This is a virtual machine to help develop tests for the WebAppSec WG's specs. If you're not viewing this in the VM, you can get a copy here: https://dl.dropboxusercontent.com/u/76057758/WebAppSecTestVM.tar.bz2. It is an Ubuntu system that runs in Oracle VirtualBox. The username/password is webappsec/webappsec.
Many W3C recommendations can be tested in a purely browser environment. Lucky them. If your spec has dependencies on the Same Origin Policy, does server-side work, cross-origin work, or depends on HTTP headers, you probably need a server.
This VM attempts to duplicate the production environment the W3C deploys at www.w3c-test.org so you can rapidly develop tests and be confident they will still work once you check them in and execute them on the standard infrastructure.
An Apache2 installation.
The web root is in /var/www. Under this are included:
The VM also includes installs of Opera Next, Chrome Beta and Firefox Aurora for local testing. The web server does bind to the "public" IPs for the VM, so you can also test against it using a browser on your host machine. To do so:
$ sudo ifconfig
to get the machine's IP address.
/etc/ssl/certificates/stardotw3cdashtestdotorg.cer or the root certificate from the VM in /home/webappsec/cybervillainsCA.cer and install it as a trusted root CA in your test browser for https tests.
There's a kind of old and out-of-date presentation from our first test jam available at: https://dl.dropboxusercontent.com/u/76057758/WebAppSec%20Test%20Jam.pdf
The best places to look for example test cases to copy are in /var/www/webappsec/tests/cors/submitted/opera/ (for CORS) and /var/www/webappsec/tests/csp/submitted/WG/ (for CSP)
Test the Web Forward also provides some good introductory material for writing test cases in the W3C framework here http://testthewebforward.org/#resources.
The CSP test suite is managed under the W3C Mercurial repository at https://dvcs.w3.org/hg/
The webappsec repository is already cloned under /var/www/webappsec. To get the latest, open a shell and run:
webappsec@www:~$ cd /var/www/webappsec
webappsec@www:/var/www/webappsec$ hg pull
webappsec@www:/var/www/webappsec$ hg update
You will need a W3C account to commit tests. If you don't have one yet, start here: https://www.w3.org/accounts/request
When you are adding new tests, please create a new subdirectory for your username or organization under "/submitted" for the specification you are targeting. To check in a test:
webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg add myNewTest.html
webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg commit myNewTest.html -u myusername
webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg push
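You will be asked for your username and password to complete the push to the repository. You can edit ~/.hgrc to save your username and password, but be sure to change the webappsec account password on your copy of the VM if you do this: Mercurial keeps the saved password in that file as plain text, and the VM's default account password is published above.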
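One way to check whether a W3C password has ended up in ~/.hgrc, as an added example that is not part of the VM or the repository. It looks for Mercurial [auth] password entries and for passwords embedded in URLs; the "w3c" group name and the sample file contents are constructed for illustration.

```shell
# Added example, not part of the VM: find credentials saved in an hgrc file.
# Print one finding per line; print nothing when no secret is stored.
hgrc_find_secrets() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # remember the current section
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            next
        }
        section == "auth" && /^[ \t]*[^= \t]+\.password[ \t]*=[ \t]*[^ \t]/ {
            print "line " NR ": [auth] password entry"
        }
        $0 ~ "://[^/@:]+:[^/@]+@" { print "line " NR ": password embedded in URL" }
    ' "$1"
}

# Succeed when group or others can read the file (POSIX find, no GNU stat).
hgrc_readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Return 0 when clean, 1 when a secret is stored (findings go to stdout).
hgrc_audit() {
    findings=$(hgrc_find_secrets "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    hgrc_readable_by_others "$1" && echo "mode: readable by group or others"
    return 1
}

# Constructed sample standing in for ~/.hgrc; the "w3c" group name and the
# secret are made up.
write_sample_hgrc() {
    cat > "$1" <<'EOF'
[auth]
w3c.prefix = dvcs.w3.org/hg
w3c.username = myusername
# w3c.password = commented-out
w3c.password = constructed-secret
[paths]
default = https://dvcs.w3.org/hg/webappsec
EOF
}

sample=$(mktemp) && write_sample_hgrc "$sample"
hgrc_audit "$sample" || true    # reports the entry on line 5
rm -f "$sample"
```

On the VM, run hgrc_audit ~/.hgrc after defining the functions; a non-zero exit status means a password is stored in the file.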
This file lives in https://dvcs.w3.org/hg/webappsec/vm. Please update and add to it to help others.