If you are a Web application developer or a Web automation testing engineer, you will be interested in understanding the issues that your apps could face and also how Web servers work under load conditions. This article presents a selection of open source tools that can test your Web application.
An important phase of Web application development is testing. It helps us to address issues before the application is made open to the public. The security of the Web apps, their basic functionality, their accessibility, and multi-device and cross-browser support can be tested, apart from measuring the overall performance of the apps. Testing ensures that the Web application can handle significant traffic and a number of concurrent users, apart from having the ability to cater to a massive spike in user traffic.
Popular open source tools to test your Web application are: JMeter, Selenium, OpenSTA (Open System Testing Architecture), The Grinder (Generic Jython load tester), Vega, SiteDigger, Nmap, Sahi, Wapiti, Siege, Browsershots, IE NetRenderer, etc.
Let us delve deeper into some of the more popular testing tools among these.
Apache JMeter is an open source load testing tool, written in Java, that runs on all platforms with a Java runtime. It was originally designed for testing Web applications, but has since expanded to other test functions. Apache JMeter is one of the most reliable tools for testing the performance of a Web application.
Its features are:
- Supports different server/protocol types: Web – HTTP, HTTPS, SOAP/REST, FTP, Database via JDBC, LDAP, message-oriented middleware (MOM) via JMS, Mail – SMTP(S), POP3(S) and IMAP(S), MongoDB (NoSQL), Native commands/shell scripts, TCP.
- A full multi-threading framework allows concurrent sampling by many threads and simultaneous sampling of different functions by separate thread groups.
- A well-planned GUI design allows faster test plan building and debugging.
- Caching and offline analysis/replaying of test results.
- Plugin support for data analysis and visualisation; pluggable samplers allow unlimited testing capabilities.
Apache JMeter can be used to test performance on both static and dynamic resources (Web services – SOAP/REST; Web dynamic languages – PHP, Java, ASP.NET, files, etc; Java objects, databases and queries, FTP servers and more). It can be used to simulate a heavy load on a server, a group of servers, network or object to test its strength, or to analyse overall performance under different load types. You can use it to make a graphical analysis of performance or to test the behaviour of your server, script and object under a heavy concurrent load.
Selenium is one of the most popular open source testing tools for Web applications. It was originally developed by Jason Huggins in 2004 for testing an internal project at ThoughtWorks.
Selenium supports automation testing of Web based applications on browsers from some of the largest browser vendors. It has five basic components: the Selenium IDE, the Selenium Remote Control, the Selenium WebDriver, the Selenium Grid and the Selenium Client API (introduced in Selenium 2). The Selenium IDE is a Firefox add-on for record-and-playback Web application tests. WebDriver communicates directly with the Web browser and uses the browser's native automation support to drive it.
OpenSTA (Open Systems Testing Architecture)
OpenSTA is a GUI-based Web server benchmarking utility. The current toolset has the capability to perform scripted HTTP and HTTPS heavy load tests with performance measurements from Win32 platforms.
OpenSTA collects results and statistics during test runs by a variety of automatic and user controlled mechanisms. These include scripted timers, SNMP data, Windows Performance Monitor stats and HTTP results and timings. Much of the data logged can be monitored live during the test runs; once test runs are complete, logs can be viewed, graphed, filtered and exported for use by more sophisticated report generation software.
The Grinder is a Java load testing framework that makes it easy to run a distributed test using many load injector machines. The Grinder was originally developed by Paco Gómez and Peter Zadrozny.
Its key features are:
- Can load test anything that has a Java API. This includes common cases such as HTTP Web servers, SOAP and REST Web services, and application servers (CORBA, RMI, JMS, EJBs), as well as custom protocols.
- Supports powerful scripting languages like Jython and Clojure.
- It has a distributed framework, with a user-friendly graphical console that allows multiple load injectors to be monitored and controlled, and provides centralised script editing and distribution.
- Mature HTTP support: automatic management of client connections and cookies, SSL, proxy awareness, connection throttling, and sophisticated record-and-replay of the interactions between a browser and a website.
Vega is a free open source website security testing tool. It is GUI based, written in Java, and runs on Windows, Linux and OS X. Vega can help you find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
Vega is developed by Subgraph, an open source security startup based in Montreal, Canada. It supports automated scanning and has an intercepting proxy testing mode. In automated scanner mode, it automatically trawls websites, extracting links, processing forms, and running modules for possible injection points it discovers. These modules can do things like automatically submitting requests that fuzz parameters, for example, to test for things like cross-site scripting (XSS) or SQL injection.
The intercepting proxy mode allows you to test Web applications through the proxy server. When a browser uses the Vega proxy, requests and responses are visible to Vega. It can be configured with breakpoints and interception criteria for outgoing requests (from the browser) or incoming responses (from the server).
SiteDigger is an open source tool to examine Google's cache for errors, vulnerabilities, configuration issues, proprietary information and interesting security nuggets on websites.
SiteDigger runs on a Windows machine and requires the Microsoft .NET Framework v3.5. SiteDigger doesn't require a Google API licence key. Its features include proxy support, real-time results, configurable result sets, etc.
Nmap (Network Mapper) is a free and open source tool for network discovery and security auditing.
It can be installed on Linux, Microsoft Windows, BSD variants like Mac OS X, AmigaOS, Solaris, HP-UX, and the SGI IRIX operating system. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
The Sahi open source version includes the following feature set that is sufficient for most testing purposes.
- Records on all browsers
- Plays back on all browsers
- HTML playback reports
- JUnit style playback reports
- Suites and batch run
- Parallel playback of tests
Wapiti is a Web security auditing tool that allows you to test the vulnerability of your Web application. It performs black-box testing, which means it does not look into the source code of the application, but will scan the Web pages of the deployed Web app looking for the scripts and forms where it can inject data.
Wapiti supports both GET and POST HTTP methods. It also supports multi-part and can inject payloads in file names (upload). It displays a warning when an error is found (for example, 500 errors and timeouts). It can identify permanent and reflected XSS vulnerabilities.
Wapiti can detect the following vulnerabilities:
- File disclosure
- Database injection
- Command execution detection
- CRLF injection (HTTP response splitting, session fixation, etc)
- XXE (XML External Entity) injection
- Use of known and potentially dangerous files
- Weak .htaccess configurations that can be bypassed
- Presence of backup files giving sensitive information (source code disclosure)
Siege is a simple load testing and benchmarking tool. It supports the GET and POST methods, handles cookies, and can test your Web servers over HTTP, HTTPS and FTP. You can test a single URL or multiple URLs in one run. Siege is designed to let Web developers measure their code under high traffic, to see how it handles load on the Internet.
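Both JMeter (thread groups sampling concurrently) and Siege (a fixed number of concurrent users hammering a URL) rest on the same mechanism: many parallel clients time each request and the results are reduced to throughput and latency percentiles. The block below is an added example written for this article, not code from either project. It starts a constructed stand-in server on a loopback port (so it runs offline), drives it with a pool of worker threads, and reports requests per second, failures, mean, 95th-percentile and maximum latency; the concurrency and request counts are parameters you would raise when testing a real deployment.

```python
import http.server
import socketserver
import statistics
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor


class _SlowHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the app under test: answers every GET after a
    fixed 10 ms delay so the latency figures are meaningful."""

    def do_GET(self):
        time.sleep(0.01)
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request server logging
        pass


def start_test_server():
    """Bind the stand-in server to an ephemeral loopback port; returns (server, base_url)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _SlowHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _one_request(url):
    """Time a single GET; returns (elapsed_seconds, status) with status None on error/timeout."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            resp.read()
            status = resp.status
    except Exception:
        status = None  # a timeout or connection error counts as a failed sample
    return time.perf_counter() - start, status


def load_test(url, concurrency, requests_per_worker):
    """Issue concurrency * requests_per_worker GETs using `concurrency` parallel
    workers (JMeter's thread group / Siege's concurrent users) and summarise."""
    total = concurrency * requests_per_worker
    wall_start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(_one_request, [url] * total))
    wall = time.perf_counter() - wall_start
    latencies = sorted(t for t, _ in results)
    return {
        "requests": total,
        "failures": sum(1 for _, s in results if s != 200),
        "requests_per_second": total / wall,
        "mean_ms": statistics.mean(latencies) * 1000,
        "p95_ms": latencies[int(0.95 * (len(latencies) - 1))] * 1000,
        "max_ms": latencies[-1] * 1000,
    }


def run_demo(concurrency=8, requests_per_worker=5):
    """Spin up the stand-in server, load it, tear it down, and return the summary."""
    server, base_url = start_test_server()
    try:
        return load_test(base_url + "/", concurrency, requests_per_worker)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:>20}: {value:.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

To point this at a real application, replace the stand-in with the deployment's URL in load_test; the failure count is the number to watch first, since a server that stays fast by dropping connections under load looks healthy on latency alone.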
Browsershots is a free, open source, online cross-browser testing utility. It allows you to test website browser compatibility from a single place, and makes screenshots of your Web design in different operating systems and browsers. When you enter any Web URL in Browsershots to test it, it will be added to the job queue and your website will be evaluated on all the selected browsers on their servers. Once this processing has been done, your test results screenshots will be uploaded to the central dedicated server.
Supported browsers are Firefox, Google Chrome, Opera, Safari, Minefield, Arora, Dillo, Rekonq, Midori, Konqueror, Iceweasel, Iceape, Lynx and MSIE.
IE NetRenderer is a utility to test your website's browser compatibility in different versions of Internet Explorer. Supported IE versions are 11, 10, 9, 8, 7, 6 and 5.5. This online tool is similar to Browsershots; you just need to enter your Web URL on IE NetRenderer and it will display the consolidated results on the same screen.