Welcome to the WebAppSec WG Test VM

This is a virtual machine to help develop tests for the WebAppSec WG's specs. If you're not viewing this in the VM, you can get a copy here: https://dl.dropboxusercontent.com/u/76057758/WebAppSecTestVM.tar.bz2. It is an Ubuntu system that runs in Oracle VirtualBox. The username/password is webappsec/webappsec.

Go to the Test Runner.

Why use this VM?

Many W3C recommendations can be tested in a purely browser environment. Lucky them. If your spec has dependencies on the Same Origin Policy, does server side work, cross-origin work, or depends on HTTP headers, you probably need a server.

This VM attempts to duplicate the production environment the W3C deploys at www.w3c-test.org so you can rapidly develop tests and be confident they will still work once you check them in and execute them on the standard infrastructure.

What is here?

An Apache2 installation.

The web root is in /var/www. Under this are included:

The VM also includes installs of Opera Next, Chrome Beta and Firefox Aurora for local testing. The web server does bind to the "public" IPs for the VM, so you can also test against it using a browser on your host machine. To do so:

Writing tests with the W3C testharness.js framework

There's a kind of old and out-of-date presentation from our first test jam available at: https://dl.dropboxusercontent.com/u/76057758/WebAppSec%20Test%20Jam.pdf

The best places to look for example test cases to copy are in /var/www/webappsec/tests/cors/submitted/opera/ (for CORS) and /var/www/webappsec/tests/csp/submitted/WG/ (for CSP).

Test the Web Forward also provides some good introductory material for writing test cases in the W3C framework here: http://testthewebforward.org/#resources.

Working with the test repositories:

Mercurial (Hg):

The CSP test suite is managed under the W3C Mercurial repository at https://dvcs.w3.org/hg/

The webappsec repository is already cloned under /var/www/webappsec. To get the latest, open a shell and run:

webappsec@www:~$ cd /var/www/webappsec
webappsec@www:/var/www/webappsec$ hg pull
webappsec@www:/var/www/webappsec$ hg update

You will need a W3C account to commit tests. If you don't have one yet, start here: https://www.w3.org/accounts/request

When you are adding new tests, please create a new subdirectory for your username or organization under "/submitted" for the specification you are targeting. To check in a test:

webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg add myNewTest.html

webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg commit myNewTest.html -u myusername

webappsec@www:/var/www/webappsec/tests/csp/submitted/myusername$ hg push

You will be asked for your username and password to complete the push to the repository. You can edit ~/.hgrc to save your username and password but be sure to change the webappsec account password on your copy of the VM if you do this.
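
As an added example (not part of the original VM documentation), a ~/.hgrc that saves only the username for the W3C repository, using Mercurial's [ui] and [auth] sections. The group label "w3c" is an arbitrary name chosen here and "myusername" is the placeholder used above.

```ini
# ~/.hgrc  (added example; "w3c" is an arbitrary label, "myusername" a placeholder)

[ui]
# Default committer name, so "-u myusername" is not needed on hg commit
username = myusername

[auth]
# This entry is used only for URLs matching the prefix, and only over https
w3c.prefix = dvcs.w3.org/hg
w3c.schemes = https
w3c.username = myusername

# Weak setting: uncommenting the next line stores the W3C password in
# plaintext in this file, readable by anyone who can log in as webappsec
# (default password webappsec) or otherwise read the file.
# With the line left out, hg prompts for the password on each push.
# w3c.password = <your W3C password>
```

If you do store the password, change the webappsec account password with passwd first and restrict the file with chmod 600 ~/.hgrc.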

Still confused? Help with this documentation.

This file lives in https://dvcs.w3.org/hg/webappsec/vm. Please update and add to it to help others.