Web Security Testing Cookbook by Paco Hope, Ben Walther

cURL(http://curl.haxx.se/) is a command-line URL tool that is ideal for automating simple web testing tasks. If you have a smoke test that you want to run that consists of simply visiting a lot of pages, cURL is for you! If you have some relatively straightforward use cases that you want to model—for example log in, upload a file, log out—cURL is an excellent tool. If you have test cases that require odd parameters passed in URLs, cURL’s support for automation can do a lot of heavy lifting for you. In this chapter, we explore the basic and advanced features of cURL, but with an eye toward how you can use them to test for security problems in a web application.

Back in Chapter 2, we showed you how to install cURL, and we assume you have done that. cURL’s simplicity is a wonderful thing. After you have the cURL (or curl.exe) program, you’re done. That’s all you need to run these tests. Typically, however, a full test case with cURL involves running it several times with different parameters. Consequently, we usually wrap cURL in some sort of shell script or batch file. Windows users who are at all comfortable with Unix should strongly consider installing Cygwin (also discussed in Chapter 2). We are going to use some very simple Unix commands in these recipes, but we will achieve some pretty powerful effects as a result. The same effects would be substantially ...