter.com/zaproxy @eviltester slides: http://unow.be/at/gtn_tute
Apps to test against ● http://google-gruyere.appspot.com/part1 ○ http://google-gruyere.appspot.com/start ● https://hack.me/ ● http://demo.testfire.net/ ● WebGoat ○ http://code.google.com/p/webgoat/ ● Lists of Apps to Test Against ○ http://blog.taddong.com/2011/10/hacking-vulnerableweb-applications.html @eviltester slides: http://unow.be/at/gtn_tute
Q&A @eviltester slides: http://unow.be/at/gtn_tute
Alan Richardson is an Independent Test Consultant based in the UK. He offers training and consultancy in Selenium WebDriver, exploratory and technical web testing. ● uk.linkedin.com/in/eviltester Contact Alan for training and consultancy tailored to your needs: alan@compendiumdev.co.uk Blogs and Websites ● ● ● SeleniumSimplified.com EvilTester.com Testing Papers and Tools ○ CompendiumDev.co.uk Twitter: @eviltester Online Training Courses ● ● ● Technical Web Testing 101 ○ Unow.be/at/udemy101 Intro to Selenium ○ Unow.be/at/udemystart Selenium 2 WebDriver API ○ Unow.be/at/udemyapi Videos youtube.com/user/EviltesterVideos Books Selenium Simplified Unow.be/rc/selsimp

Empfohlen

Lessons Learned When Automating
Lessons Learned When AutomatingLessons Learned When Automating
Lessons Learned When AutomatingAlan Richardson
 
Open source tools - Test Management Summit - 2009
Open source tools - Test Management Summit - 2009Open source tools - Test Management Summit - 2009
Open source tools - Test Management Summit - 2009Alan Richardson
 
Technical Testing Webinar
Technical Testing WebinarTechnical Testing Webinar
Technical Testing WebinarAlan Richardson
 
Evil testers guide to technical testing
Evil testers guide to technical testingEvil testers guide to technical testing
Evil testers guide to technical testingAlan Richardson
 
How to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteHow to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteAlan Richardson
 
If you want to automate, you learn to code
If you want to automate, you learn to codeIf you want to automate, you learn to code
If you want to automate, you learn to codeAlan Richardson
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based TestingAlan Richardson
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 

Empfohlen

Lessons Learned When Automating
Lessons Learned When AutomatingLessons Learned When Automating
Lessons Learned When AutomatingAlan Richardson
 
Open source tools - Test Management Summit - 2009
Open source tools - Test Management Summit - 2009Open source tools - Test Management Summit - 2009
Open source tools - Test Management Summit - 2009Alan Richardson
 
Technical Testing Webinar
Technical Testing WebinarTechnical Testing Webinar
Technical Testing WebinarAlan Richardson
 
Evil testers guide to technical testing
Evil testers guide to technical testingEvil testers guide to technical testing
Evil testers guide to technical testingAlan Richardson
 
How to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteHow to Improve Your Technical Test Ability - AADays 2015 Keynote
How to Improve Your Technical Test Ability - AADays 2015 KeynoteAlan Richardson
 
If you want to automate, you learn to code
If you want to automate, you learn to codeIf you want to automate, you learn to code
If you want to automate, you learn to codeAlan Richardson
 
Technology Based Testing
Technology Based TestingTechnology Based Testing
Technology Based TestingAlan Richardson
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 
Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014Alan Richardson
 
Push Functional Testing Further
Push Functional Testing FurtherPush Functional Testing Further
Push Functional Testing FurtherAlan Richardson
 
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...Alan Richardson
 
Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604Alan Richardson
 
Practical Test Automation Deep Dive
Practical Test Automation Deep DivePractical Test Automation Deep Dive
Practical Test Automation Deep DiveAlan Richardson
 
Automating Strategically or Tactically when Testing
Automating Strategically or Tactically when TestingAutomating Strategically or Tactically when Testing
Automating Strategically or Tactically when TestingAlan Richardson
 
Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Alan Richardson
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment TestingAlan Richardson
 
Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020Alan Richardson
 
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...Alan Richardson
 
Devfest 2019-slides
Devfest 2019-slidesDevfest 2019-slides
Devfest 2019-slidesAlan Richardson
 
Secrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesSecrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesAlan Richardson
 
Effective Software Testing for Modern Software Development
Effective Software Testing for Modern Software DevelopmentEffective Software Testing for Modern Software Development
Effective Software Testing for Modern Software DevelopmentAlan Richardson
 
Making cross browser tests beautiful
Making cross browser tests beautifulMaking cross browser tests beautiful
Making cross browser tests beautifulMeaghan Lewis
 
Selenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver TutorialSelenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver TutorialAlan Richardson
 
Joy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan RichardsonJoy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan RichardsonAlan Richardson
 
TDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and GomegaTDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and GomegaEddy Reyes
 
How To Test With Agility
How To Test With AgilityHow To Test With Agility
How To Test With AgilityAlan Richardson
 
Technical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" GameTechnical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" GameAlan Richardson
 
Odinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support TestingOdinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support TestingAlan Richardson
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreJosh Sokol
 
Keynote: My Quest for Silver Bullets
Keynote: My Quest for Silver BulletsKeynote: My Quest for Silver Bullets
Keynote: My Quest for Silver BulletsAlan Richardson
 

Weitere ähnliche Inhalte

Was ist angesagt?

Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014Alan Richardson
 
Push Functional Testing Further
Push Functional Testing FurtherPush Functional Testing Further
Push Functional Testing FurtherAlan Richardson
 
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...Alan Richardson
 
Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604Alan Richardson
 
Practical Test Automation Deep Dive
Practical Test Automation Deep DivePractical Test Automation Deep Dive
Practical Test Automation Deep DiveAlan Richardson
 
Automating Strategically or Tactically when Testing
Automating Strategically or Tactically when TestingAutomating Strategically or Tactically when Testing
Automating Strategically or Tactically when TestingAlan Richardson
 
Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Alan Richardson
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment TestingAlan Richardson
 
Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020Alan Richardson
 
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...Alan Richardson
 
Secrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesSecrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesAlan Richardson
 
Effective Software Testing for Modern Software Development
Effective Software Testing for Modern Software DevelopmentEffective Software Testing for Modern Software Development
Effective Software Testing for Modern Software DevelopmentAlan Richardson
 
Making cross browser tests beautiful
Making cross browser tests beautifulMaking cross browser tests beautiful
Making cross browser tests beautifulMeaghan Lewis
 
Selenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver TutorialSelenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver TutorialAlan Richardson
 
Joy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan RichardsonJoy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan RichardsonAlan Richardson
 
TDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and GomegaTDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and GomegaEddy Reyes
 
How To Test With Agility
How To Test With AgilityHow To Test With Agility
How To Test With AgilityAlan Richardson
 
Technical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" GameTechnical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" GameAlan Richardson
 
Odinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support TestingOdinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support TestingAlan Richardson
 

Was ist angesagt? (20)

Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014Abstraction Layers Test Management Summit Faciliated Session 2014
Abstraction Layers Test Management Summit Faciliated Session 2014
 
Push Functional Testing Further
Push Functional Testing FurtherPush Functional Testing Further
Push Functional Testing Further
 
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
Risk Mitigation Using Exploratory and Technical Testing - QASymphony Webinar ...
 
Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604Automating Pragmatically - Testival 20190604
Automating Pragmatically - Testival 20190604
 
Practical Test Automation Deep Dive
Practical Test Automation Deep DivePractical Test Automation Deep Dive
Practical Test Automation Deep Dive
 
Automating Strategically or Tactically when Testing
Automating Strategically or Tactically when TestingAutomating Strategically or Tactically when Testing
Automating Strategically or Tactically when Testing
 
Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021Add More Security To Your Testing and Automating - Saucecon 2021
Add More Security To Your Testing and Automating - Saucecon 2021
 
Automating to Augment Testing
Automating to Augment TestingAutomating to Augment Testing
Automating to Augment Testing
 
Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020Automating Tactically vs Strategically SauceCon 2020
Automating Tactically vs Strategically SauceCon 2020
 
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
Test Bash Netherlands Alan Richardson "How to misuse 'Automation' for testing...
 
Devfest 2019-slides
Devfest 2019-slidesDevfest 2019-slides
Devfest 2019-slides
 
Secrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slidesSecrets and Mysteries of Automated Execution Keynote slides
Secrets and Mysteries of Automated Execution Keynote slides
 
Effective Software Testing for Modern Software Development
Effective Software Testing for Modern Software DevelopmentEffective Software Testing for Modern Software Development
Effective Software Testing for Modern Software Development
 
Making cross browser tests beautiful
Making cross browser tests beautifulMaking cross browser tests beautiful
Making cross browser tests beautiful
 
Selenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver TutorialSelenium Clinic Eurostar 2012 WebDriver Tutorial
Selenium Clinic Eurostar 2012 WebDriver Tutorial
 
Joy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan RichardsonJoy of Coding Conference 2019 slides - Alan Richardson
Joy of Coding Conference 2019 slides - Alan Richardson
 
TDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and GomegaTDD in Go with Ginkgo and Gomega
TDD in Go with Ginkgo and Gomega
 
How To Test With Agility
How To Test With AgilityHow To Test With Agility
How To Test With Agility
 
Technical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" GameTechnical and Testing Challenges: Using the "Protect The Square" Game
Technical and Testing Challenges: Using the "Protect The Square" Game
 
Odinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support TestingOdinstar 2017 - Real World Automating to Support Testing
Odinstar 2017 - Real World Automating to Support Testing
 

Andere mochten auch

Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreJosh Sokol
 
Keynote: My Quest for Silver Bullets
Keynote: My Quest for Silver BulletsKeynote: My Quest for Silver Bullets
Keynote: My Quest for Silver BulletsAlan Richardson
 
Unconventional Influences
Unconventional InfluencesUnconventional Influences
Unconventional InfluencesAlan Richardson
 
Lessons learned with Bdd: a tutorial
Lessons learned with Bdd: a tutorialLessons learned with Bdd: a tutorial
Lessons learned with Bdd: a tutorialAlan Richardson
 
Daniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxDaniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxRomania Testing
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionAshraf Bashir
 

Andere mochten auch (8)

Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
 
Keynote: My Quest for Silver Bullets
Keynote: My Quest for Silver BulletsKeynote: My Quest for Silver Bullets
Keynote: My Quest for Silver Bullets
 
Unconventional Influences
Unconventional InfluencesUnconventional Influences
Unconventional Influences
 
Lessons learned with Bdd: a tutorial
Lessons learned with Bdd: a tutorialLessons learned with Bdd: a tutorial
Lessons learned with Bdd: a tutorial
 
Daniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolboxDaniel billing exploring the security testers toolbox
Daniel billing exploring the security testers toolbox
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Burp Suite v1.1 Introduction
Burp Suite v1.1 IntroductionBurp Suite v1.1 Introduction
Burp Suite v1.1 Introduction
 
Proxy War
Proxy WarProxy War
Proxy War
 

Ähnlich wie The Evil Tester's Guide to HTTP proxies Tutorial

Confessions of an Accidental Security Tester
Confessions of an Accidental Security TesterConfessions of an Accidental Security Tester
Confessions of an Accidental Security TesterAlan Richardson
 
Test-Driven Development (TDD) in Swift
Test-Driven Development (TDD) in SwiftTest-Driven Development (TDD) in Swift
Test-Driven Development (TDD) in SwiftAmey Tavkar
 
Have you been stalking your servers?
Have you been stalking your servers?Have you been stalking your servers?
Have you been stalking your servers?morpht
 
Have you been stalking your servers?
Have you been stalking your servers?Have you been stalking your servers?
Have you been stalking your servers?Martin Marji Cermak
 
The Evil tester's Guide to Web Testing
The Evil tester's Guide to Web TestingThe Evil tester's Guide to Web Testing
The Evil tester's Guide to Web TestingAlan Richardson
 
Demise of test scripts rise of test ideas
Demise of test scripts rise of test ideasDemise of test scripts rise of test ideas
Demise of test scripts rise of test ideasRichard Robinson
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
EuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingEuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingAlessandro Molina
 
Toronto mule soft meetup november 2021
Toronto mule soft meetup november 2021Toronto mule soft meetup november 2021
Toronto mule soft meetup november 2021Anurag Dwivedi
 
Tools and libraries for common problems (Early Draft)
Tools and libraries for common problems (Early Draft)Tools and libraries for common problems (Early Draft)
Tools and libraries for common problems (Early Draft)rc2209
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
How to establish ways of working that allows shifting-left of the automation ...
How to establish ways of working that allows shifting-left of the automation ...How to establish ways of working that allows shifting-left of the automation ...
How to establish ways of working that allows shifting-left of the automation ...Max Barrass
 
Protractor End To End Testing For AngularJS
Protractor End To End Testing For AngularJSProtractor End To End Testing For AngularJS
Protractor End To End Testing For AngularJSKnoldus Inc.
 
Release & Iterate Faster: Stop Manual Testing
Release & Iterate Faster: Stop Manual TestingRelease & Iterate Faster: Stop Manual Testing
Release & Iterate Faster: Stop Manual TestingDrew Hannay
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and DevelopmentOpersys inc.
 
Git Basics Workshop Summer of Tech 2010
Git Basics Workshop Summer of Tech 2010Git Basics Workshop Summer of Tech 2010
Git Basics Workshop Summer of Tech 2010Y. Thong Kuah
 
5 cro tools that i can't live without
5 cro tools that i can't live without5 cro tools that i can't live without
5 cro tools that i can't live withoutCraig Sullivan
 

Ähnlich wie The Evil Tester's Guide to HTTP proxies Tutorial (20)

Confessions of an Accidental Security Tester
Confessions of an Accidental Security TesterConfessions of an Accidental Security Tester
Confessions of an Accidental Security Tester
 
Test-Driven Development (TDD) in Swift
Test-Driven Development (TDD) in SwiftTest-Driven Development (TDD) in Swift
Test-Driven Development (TDD) in Swift
 
Tdd in swift
Tdd in swiftTdd in swift
Tdd in swift
 
Have you been stalking your servers?
Have you been stalking your servers?Have you been stalking your servers?
Have you been stalking your servers?
 
Have you been stalking your servers?
Have you been stalking your servers?Have you been stalking your servers?
Have you been stalking your servers?
 
The Evil tester's Guide to Web Testing
The Evil tester's Guide to Web TestingThe Evil tester's Guide to Web Testing
The Evil tester's Guide to Web Testing
 
Demise of test scripts rise of test ideas
Demise of test scripts rise of test ideasDemise of test scripts rise of test ideas
Demise of test scripts rise of test ideas
 
Ui Testing with Ghost Inspector
Ui Testing with Ghost InspectorUi Testing with Ghost Inspector
Ui Testing with Ghost Inspector
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
 
EuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingEuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears Training
 
Toronto mule soft meetup november 2021
Toronto mule soft meetup november 2021Toronto mule soft meetup november 2021
Toronto mule soft meetup november 2021
 
Tools and libraries for common problems (Early Draft)
Tools and libraries for common problems (Early Draft)Tools and libraries for common problems (Early Draft)
Tools and libraries for common problems (Early Draft)
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018
 
How to establish ways of working that allows shifting-left of the automation ...
How to establish ways of working that allows shifting-left of the automation ...How to establish ways of working that allows shifting-left of the automation ...
How to establish ways of working that allows shifting-left of the automation ...
 
Development nightmares
Development nightmaresDevelopment nightmares
Development nightmares
 
Protractor End To End Testing For AngularJS
Protractor End To End Testing For AngularJSProtractor End To End Testing For AngularJS
Protractor End To End Testing For AngularJS
 
Release & Iterate Faster: Stop Manual Testing
Release & Iterate Faster: Stop Manual TestingRelease & Iterate Faster: Stop Manual Testing
Release & Iterate Faster: Stop Manual Testing
 
Android Platform Debugging and Development
Android Platform Debugging and DevelopmentAndroid Platform Debugging and Development
Android Platform Debugging and Development
 
Git Basics Workshop Summer of Tech 2010
Git Basics Workshop Summer of Tech 2010Git Basics Workshop Summer of Tech 2010
Git Basics Workshop Summer of Tech 2010
 
5 cro tools that i can't live without
5 cro tools that i can't live without5 cro tools that i can't live without
5 cro tools that i can't live without
 

Mehr von Alan Richardson

The Future of Testing Webinar
The Future of Testing WebinarThe Future of Testing Webinar
The Future of Testing WebinarAlan Richardson
 
Programming katas for Software Testers - CounterStrings
Programming katas for Software Testers - CounterStringsProgramming katas for Software Testers - CounterStrings
Programming katas for Software Testers - CounterStringsAlan Richardson
 
About Consultant Alan Richardson Compendium Developments Evil Tester
About Consultant Alan Richardson Compendium Developments Evil TesterAbout Consultant Alan Richardson Compendium Developments Evil Tester
About Consultant Alan Richardson Compendium Developments Evil TesterAlan Richardson
 
Automating and Testing a REST API
Automating and Testing a REST APIAutomating and Testing a REST API
Automating and Testing a REST APIAlan Richardson
 
TDD - Test Driven Development - Java JUnit FizzBuzz
TDD - Test Driven Development - Java JUnit FizzBuzzTDD - Test Driven Development - Java JUnit FizzBuzz
TDD - Test Driven Development - Java JUnit FizzBuzzAlan Richardson
 
Your Automated Execution Does Not Have to be Flaky
Your Automated Execution Does Not Have to be FlakyYour Automated Execution Does Not Have to be Flaky
Your Automated Execution Does Not Have to be FlakyAlan Richardson
 
What is Testability vs Automatability? How to improve your Software Testing.
What is Testability vs Automatability? How to improve your Software Testing.What is Testability vs Automatability? How to improve your Software Testing.
What is Testability vs Automatability? How to improve your Software Testing.Alan Richardson
 
What is Agile Testing? A MindMap
What is Agile Testing? A MindMapWhat is Agile Testing? A MindMap
What is Agile Testing? A MindMapAlan Richardson
 
Evil Tester's Guide to Agile Testing
Evil Tester's Guide to Agile TestingEvil Tester's Guide to Agile Testing
Evil Tester's Guide to Agile TestingAlan Richardson
 
The Evil Tester Show - Episode 001 Halloween 2017
The Evil Tester Show - Episode 001 Halloween 2017The Evil Tester Show - Episode 001 Halloween 2017
The Evil Tester Show - Episode 001 Halloween 2017Alan Richardson
 
What is Regression Testing?
What is Regression Testing?What is Regression Testing?
What is Regression Testing?Alan Richardson
 
Simple ways to add and work with a `.jar` file in your local maven setup
Simple ways to add and work with a `.jar` file in your local maven setupSimple ways to add and work with a `.jar` file in your local maven setup
Simple ways to add and work with a `.jar` file in your local maven setupAlan Richardson
 
Re-thinking Test Automation and Test Process Modelling (in pictures)
Re-thinking Test Automation and Test Process Modelling (in pictures)Re-thinking Test Automation and Test Process Modelling (in pictures)
Re-thinking Test Automation and Test Process Modelling (in pictures)Alan Richardson
 
Learning in Public - A How to Speak in Public Workshop
Learning in Public - A How to Speak in Public WorkshopLearning in Public - A How to Speak in Public Workshop
Learning in Public - A How to Speak in Public WorkshopAlan Richardson
 
How to Practise to Remove Fear of Public Speaking
How to Practise to Remove Fear of Public SpeakingHow to Practise to Remove Fear of Public Speaking
How to Practise to Remove Fear of Public SpeakingAlan Richardson
 

Mehr von Alan Richardson (16)

The Future of Testing Webinar
The Future of Testing WebinarThe Future of Testing Webinar
The Future of Testing Webinar
 
Programming katas for Software Testers - CounterStrings
Programming katas for Software Testers - CounterStringsProgramming katas for Software Testers - CounterStrings
Programming katas for Software Testers - CounterStrings
 
About Consultant Alan Richardson Compendium Developments Evil Tester
About Consultant Alan Richardson Compendium Developments Evil TesterAbout Consultant Alan Richardson Compendium Developments Evil Tester
About Consultant Alan Richardson Compendium Developments Evil Tester
 
Shift left-testing
Shift left-testingShift left-testing
Shift left-testing
 
Automating and Testing a REST API
Automating and Testing a REST APIAutomating and Testing a REST API
Automating and Testing a REST API
 
TDD - Test Driven Development - Java JUnit FizzBuzz
TDD - Test Driven Development - Java JUnit FizzBuzzTDD - Test Driven Development - Java JUnit FizzBuzz
TDD - Test Driven Development - Java JUnit FizzBuzz
 
Your Automated Execution Does Not Have to be Flaky
Your Automated Execution Does Not Have to be FlakyYour Automated Execution Does Not Have to be Flaky
Your Automated Execution Does Not Have to be Flaky
 
What is Testability vs Automatability? How to improve your Software Testing.
What is Testability vs Automatability? How to improve your Software Testing.What is Testability vs Automatability? How to improve your Software Testing.
What is Testability vs Automatability? How to improve your Software Testing.
 
What is Agile Testing? A MindMap
What is Agile Testing? A MindMapWhat is Agile Testing? A MindMap
What is Agile Testing? A MindMap
 
Evil Tester's Guide to Agile Testing
Evil Tester's Guide to Agile TestingEvil Tester's Guide to Agile Testing
Evil Tester's Guide to Agile Testing
 
The Evil Tester Show - Episode 001 Halloween 2017
The Evil Tester Show - Episode 001 Halloween 2017The Evil Tester Show - Episode 001 Halloween 2017
The Evil Tester Show - Episode 001 Halloween 2017
 
What is Regression Testing?
What is Regression Testing?What is Regression Testing?
What is Regression Testing?
 
Simple ways to add and work with a `.jar` file in your local maven setup
Simple ways to add and work with a `.jar` file in your local maven setupSimple ways to add and work with a `.jar` file in your local maven setup
Simple ways to add and work with a `.jar` file in your local maven setup
 
Re-thinking Test Automation and Test Process Modelling (in pictures)
Re-thinking Test Automation and Test Process Modelling (in pictures)Re-thinking Test Automation and Test Process Modelling (in pictures)
Re-thinking Test Automation and Test Process Modelling (in pictures)
 
Learning in Public - A How to Speak in Public Workshop
Learning in Public - A How to Speak in Public WorkshopLearning in Public - A How to Speak in Public Workshop
Learning in Public - A How to Speak in Public Workshop
 
How to Practise to Remove Fear of Public Speaking
How to Practise to Remove Fear of Public SpeakingHow to Practise to Remove Fear of Public Speaking
How to Practise to Remove Fear of Public Speaking
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 

Kürzlich hochgeladen (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 

The Evil Tester's Guide to HTTP proxies Tutorial

  • 1. The Evil Tester's Guide to HTTP Proxies A Tutorial for TestNet May 2013 Alan Richardson @eviltester www.eviltester.com www.compendiumdev.co.uk www.seleniumsimplified.com @eviltester slides: http://unow.be/at/gtn_tute
  • 2. Logistics ● 09:30 ● xx:xx half hour break ● 13:00 Only 3 hours! 1st Hour: Theory & Modern Browsers ● 20 mins Intro, basic theory ● 5 Mins 'Modern Browsers ● 5 Mins Demo ● 15 minutes browser exercise ● 15 minutes debrief 2nd Hour: BurpSuite ● 10 mins Introduction to proxies ● 20 mins BurpSuite overview ● 15 minutes BurpSuite Exercise ● 15 minutes BurpSuite debrief and questions 3rd Hour: Fiddler & End Notes ● 15 mins fiddler overview ● 15 minute Exercise ● 15 minute debrief and questions ● 10 minute end notes ● 5 minutes Q&A @eviltester slides: http://unow.be/at/gtn_tute
  • 3. Blurb: Evil Tester guide - HTTP proxies I test a lot of web applications. I use proxy servers to interrogate and manipulate web traffic. So in this tutorial I want to introduce you to the basics of proxy servers, using BurpSuite and Fiddler. We will cover and go beyond the obvious interrogation and manipulation traffic and also look at how to use autoresponders, custom rules and traffic generators. The different capabilities of the tools and how to use them in combination. And as a bonus we will look at the new features in modern browsers that help you achieve some of the proxy benefits out of the box, for those moments when you have to test unarmed. As well as the tools I want to cover the thought processes and models that help you get the best from the tools because "Form can follow features" and "Terrain can inform technique". @eviltester slides: http://unow.be/at/gtn_tute
  • 4. Technical Web Testing: A Model @eviltester slides: http://unow.be/at/gtn_tute
  • 6. The MORIM Loop - Model ● Model ○ ● ● ● ● Build a layered model of the application functionality, flows, technology usage, etc. Observe Reflect Interrogate Manipulate @eviltester slides: http://unow.be/at/gtn_tute
  • 7. The MORIM Loop - Observe ● Model ● Observe ○ ○ ○ ○ At every layer, what can you see? Can you increase the depth of observation. Do you understand what you see? What else could you observe? ● Reflect ● Interrogate @eviltester slides: http://unow.be/at/gtn_tute
  • 8. The MORIM Loop - Reflect ● Model ● Observe ● Reflect ○ ○ ○ ○ ○ Expand the model, Intent - for deliberate action Analyse the observations What does that imply? How? Risks? What else? When? ● Interrogate @eviltester ● Manipulate slides: http://unow.be/at/gtn_tute
  • 9. The MORIM Loop - Interrogate ● ● ● ● Model Observe Reflect Interrogate ○ ○ ○ ○ Deep dive into observed data Breakpoint Correlate data changes with state etc. ● Manipulate @eviltester slides: http://unow.be/at/gtn_tute
  • 10. The MORIM Loop - Manipulate ● ● ● ● ● Model Observe Reflect Interrogate Manipulate ○ ○ ○ ○ @eviltester Edit the data Change the state Edit the communication Change the environment context e.g. speed, memory, etc. slides: http://unow.be/at/gtn_tute
  • 11. The MORIM Loop - Utilisation ● ● ● ● ● Repeat Transpose - do the events in any order Learn Deliberately decide what to try next Do it - take advantage of what happens @eviltester slides: http://unow.be/at/gtn_tute
  • 12. During all the exercises; Consider: Observation ● What are you observing. What are you not observing. What do you want to observe? Why? Interrogation ● What do you want to see in more detail? How can you do that? Why? Manipulation ● What do you want to amend? How could you? Why? @eviltester slides: http://unow.be/at/gtn_tute
  • 14. High Level Generic Architecture Browser Server Traffic <-HTTP-> ● ● ● ● ● ● ● ● ● ● @eviltester client side state Cookie Management Local Storage HTML rendering JavaScript Execution etc. ● ● ● forms XML JSON etc. ● Web Server App Server Database server side state slides: http://unow.be/at/gtn_tute
  • 16. Modern Browsers ● Dev Tools ● Observe Network Traffic ● Interrogate & Manipulate ○ DOM ○ Data - cookies, local storage ● Differing capabilities between browsers "Don't get hung up on 'I need to test on BrowserX' - use them all, even while you focus on BrowserX" @eviltester slides: http://unow.be/at/gtn_tute
  • 17. Quick Demo of Modern Browser ● Interrogate Dom? ● Manipulate Dom? ● Observe Cookies? ● Interrogate Cookies? ● Manipulate Cookies? ● Observe Network Traffic? ● Interrogate Traffic? ● Manipulate Traffic? @eviltester slides: http://unow.be/at/gtn_tute
  • 18. Augment Browsers ● Out of the box experience continually improves ● Use browser plugins to increase the functionality of the browser even further @eviltester slides: http://unow.be/at/gtn_tute
  • 19. Gruyere - Cloud app to test against A Google App Engine hosted application to learn security testing for common vulnerabilities. Read the Instructions ● http://google-gruyere.appspot.com/ Create a new instance ● http://google-gruyere.appspot.com/start @eviltester slides: http://unow.be/at/gtn_tute
  • 20. For local App Testing ● WebGoat ○ http://code.google.com/p/webgoat/ Or anything from BitNami bitnami.org
  • 21. Modern Browser Exercise 1. Decide on a browser: IE, Firefox, Opera, Chrome 2. Find the Dev Tools in the browser 3. Visit http://google-gruyere.appspot.com/start 4. Explore and investigate the Browser capabilities using this app 5. Debrief in 15 mins ● What "Observe, Interrogate, Manipulate" capabilities did the browser have? ● What did you want them to have? ● Other thoughts? @eviltester slides: http://unow.be/at/gtn_tute
  • 22. For full control, Use a Proxy... @eviltester slides: http://unow.be/at/gtn_tute
  • 24. What is an HTTP Proxy? ● Sits between browser and server ● route all requests through the proxy Browser -> Request -> Proxy -> Server Browser <- Proxy <- Response <- Server Https handled by 'man in the middle' certificate use. @eviltester slides: http://unow.be/at/gtn_tute
  • 25. Why should a tester care? ● Learn ○ HTTP ○ JSON ○ App Architecture ● ● ● ● Observe & Manipulate Traffic Simulate Network Speeds Simulate different browsers Test new css and js without a release to main site ● Test extreme '4xx', '5xx' conditions @eviltester slides: http://unow.be/at/gtn_tute
  • 26. When should you use it? ● Almost all the time @eviltester slides: http://unow.be/at/gtn_tute
  • 27. When should you not use it? ● confirm a defect happens without the proxy ● streaming? ● long polling? A proxy is invasive, and can impact your results. So you need to double check your results without the proxy. But the value trumps the risk. @eviltester slides: http://unow.be/at/gtn_tute
  • 30. Proxies we will cover today ● BurpSuite ● Fiddler ● Capabilites ● Demos ● Exercises @eviltester slides: http://unow.be/at/gtn_tute
  • 31. Generic Testing Requirements Traffic {Request, Response} CRUD ● Create - Generate new requests ● Read - Observe Traffic ○ Requests ○ Responses ● Update ○ Manipulate Requests & Responses ■ Manually ■ Automatically ○ Replay Requests ● Delete - block requests or responses @eviltester slides: http://unow.be/at/gtn_tute
  • 33. Configure Browser to use a Proxy ● Chrome, IE all use the System Internet Settings ● Firefox and Opera can maintain proxy settings independently of system settings
  • 34. Configure Chrome to use a Proxy ● ChromeSettings search for proxy ● Use the normal system proxy settings ● Chrome Incognito and normal mode share proxy settings
  • 35. Configure Firefox to use a Proxy ● FirefoxOptions ○ AdvancedNetwork ■ Connection [Settings...] ■ Manual proxy configuration: ■ use value listed in ProxyOptions Listeners ■ ignore the "No Proxy For" ● If you already configured IE or Chrome then you could use System Proxy Settings
  • 36. Configure Opera to use a Proxy ● SettingsPreferences ○ AdvancedNetwork ○ [Proxy Servers...] ○ use config from ProxyOptions ● F12 can quickly toggle proxy on off once configured
  • 37. Configure IE to use a Proxy ● Config options ○ Connections ■ Lan settings ● Use Proxy Server ○ use details from ProxyOptions
  • 38. You may be asked about proxy certificate (BurpSuite portswigger) ● Adhoc - Add it as an exception ● To remove exception ○ Firefox ■ OptionsAdvancedEncryption ■ view certificates ● servers (PortSwigger) ○ Chrome ■ Settings search for manage certificates ○ Opera ■ Preferences ● ● AdvancedSecurity Manage Certificates... ○ IE ■ Config Internet Options Content [Certificates]
  • 40. What is BurpSuite? ● Java based Proxy ● Professional and Free License ○ Pro designed for security professionals ○ Free version usually good enough for testing ● Book: "The Web Application Hacker's Handbook" ● http://portswigger.net/burp/download.html @eviltester slides: http://unow.be/at/gtn_tute
  • 41. Basic Features For Testing ● ● ● ● ● ● Proxy Spider Repeater Sequencer Decoder Comparer @eviltester slides: http://unow.be/at/gtn_tute
  • 42. How to Install & Run ● Download the .jar file ○ http://portswigger.net/burp/download.html ● Double click or "java -jar burpsuite_free_vx. x.jar" ○ where x.x is the version you downloaded @eviltester slides: http://unow.be/at/gtn_tute
  • 43. BurpSuite Basics ● ● ● ● ● ● ● ● ● ● Tabbed GUI ProxyOptions Configure Browser Intercept Obeserve with History Tab Repeater to replay and manipulate Site Map Spider Decoder Intruder - variety of params @eviltester slides: http://unow.be/at/gtn_tute
  • 44. Exercise - explore tool and proxy capabilities ● 20 mins explore, 10 mins debrief ● Use BurpSuite on guyere ○ ○ ○ ○ ○ Setup the proxy Config browser to point to browser Choose a site and browse View the Traffic View sitemap ■ visit pages you haven't been that sitemap found ○ Repeat requests ○ Tamper Traffic ○ do any of the pages lend themselves to sequencing? @eviltester slides: http://unow.be/at/gtn_tute
  • 47. What is Fiddler? ● .net based (v2 & v4) ● http://www.fiddler2.com/ ● now owned by Teleric @eviltester slides: http://unow.be/at/gtn_tute
  • 48. Obvious Differences ● Automatically hooks into Windows System Proxy ○ IE & Chrome use by default without configuration ○ This makes it good for beginners ● HTTPS decryption off by default ○ Tools Fiddler Options ■ HTTPS tab ● @eviltester Decrypt HTTPS traffic slides: http://unow.be/at/gtn_tute
  • 49. Fiddler Extensions ● www.fiddler2.com/fiddler2/extensions.asp ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ @eviltester ○ Formatters Windows 8 "Metro" Android & iOS Certificate maker Request Differ SAZ Clipboard Util Geo spoofing Rules Editor Privacy Scanner Performance Tester Helper Stress Testing Security Testing - Watcher & Ammonite & X5s Fuzzing - intruder21 slides: http://unow.be/at/gtn_tute etc.
  • 50. Fiddler Basics ● ● ● ● ● ● ● ● ● ● ● ● Firefox Hook "Tools Monitor with Fiddler" WebSessions Pane - History Statistics Tab Inspectors Tab AutoResponder Tab Composer Tab Filters Tab Timeline Tab Config Options Decode with TextWizard Replay Export Sessions
  • 51. Exercise - explore proxy functionality and compare with BurpSuite ● ● ● ● Any new functionality I didn't mention? Which is easier? Any missing functionality? Can you chain proxies? @eviltester slides: http://unow.be/at/gtn_tute
  • 53. Isn't this just Security Testing? Yes, No? Opinions? @eviltester slides: http://unow.be/at/gtn_tute
  • 54. Observation & Manipulation Comments on what you observed? ● What didn't you observe? ● What did you want to observe? ● What could you not observe? Comments on Manipulation? ● What did you manipulate? ● What did you want to manipulate? ● What could you not manipulate? @eviltester slides: http://unow.be/at/gtn_tute
  • 55. What makes a difference? You can manipulate a whole bunch of things, why would you want to manipulate the: ● ● ● ● ● Header? Body? Request URI? Params? Payload? @eviltester slides: http://unow.be/at/gtn_tute
  • 56. Inspiration from Form What can this tool do? == New test ideas! e.g. ● what does the autoresponder feature let me do? ● What could I use the save as HAR file for? ● etc. @eviltester slides: http://unow.be/at/gtn_tute
  • 58. Videos & Courses ● Evil Tester Videos on Burp on Youtube ○ www.youtube.com/watch?v=ft5MSmf42Kw ○ www.youtube.com/watch?v=JmAk1OVwp-4 ● ZAP ○ www.youtube.com/watch?v=QG2RCZHMEkM ○ www.youtube.com/user/psiinon?feature=watch ● Technical Web Testing 101 ○ http://unow.be/at/techwebtest101 ○ Free Online Course @eviltester slides: http://unow.be/at/gtn_tute
  • 59. Books ● The Web Application Hacker's Handbook ○ www.amazon.com/exec/obidos/ASIN/1118026470 ○ www.amazon.co.uk/exec/obidos/ASIN/1118026470 ● Debugging with Fiddler by Eric Lawrence ○ www.amazon.com/exec/obidos/ASIN/1475024487 ○ www.amazon.co.uk/exec/obidos/ASIN/1475024487 @eviltester slides: http://unow.be/at/gtn_tute
  • 60. Proxies ● BurpSuite ○ http://www.portswigger.net/burp/ ● Fiddler ○ http://www.fiddler2.com/fiddler2/ ● zaproxy (Zed Attack Proxy) ○ http://code.google.com/p/zaproxy/ ● https://twitter.com/zaproxy @eviltester slides: http://unow.be/at/gtn_tute
  • 61. Apps to test against ● http://google-gruyere.appspot.com/part1 ○ http://google-gruyere.appspot.com/start ● https://hack.me/ ● http://demo.testfire.net/ ● WebGoat ○ http://code.google.com/p/webgoat/ ● Lists of Apps to Test Against ○ http://blog.taddong.com/2011/10/hacking-vulnerableweb-applications.html @eviltester slides: http://unow.be/at/gtn_tute
  • 63. Alan Richardson is an Independent Test Consultant based in the UK. He offers training and consultancy in Selenium WebDriver, exploratory and technical web testing. ● uk.linkedin.com/in/eviltester Contact Alan for training and consultancy tailored to your needs: alan@compendiumdev.co.uk Blogs and Websites ● ● ● SeleniumSimplified.com EvilTester.com Testing Papers and Tools ○ CompendiumDev.co.uk Twitter: @eviltester Online Training Courses ● ● ● Technical Web Testing 101 ○ Unow.be/at/udemy101 Intro to Selenium ○ Unow.be/at/udemystart Selenium 2 WebDriver API ○ Unow.be/at/udemyapi Videos youtube.com/user/EviltesterVideos Books Selenium Simplified Unow.be/rc/selsimp