Zero-configuration, automated, random testing tools for web-apps?

5

16

In short, I'm looking for a tool to perform an automated, zero-configuration, full-frontal assault on a web application.

I'm thinking this would logically be a browser-extension that both crawls links on a given domain/path, AND randomly inputs data into forms and submits them. Specifically, form input would randomly include various data types, special characters, excessive data, various character encodings, and null values. Multithreading is a necessity (perhaps one plugin simply utilizing multiple Firefox tabs).

The tool does NOT (and should not) need to make any assertions about the results, or verify any application behavior. Instead, the persistence layer (DB records, etc.) and application logs would be used to evaluate the results of this "testing effort."

This would be a tool to complement existing testing tools (Selenium, QuickTestPro) and methodologies that may not have 100% coverage.

Any suggestions for existing or in-development tools? If not, I am eager to start an open-source project.

CLARIFICATION: I am specifically not looking for a penetration testing tool.

UPDATE: I have founded an open source project to satisfy this question. See comments below.

Gwyngwyneth answered 22/1, 2010 at 18:8 Comment(1)
Since there has not been a satisfactory suggestion up until this point, I have founded the FuzzyFox project for Firefox: code.google.com/p/fuzzyfox - Gwyngwyneth
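
The input classes the question lists (data types, special characters, excessive data, character encodings, null values), applied to the forms found in a page, as an added example that is not part of the original thread and not code from FuzzyFox or any tool named here. `SAMPLE_HTML`, `FormFinder`, `GENERATORS`, `fuzz_form` and `generate` are hypothetical names, and modelling "null" as an omitted field is an assumption; the seed lets a run be replayed when a log entry or DB record looks wrong.

```python
import random
from html.parser import HTMLParser

# Constructed sample page; the form and its field names are illustrative only.
SAMPLE_HTML = """<form action="/signup" method="post">
  <input type="text" name="username"> <input type="email" name="email">
  <textarea name="bio"></textarea> <select name="plan"><option value="free">Free</option></select>
  <input type="submit" value="Go">
</form>"""

class FormFinder(HTMLParser):
    """Collect every <form> and the names of its fillable controls."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "textarea", "select") and self.forms and a.get("name"):
            if (a.get("type") or "text").lower() not in ("submit", "button", "reset", "image"):
                self.forms[-1]["fields"].append(a["name"])

# One generator per input class from the question. Assumption: "null" means the
# field is left out of the submission (None); "empty" is a zero-length value.
GENERATORS = {
    "integer":   lambda r: str(r.randint(-2**63, 2**63)),
    "float":     lambda r: repr(r.uniform(-1e300, 1e300)),
    "special":   lambda r: "".join(r.choice("'\"<>&;%\\/{}|`~\t\n") for _ in range(r.randint(1, 40))),
    "excessive": lambda r: r.choice("aZ9 ") * r.randint(10_000, 100_000),
    "encoding":  lambda r: "naïve café".encode(r.choice(["utf-8", "utf-16-le", "latin-1"])),
    "empty":     lambda r: "",
    "null":      lambda r: None,
}

def fuzz_form(form, rng):
    """Return (payload, plan): the values to submit and the class chosen per field."""
    payload, plan = {}, {}
    for name in form["fields"]:
        plan[name] = rng.choice(list(GENERATORS))
        value = GENERATORS[plan[name]](rng)
        if value is not None:
            payload[name] = value
    return payload, plan

def generate(html, seed, rounds):
    finder = FormFinder()
    finder.feed(html)
    rng = random.Random(seed)  # seeded, so the same seed reproduces the same submissions
    return [(f["action"], *fuzz_form(f, rng)) for _ in range(rounds) for f in finder.forms]
```

Each tuple from `generate` is `(action, payload, plan)`; recording the seed and `plan` alongside the run is what makes a strange record in the persistence layer traceable to the input that produced it.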
2

I used the trial of Acunetix for a while. It seemed reasonably effective, although it took longer than I thought it ought to and it's certainly not open source.

I forgot what the thing was called, and this list at SoftwareQATest is where I found it again. That list may be useful to you. The list of testing tools at OWASP looks similarly handy.

Bracken answered 25/1, 2010 at 12:3 Comment(3)
As I stated in my reply to Toby's answer, I'm specifically NOT looking for a penetration testing tool, nor am I interested in having the tool evaluate any "results." I'm giving you a point for that first list though, even though I couldn't find anything relevant on it. - Gwyngwyneth
And yet, "randomly input data [...] include various data types, special characters, excessive data, various character encodings, and null values" is exactly what a web-based pen-testing tool will do. - Bracken
"and it's certainly not open source" Oh no, how could it possibly be useful then. - Lilly
2

It sounds like a fuzz testing tool may be what you need; tools like Wapiti will scan your app looking for parameterized URLs and forms to fill out, and use randomly generated data to exercise them.

Here is a good list of web app fuzzing tools.

Ophthalmoscope answered 27/1, 2010 at 17:3 Comment(1)
Fuzzing is definitely the term for what I'm looking for, but none of the tools I can find (that describe themselves as such) offer the basic features that I'm looking for. They're too focused on security, producing narrowly defined inputs, and analyzing the application's response. I'm more interested in simulating an insane user, not a malicious one. - Gwyngwyneth
1

What about Paros? http://www.parosproxy.org/functions.shtml

Proportioned answered 23/1, 2010 at 0:7 Comment(1)
I just installed Paros and tried it against my project. Penetration testing is specifically not my goal, but the tool's capabilities are in line with what I'm looking for... the input behavior would just need to be changed. - Gwyngwyneth
1

I'm not sure I've come across anything that fits the bill exactly, but Sulley is fairly close...

http://code.google.com/p/sulley/

I've never used it first hand, but I've heard it mentioned. Additionally, perhaps check this out:

http://www.owasp.org/index.php/Category:OWASP_JBroFuzz

Snyder answered 1/2, 2010 at 16:58 Comment(1)
I tried both of those through keturn's answer, and neither was quite right. It looks like I'll be rolling my own solution as an open source Firefox plugin in the near future. Thanks though! - Gwyngwyneth
0

Better late than never, I have just released a monkey-testing web service that I think fits the bill:

https://elsetest.com

It clicks links and inputs random words, long paragraphs, emails, passwords, phone numbers, dates, special characters, JavaScript etc. It deletes inputs, clicks buttons, checkboxes & radio buttons and selects from dropdowns. It also clicks randomly all over the page.

For years I have been using a similar approach at our company web site. It is quite comforting to let the monkey-testing run for a couple of hours; either some unexpected bugs show up or you feel a bit more at ease to schedule a new release.

I'm hoping others may find it useful as well.

Disclaimer: I am the founder of Elsetest and as of June 2023 it is an early release.

Keefe answered 8/6, 2023 at 14:50 Comment(0)
