Those of you who frequently use our tools on secapps.com are probably aware of the existence of a brand new application called WebAcid. This post is all about the WebAcid framework and what are my plans and hopes for this project.

WebAcid

I have to say that the market is already saturated with web application security testing frameworks. We’ve got nikto, jikto, burp, paros proxy, rat proxy, w3af, Metasploit’s wmap, a bunch of commercial tools and tones of browser extensions. Unfortunately, all of them have so many limitations. For example, some of these tools don’t know how to speak to certain protocols. Others, perform the wrong types of detection, i.e. too many false positives. Some of them are too complicated to be any useful while others are aiming to solve problems which are not problems at all.

So, after years of experience with dealing with web application and client-side security vulnerabilities, I realized that we do actually need two types of tools in order to perform the majority of testing in semi-automated fashion. We need server-side and client-side support.

The server-side is already covered to an extend. These are pretty much the testing proxies. Although, almost none of them are perfect, they actually do quite descent job. Unfortunately, we’ve got not that many utilities for the client-side. There are a bunch of FF extensions which help in some ways but almost none of them can be automated or even used in semi-automated fashion. This is where WebAcid comes into place.

WebAcid is hosted, client-side web application framework/toolkit which is designed to provide the tester with client-side testing tools. The WebAcid framework can be loaded as a bookmarklet or a greasemonkey script and it works entirely on the DOM level. Because the bookmarklet and greasemonkey script are loaded in the origin of the application we want to test, we’ve got almost no restrictions on what we can do and we can use the full power of the DOM to perform very complicated tests. This approach is perfect when testing complex ui rich applications as we can pretty much introspect anything while inside the DOM.

WebAcid is really an experiment and only time will tell if it was successful one but I truly believe that this project could revolutionize the web application testing methodologies. Right now, the WebAcid framework provides only two utilities which illustrate how easy it is to automate complicated tests without bothering with cookies, authentication mechanisms, ssl, proxies, etc, i.e. everything works by default. If you browser understands the application so does WebAcid.

My plan is to expand WebAcid as much as I can. If you can help with addons than let’s get together and discuss what we need to do. I promise that WebAcid is very simple and you will find almost no difficulties with the framework. This is what I call a good design: simple but powerful.