Test-suite for a password protected website
David Dick
david_dick at iprimus.com.au
Thu Dec 25 02:00:24 CST 2003
Interesting problem that I have encountered.
If I have the time, it's good to be able to automatically and quickly validate a system's integrity by having an automated test suite (using something like Test::Harness, etc.). However, from a security viewpoint, how do people cope with usernames / passwords? I seem to have hit a bit of a roadblock, in that I can test the business logic of a system easily, but to be able to say
ok($response->code() eq '200', "My password protected web page is operational");
I think I need to either
1) embed a valid username / password into the test script.
This seems just awful, more so if I want to package something up and release it.
2) store my passwords in a decryptable format and decrypt a suitable one when the time comes.
This seems a bit better, but where do I store the decryption keys, and how secure is a system in which you can decrypt passwords anyway?
3) prompt for the username / password when the script runs.
This of course makes it impossible to run without human intervention (or Expect, in which case we have returned to 1).
4) disable username / password requirements during testing.
Fine, except for a live environment.
Personally I think option 3 is the best compromise I can think of, as it does not require any passwords to be included in the test suite or accessible from the test suite, and if automation is desired then you can use Expect.
Has anyone come up with a cool way of cracking this particular nut, or is it an area that just requires tradeoffs?
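One further approach, as an added example that is not part of the original post: keep the credentials entirely outside the test script and the distribution, supply them at run time from the environment (as a CI runner would) or from a file readable only by the test user, and have the test skip cleanly rather than fail when none are present. The TEST_SITE_* variable names, the example URL, and the assumption that the page uses HTTP Basic authentication are all made up for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original post): credentials never live in the
# test script; they come from the environment or a mode-0600 file at run time.
use strict;
use warnings;
use Test::More;
use LWP::UserAgent;
use HTTP::Request::Common qw(GET);

# Assumed names: TEST_SITE_URL, TEST_SITE_USER, TEST_SITE_PASS, TEST_SITE_CREDFILE
my $url = $ENV{TEST_SITE_URL} || 'https://www.example.com/protected/';

sub load_credentials {
    # 1) environment variables, typically injected by the CI runner
    if (defined $ENV{TEST_SITE_USER} && defined $ENV{TEST_SITE_PASS}) {
        return ($ENV{TEST_SITE_USER}, $ENV{TEST_SITE_PASS});
    }
    # 2) a two-line credentials file kept outside the distribution;
    #    refuse it unless only the owner can read it
    my $file = $ENV{TEST_SITE_CREDFILE} or return;
    my $mode = (stat $file)[2] or return;
    if ($mode & 0077) {
        diag("$file is readable by group/other; refusing to use it");
        return;
    }
    open my $fh, '<', $file or return;
    chomp(my $user = <$fh> // '');
    chomp(my $pass = <$fh> // '');
    close $fh;
    return unless length $user && length $pass;
    return ($user, $pass);
}

my ($user, $pass) = load_credentials();
plan skip_all => 'no test credentials (set TEST_SITE_USER/TEST_SITE_PASS or TEST_SITE_CREDFILE)'
    unless defined $user;
plan tests => 2;

my $ua = LWP::UserAgent->new(timeout => 30);
# Without credentials the page must be refused (assumes HTTP Basic auth) ...
my $anon = $ua->request(GET $url);
is($anon->code, 401, 'protected page rejects anonymous request');
# ... and with them it must work; the secret exists only in this request.
my $req = GET $url;
$req->authorization_basic($user, $pass);
my $auth = $ua->request($req);
is($auth->code, 200, 'my password protected web page is operational');
```

Checking the anonymous request as well as the authenticated one guards against option 4 being left switched on in a live environment, since a page that answers 200 to everyone would otherwise pass the test.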