Test-suite for a password protected website

David Dick david_dick at iprimus.com.au
Thu Dec 25 02:00:24 CST 2003

Interesting problem that i have encountered. 

If i have the time, it's good to be able to automatically and quickly 
validate a system's integrity by having a automated test suite (using 
something like Test::Harness, etc).  However, from a security viewpoint, 
how do people cope with username / passwords.  I seem to have hit a bit 
of a roadblock, in that i can test the business logic of a system 
easily, but to be able to say

ok($response->code() eq '200', "My password protected web page is 

i think i need to either

1) embed a valid username / password into the test script.

This seems just awful, more so if i want to package something up and 
release it

2) store my passwords in a decryptable format and decrypt a suitable one 
when the time comes

This seems a bit better but where do i store the decryption keys, and 
how secure is a system that you can decrypt passwords anyway?

3) prompt for the username / password when the script runs

This of course makes it impossible to run without human intervention (or 
Expect, in which case we have returned to 1.)

4) disable username / password requirements during testing

Fine, except for a live environment

Personally i think option 3 is the best compromise i can think of, as it 
does not require any passwords to be included in the test-suite or 
accessible from the test suite and if automation is desired then you can 
use Expect.

Has anyone come up with a cool way of cracking this particular nut, or 
is it an area that just requires tradeoffs?

More information about the Melbourne-pm mailing list