In an ASP.NET MVC project along with a test case project,
How does someone create a test case to test against existing security exploits on a controller method?
For example, how do you create a test case for a call that needs an anti-forgery token? Or XSS?
The best way to test for XSS is by using a specialized tool for testing for these types of vulnerabilities. Wapiti and w3af are both good open source tools that can test for XSS, SQL Injection and worse vulnerabilities. Acunetix is easy to use but it is expensive; however, the free edition will only test for XSS, which is what you need:
http://www.acunetix.com/cross-site-scripting/scanner.htm
I believe that by “anti-forgery token” you are referring to an XSRF protection system. I don’t believe that an automated test can be created against XSRF. XSRF has absolutely nothing to do with the type of data being sent in a request, but rather where it is coming from. Tools have been written to test for XSRF and w3af has one of these tests. However, every automated XSRF test I have seen is COMPLETELY WORTHLESS. If you want an XSRF test done right you have to do it yourself:
http://www.owasp.org/index.php/Testing_for_CSRF_%28OWASP-SM-005%29
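An added example, not part of the question or the answer above: one thing a unit test in an ASP.NET MVC test project can verify is that the protections are actually wired up. The MSTest class below uses reflection to assert that every POST/PUT/DELETE action in the web assembly carries [ValidateAntiForgeryToken] (on the action or its controller), and that no action or controller disables request validation with [ValidateInput(false)], which is the built-in first line of defence against reflected XSS payloads in request data. The namespace MyMvcApp and the controller MyMvcApp.Controllers.HomeController are placeholder names standing in for the real web project; the code assumes ASP.NET MVC 3 or later. It proves the attributes are present, not that the token check itself behaves correctly at runtime, so it complements rather than replaces the manual CSRF testing the answer points to.

```csharp
// Added example (not from the original question or answer): reflection-based
// security regression tests for an ASP.NET MVC web project, written for MSTest.
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using Microsoft.VisualStudio.TestTools.UnitTesting;

namespace MyMvcApp.Tests // placeholder test project namespace
{
    [TestClass]
    public class SecurityAttributeTests
    {
        // Placeholder: any one controller type from the web project is enough to
        // locate its assembly; every Controller subclass in it is then scanned.
        private static readonly Assembly WebAssembly =
            typeof(MyMvcApp.Controllers.HomeController).Assembly;

        private static MethodInfo[] AllActions()
        {
            return WebAssembly.GetTypes()
                .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
                .SelectMany(t => t.GetMethods(
                    BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
                // Skip property accessors and methods explicitly marked as non-actions.
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true))
                .ToArray();
        }

        // POST/PUT/DELETE actions change state, so they are the ones CSRF targets;
        // GET actions are out of scope because they must not change state at all.
        private static bool IsStateChanging(MethodInfo m)
        {
            return m.IsDefined(typeof(HttpPostAttribute), true)
                || m.IsDefined(typeof(HttpPutAttribute), true)
                || m.IsDefined(typeof(HttpDeleteAttribute), true);
        }

        // [ValidateAntiForgeryToken] is valid on the action or on the controller class.
        private static bool HasAntiForgeryToken(MethodInfo m)
        {
            return m.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
                || m.DeclaringType.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true);
        }

        // [ValidateInput(false)] turns off request validation for that scope.
        private static bool DisablesRequestValidation(MemberInfo member)
        {
            return member.GetCustomAttributes(typeof(ValidateInputAttribute), true)
                .Cast<ValidateInputAttribute>()
                .Any(a => !a.EnableValidation);
        }

        [TestMethod]
        public void StateChangingActions_RequireAntiForgeryToken()
        {
            var offenders = AllActions()
                .Where(IsStateChanging)
                .Where(m => !HasAntiForgeryToken(m))
                .Select(m => m.DeclaringType.Name + "." + m.Name)
                .ToList();

            Assert.AreEqual(0, offenders.Count,
                "Actions missing [ValidateAntiForgeryToken]: " + string.Join(", ", offenders));
        }

        [TestMethod]
        public void NoActionDisablesRequestValidation()
        {
            var offenders = AllActions()
                .Where(m => DisablesRequestValidation(m) || DisablesRequestValidation(m.DeclaringType))
                .Select(m => m.DeclaringType.Name + "." + m.Name)
                .ToList();

            Assert.AreEqual(0, offenders.Count,
                "Actions with request validation disabled: " + string.Join(", ", offenders));
        }
    }
}
```

If a specific action legitimately needs raw HTML input, the failing test makes that decision visible in code review: the usual fix is to move to [AllowHtml] on the single model property concerned rather than disabling validation for the whole action, and to encode that property on output.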