
Setting the context: We have an internal app that started out as a web application, but now uses the windows desktop model instead of the browser for rendering. So instead of opening in browsers, the web app opens in modeless windows that are coded in C#. The user has to install a small exe to setup the modeless windows.

You would be clicking custom built toolbars (instead of the File, Edit, View options etc.) and those will launch modeless windows and trigger an HTML request. The response will be rendered in the modeless window.

Issue: we used to security test using Appscan when it was a pure browser application. We also use pen testers. However, Appscan doesn't work with the modeless windows model. It only manages to capture the first request (which is usually the login request). Would you happen to know of any tool or testing framework/model that can security test this kind of an app?

I did try to look at relevant links, but they all seem to point to pure browser based web testing. Like this one: Web application security testing

Thanks in advance!

Edit: An example: have a look at http://samples.msdn.microsoft.com/workshop/samples/author/dhtml/refs/showModelessDialog.htm. How would I get AppScan to scan the request/response in the modeless windows?

WaveRider
  • what? what kind of security stuff are you after? is the application a winforms application? I don't understand what you expect to receive as an answer here. – Federico Berasategui Jan 29 '13 at 20:51
  • The application started off as a pure web application with an HTML / JSP / Java / WebSphere back end. However, the content was too heavy to render in the default IE browser, so we modified it to use the desktop windows for rendering. That's the only change (to speed up the performance on the client computers). However, this seems to have flummoxed AppScan. If I use Fiddler 2, it captures the requests and responses. However, AppScan cannot explore and test this application now.
    We're looking to do a complete commercial security test of the app
    – WaveRider Jan 29 '13 at 20:58
  • "desktop windows" doesn't tell me which UI technology you used. Also, I don't understand how having such sort of dumb application that only sends and receives web requests from a server is going to speed up anything. If you need a desktop application you have to do a desktop application. – Federico Berasategui Jan 29 '13 at 21:13
  • The desktop UI is coded in C#. It uses System.Windows.Forms. The issue was that there was a lot of processing activity and data on the client side (you'd have 1000+ rows fetched from the app server and it was a requirement that they all be shown on the UI; the browser couldn't handle that kind of activity). From what I see, I don't think this has been done before, so it may take a bit of explaining. Thanks for your patience. If you have questions, I'll answer them. – WaveRider Jan 29 '13 at 21:29
  • I still don't see what kind of security tests you expect. "security" is a very broad term and it doesn't tell me what kind of tests you expect. Desktop applications are very different from web applications (in the sense that there's no such thing as script injection, xss, etc in Winforms applications) – Federico Berasategui Jan 29 '13 at 21:32
  • If I had my web app opening in IE modeless windows like this: http://samples.msdn.microsoft.com/workshop/samples/author/dhtml/refs/showModelessDialog.htm, how would I run the security test? I would need to test for script injection and XSS in the modeless windows. – WaveRider Jan 29 '13 at 21:33
  • You still don't seem to understand... **There's no such thing as request/response in Winforms!** – Federico Berasategui Jan 29 '13 at 21:35
  • Win Form has a web browser control in it that displays the web pages from the server. Look at it like the Online Help that opens up in Visual Studio, in my case i have multiple forms (with web browser controls) opening up multiple web pages. – WaveRider Jan 29 '13 at 21:38
  • So we're back to the same point. Your application is a dumb terminal that does nothing except showing web pages. Whatever web pages are opened in the application can also be opened in any browser such as I.E or chrome. To test the web page with whatever software that expects a browser opening a web page, simply open the web page in the browser instead. My point still stands that this will in no way improve performance, and it is not a "Real" desktop application in the strict sense. – Federico Berasategui Jan 29 '13 at 21:41
  • I agree. This is essentially a web application that is launched using an exe file that spawns forms with web browser controls. Unfortunately, this can't be tested using the standard browsers, as the entry point has changed to the exe form. The performance here is not related to the server, which will be unaffected, but to the rendering of huge amounts of data on the client machine. – WaveRider Jan 30 '13 at 14:49
  • Putting the "browser" in a WinForms window is not going to make it render faster. On the contrary, WinForms itself is one of the slowest pieces of software ever. Take a look at [this comment](http://stackoverflow.com/questions/14565773/improving-winforms-performance-with-large-number-of-controls/14566539#comment20386098_14566539) – Federico Berasategui Jan 30 '13 at 14:55

1 Answer


What needs to be tested (for security) beyond the login? You've essentially created a dumb terminal that passes commands to a server and renders responses from that server.

If you really need some automated tester to work, then create a command-line switch for your EXE (dumbtermina.exe /test) that renders a regular windows form with simple buttons that simulate all of the menu and other commands.

Louis Ricci
  • Thanks for your reply! The terminal is a System.Windows.Forms type. It is also updated based on the response. The menu items change, the options on display are shown based on the user's role. So far, it does look like we may have to modify the exe to allow for such testing. I tried uploading a snapshot, but it looks like it didn't work. We're looking to do a complete commercial security test of the app – WaveRider Jan 29 '13 at 21:21
  • I've added an example link for the issue I'm trying to resolve. – WaveRider Jan 29 '13 at 21:32
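An added example (not code from the question or the answer) of the `/test` switch the answer proposes: the EXE, when started with `/test`, shows one form with a WebBrowser control and one button per toolbar command, so a proxy-based scanner can record every request the real toolbar would issue. `MainForm` (the normal UI) and the command-to-URL table are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;

// Hypothetical entry point for the asker's EXE; MainForm is assumed to be the
// existing modeless-window UI and is not defined here.
static class Program
{
    // Constructed sample of toolbar commands and the requests they trigger; the
    // real app would build this table from its own menu model (incl. role-based items).
    static readonly Dictionary<string, string> Commands = new Dictionary<string, string>
    {
        { "Login",        "https://app.example.internal/login" },
        { "List orders",  "https://app.example.internal/orders?rows=1000" },
        { "Order detail", "https://app.example.internal/orders/1" },
    };

    [STAThread]
    static void Main(string[] args)
    {
        Application.EnableVisualStyles();
        bool testMode = Array.Exists(args, a => a.Equals("/test", StringComparison.OrdinalIgnoreCase));
        Application.Run(testMode ? BuildTestForm() : new MainForm());
    }

    // One form, one WebBrowser control, one button per command. Each click issues
    // exactly the request the toolbar would, so a scanner configured as the
    // proxy sees the complete request/response sequence, not just the login.
    static Form BuildTestForm()
    {
        var form = new Form { Text = "Security test harness", Width = 900, Height = 700 };
        var browser = new WebBrowser { Dock = DockStyle.Fill, ScriptErrorsSuppressed = true };
        var bar = new FlowLayoutPanel { Dock = DockStyle.Top, Height = 40 };
        foreach (var cmd in Commands)
        {
            var button = new Button { Text = cmd.Key, AutoSize = true };
            string url = cmd.Value; // copy per iteration so each closure keeps its own URL
            button.Click += (s, e) => browser.Navigate(url);
            bar.Controls.Add(button);
        }
        form.Controls.Add(browser); // Fill control added first, Top panel after, so the bar docks above it
        form.Controls.Add(bar);
        return form;
    }
}
```

Because the WinForms WebBrowser control uses the WinINET stack, it honours the Internet Explorer proxy settings, so pointing those at the scanner's listening proxy is enough to capture this traffic.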