Right, so if you read my previous post, you’d know that we’re testing for authorization weaknesses in all the exposed Web services. So, for example: we’d really like to know whether an anonymous user could create a new folder or delete an existing guidance item. However, since there are so many (121) methods, we need to find a way to test all of them accurately across all 3 types of users [anonymous, reader and editor]. And no, like I said at the end of the last post and as Dinis alluded to on his blog, I’m not a big fan of doing it manually at all 🙂 = Automate. Somehow. But automate.
Now, I’m an ardent fan and follower 😉 of the KISS principle. So, in keeping with that, the simplest thing would have been for me to write some code in .NET to automate the calling of each method. I could also have re-used any code that Dinis had written, which would have saved me some time, because the TeamMentor backend is written in .NET. Sadly though, I have very little idea of programming in a .NET environment. I’ve done plenty of black box tests on .NET apps, but never a source code review or a programming project. So .NET was out.
I can code “OK” in Perl, Python or Ruby. I now needed to find out which language let me talk to Web Services best. So I found SOAP::Lite for Perl, SOAPpy, ZSI and Suds for Python, and something for Ruby which I don’t remember now. But the point is, all 3 had support. Since I learnt Python most recently and liked it quite a bit, I decided to dig a little deeper into its modules. I read a little about SOAPpy and plenty of posts on stackoverflow about which was the best.. and to cut a long boring story (which is already putting you to sleep) short… I plumped for Suds. Yes, I’m done and you should read on 😉
I use Ubuntu 10.04 and Python 2.6.5 as my OS and development platform. I used apt to quickly install the python-setuptools package, downloaded the latest version of Suds (tarball), set it up and checked if it worked. It did.
Now that Suds was working on my machine, I needed to start writing code which would query the WSDL and give me a list of the 121 methods so I could do “something” with them. The Suds documentation is quite neat and Lord Google had tons of examples anyway, so I could come up with some working code quite quickly. Dinis linked to my sample code in his post, but here it is again. Yay! It works. And handles authentication too.. so that’s a relief.
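As an added illustration of where this goes next (my own sketch, not the sample code linked above): once Suds has handed you the method list, the actual authorization test is a matrix of method × role, where every method is called once per role and any call that succeeds for a role the policy does not allow is a finding. The harness assumes one suds `Client` per role, a constructed sample policy, and that the backend signals denials in its SOAP fault text; the attribute path in `list_methods` is the real suds layout.

```python
# Added example, not the post's own script. Role names, the sample POLICY and
# the fault wording are constructed assumptions; a real run would build one
# suds.client.Client per role (anonymous, reader, editor) and pass them in.
ROLES = ("anonymous", "reader", "editor")

# Expected policy: roles allowed to call each method. Unlisted methods are
# treated as editor-only, the conservative default.
POLICY = {
    "GetGuidanceItem": {"anonymous", "reader", "editor"},
    "CreateFolder": {"editor"},
    "DeleteGuidanceItem": {"editor"},
}

def list_methods(client):
    """Method names exposed by the first service/port of a suds Client."""
    return sorted(client.wsdl.services[0].ports[0].methods.keys())

def classify(call):
    """Reduce one call's outcome to 'allowed', 'denied' or 'error'."""
    try:
        call()
        return "allowed"
    except Exception as exc:   # suds raises WebFault for SOAP faults
        text = str(exc).lower()
        if any(w in text for w in ("authoriz", "authentic", "permission", "denied")):
            return "denied"
        return "error"         # transport error, bad arguments, server bug...

def build_matrix(clients, methods):
    """clients: {role: suds Client}. Returns {method: {role: outcome}}."""
    matrix = {}
    for method in methods:
        matrix[method] = {}
        for role, client in clients.items():
            # called without arguments: what matters is whether the access
            # check fires before argument validation, not a useful result
            matrix[method][role] = classify(getattr(client.service, method))
    return matrix

def findings(matrix, policy=POLICY):
    """(method, role) pairs where a role got through although policy forbids it."""
    out = []
    for method, outcomes in matrix.items():
        allowed = policy.get(method, {"editor"})
        out.extend((method, role) for role, outcome in outcomes.items()
                   if outcome == "allowed" and role not in allowed)
    return sorted(out)
```

Calls classified as "error" deserve a second look by hand, since a backend that answers a missing access check with a generic fault would otherwise hide a denial that never happened.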
Great. It’s usually those initial few days of learning a new language or a new module that are the hardest; but really that wasn’t the case with Suds. Low learning curve. Check. Good documentation. Check. Transition to “Hello World”. Check. Will it do what I want it to do? Check. Is it the “BEST” library around? Don’t know. Don’t care :).
Next time I’ll expand on my “coding” thought process a little more as well. Until then … Adios Amigos 🙂