Testing HTML5 Applications

There are two kinds of test tool vendors in the world. Those that count in binary and those that don’t. Okay, stale joke aside, there are those that test applications (like Mercury, now part of HP, IBM, etc.) and those that test the infrastructure (like IXIA, Spirent, etc.). Mu was founded on the premise that this boundary is blurring rapidly and there needs to be a new kind of testing solution that spans the layers between applications and infrastructures and looks at the service as a whole. As we look into the imminent future of HTML5 and the innovation in mobile and cloud apps, you can see this in play right now. And yet all these test tool vendors are lagging behind this brave new world.

HTML5

Here’s what Wikipedia has to say about HTML5:

The HTML5 specification was adopted as the starting point of the work of the new HTML working group of the World Wide Web Consortium (W3C) in 2007. This working group published the First Public Working Draft of the specification on January 22, 2008.[3] The specification is an ongoing work, and is expected to remain so for many years, although parts of HTML5 are going to be finished and implemented in browsers before the whole specification reaches final Recommendation status.

While the standards are still evolving, the browsers (Chrome and Safari nightly) are already starting to implement large subsets of the evolving specifications and users are building bleeding-edge applications. HTML5 has native support for audio and video and pushes DHTML and Ajax even further. If you thought testing Web 2.0 (with mashups and XMLHttpRequest) was hard, wait until you see Web Sockets!

Web Sockets

Web Sockets are an extension to the HTTP protocol that allow applications to start a simple HTTP request and upgrade the connection to support any protocol that the application developer wants! While the current spec doesn’t include binary framing, I can definitely see someone get creative and start sending ASN.1, Thrift, Protocol Buffers and please-don’t-do-it-ASN.1-with-Packed Encoding Rules.

This is important. Let me reiterate:

With Web Sockets, it’s not just about HTTP/HTML/XML/JSON testing anymore. It could be any protocol the application developers deem appropriate! That means application testing tools just went from importing a Java package for XML parsing to supporting the complexities and encodings only found in the RFCs and ITU specifications near you. There are no ready-to-go Java packages for all these protocols.

I’ve uploaded a capture of a simple chat application available at jWebSocket using a nightly Safari build to pcapr. Here’s the annotated Follow TCP stream view from Wireshark:

[Image: wireshark.png]

You can see that this application uses a fairly simple JSON RPC with the 0xFF framing. In other words, whatever it sends bi-directionally (full-duplex) is encapsulated between 0x00 and 0xFF like this:

\x00{"type":"login","username":"anonymous","password":"","pool":null,"utid":10}\xFF

Now testing this becomes interesting. If you want to simulate lots of different users with different passwords chatting with each other, you need to parametrize these JSON entries and run them all. And what about fuzzing this chat application from a security and resilience perspective? Remember there are no specifications, no RFCs and no standards on the application transaction. So how do you test this?
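
To make the framing and the parametrization concrete, here is an added Python sketch (not part of the original post and not Mu Studio code). It frames and incrementally deframes the 0x00 ... 0xFF messages, generates per-user login frames, and produces one-field-at-a-time boundary-value test cases for a test server you run yourself. The usernames, the boundary values and the treatment of utid as a per-message counter are assumptions.

```python
import json

# Constructed from the login message shown above.
TEMPLATE = {"type": "login", "username": "anonymous", "password": "",
            "pool": None, "utid": 10}

def frame(message):
    """Wrap one JSON message in the 0x00 ... 0xFF framing."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    return b"\x00" + body + b"\xff"

class Deframer:
    """Incremental parser: a TCP read may carry a partial frame or several."""
    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        messages = []
        while self.buf:
            if self.buf[0] != 0x00:
                raise ValueError("frame does not start with 0x00")
            end = self.buf.find(b"\xff")  # 0xFF never occurs in valid UTF-8
            if end < 0:
                break  # incomplete frame, wait for more bytes
            messages.append(json.loads(self.buf[1:end].decode("utf-8")))
            del self.buf[:end + 1]
        return messages

def logins(users):
    """One login frame per (username, password) pair.
    Assumption: utid is a per-message counter, so it is incremented."""
    return [frame({**TEMPLATE, "username": u, "password": p,
                   "utid": TEMPLATE["utid"] + i})
            for i, (u, p) in enumerate(users)]

def field_mutations(message):
    """Yield (field, frame) test cases that change exactly one JSON field
    to a boundary value, keeping the framing and other fields valid."""
    boundary = ["", "A" * 4096, None, -1, 2**31, [], {}]
    for key in message:
        for value in boundary:
            if value != message[key]:
                yield key, frame({**message, key: value})
```

Because each case changes a single field, a crash or malformed reply from the server under test can be traced back to the field that triggered it.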

Testing with Mu Studio

Our approach to testing is to simply capture the application traffic and then replicate the chat transaction that includes the 0xFF framing, the HTML5 upgrade mechanism, etc. This works across all layers and across any protocol! Here’s the resulting call-flow that Studio was able to create for this chat application:

[Image: websocket.png]

With full parametrization for functional testing and automatic field-aware fuzzing, you can start testing HTML5 apps now, well before the standards are all ratified! This is just a start. Expect more blogs that talk about other types of testing in the brave new world of HTML5 apps. Things are about to get a whole lot more exciting!
