This patch depends on the patches in ticket:11 and ticket:12
This patch improves the form fuzzing ability of tarantula by allowing a crawler to have multiple "fuzzers" just as it can have multiple reporters and handlers. FormSubmission is the default fuzzer so everything works like before by default. For my needs I added XssFormSubmission and XssDocumentCheckerHandler which work together to perform rudimentary XSS checking while crawling.
I also added a times_to_crawl field to the crawler that defaults to 1. This is necessary so that the entire site gets crawled after fuzzed data has been submitted to every form, and no pages that could possibly contain bad data get missed.
Here's a small example of what I do in my tests:
    t = tarantula_crawler(self, :verbose => true)
    t.skip_uri_patterns << /session/ << /users/
    Relevance::Tarantula::XssFormSubmission.attacks = @attacks
    t.fuzzers = [Relevance::Tarantula::XssFormSubmission]
    t.handlers << Relevance::Tarantula::XssDocumentCheckerHandler.new(@attacks)
    t.times_to_crawl = 2
    t.crawl
where @attacks is an array of hashes, each hash of the form:
    {
      'name' => 'name of the XSS attack',
      'code' => 'some text to submit that should be escaped by the app',
      'desc' => 'description of the attack that will show up in reports'
    }
I use http://ha.ckers.org/xss.html to get my list of attacks.
The crawler iterates over the fuzzers calling 'mutate' and passing in the form. The XssFormSubmission fuzzer will return an array of form_submissions each with all of the fields filled in from one attack (except selects, because of date_select issues).
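As an added illustration (not code from the ticket or from Tarantula itself), here is a self-contained Ruby model of the two pieces just described: a fuzzer whose mutate builds one submission per attack with every fillable field set to that attack's code (selects skipped), and a handler that flags attack code appearing verbatim in a crawled page. The class names, the Form struct and the sample attacks are constructed for the example.

```ruby
require 'cgi'

# Constructed model of a crawled form: action URL plus [field_name, input_type] pairs (not Tarantula's Form).
Form = Struct.new(:action, :fields)

# Stand-in for XssFormSubmission: attacks live at class level, and mutate
# yields one submission per attack with every fillable field set to its code.
class XssFormSubmissionExample
  class << self; attr_accessor :attacks; end
  self.attacks = []

  def self.mutate(form)
    attacks.map do |attack|
      params = {}
      form.fields.each do |name, type|
        next if type == 'select' # skipped, as the ticket does for date_select fields
        params[name] = attack['code']
      end
      { 'action' => form.action, 'attack' => attack['name'], 'params' => params }
    end
  end
end

# Stand-in for XssDocumentCheckerHandler: flag any attack whose code appears
# verbatim in a crawled page. An app that escapes output renders the same
# text with &lt; and &quot;, so the raw code never matches.
class XssDocumentCheckerExample
  def initialize(attacks)
    @attacks = attacks
  end
  def check(body)
    @attacks.select { |a| body.include?(a['code']) }.map { |a| a['name'] }
  end
end

# Constructed sample data in the shape the ticket describes.
SAMPLE_ATTACKS = [
  { 'name' => 'script tag', 'code' => '<script>alert(1)</script>', 'desc' => 'unescaped script element' },
  { 'name' => 'attribute breakout', 'code' => '"><b>probe</b>', 'desc' => 'closes an attribute and injects markup' }
]
SAMPLE_FORM = Form.new('/users', [['user[name]', 'text'], ['user[bio]', 'textarea'], ['user[birthday(1i)]', 'select']])

def demo
  XssFormSubmissionExample.attacks = SAMPLE_ATTACKS
  submissions = XssFormSubmissionExample.mutate(SAMPLE_FORM)
  checker = XssDocumentCheckerExample.new(SAMPLE_ATTACKS)
  unsafe = "<p>Hello #{SAMPLE_ATTACKS[0]['code']}</p>"                # app echoed raw input
  safe = "<p>Hello #{CGI.escapeHTML(SAMPLE_ATTACKS[0]['code'])}</p>" # app escaped it
  [submissions, checker.check(unsafe), checker.check(safe)]
end
```

Running demo returns the two submissions (one per attack, without the select field), the checker's hit list for the unescaped page, and an empty list for the escaped one.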
I also had to comment out the xss-shield stuff as it defeated the purpose of XSS testing by modifying the app to escape strings in templates.
It's pretty basic right now, but hopefully it will be useful to others.