Testing web applications and web services

Shalom Carmel, CTO
Quite often, your web application, web site, AJAX code or web service does not work in the way you expect it to.
In these cases, it may be necessary to "look under the hood" of the HTTP protocol and to look at either client requests, server replies or both.
You also need the ability to resend some requests over and over again, especially when dealing with AJAX and web services.

The explanations assume some knowledge of XML, HTML, and HTTP, as well as scripting skills.
 

1. Web Services


Debugging web services can be a major pain in the backside. Luckily for us, there is a set of tools and techniques that can help us simulate and trace web services and AJAX requests.
These tools are described as test tools, but I've successfully used them in production environments as a way to invoke web services and web server side actions from custom scripts.

Conventions used in all of the tool usage descriptions:
* <action> = the web service action to initiate
* <xmlfile> = an XML file with the entire SOAP envelope and payload
* <outputfile> = where you want to save the results
* <SOAPUrl> = the web service address URL

====Testing using curl====
curl is a command-line tool that supports all URL protocols. It is available for multiple platforms and can be found here: http://curl.haxx.se/ .
It can be easily used for regular web sites, and works well with SOAP and WS.

 
curl --request POST --header "SOAPAction: <action>" --header "Content-type: text/xml" --data @<xmlfile> -o <outputfile> <SOAPUrl>



====Testing using SOAPClient4XG (SOAP client For XML Geeks)====
See IBM DeveloperWorks web site at http://www-128.ibm.com/developerworks/xml/library/x-soapcl/
A light Java SOAP client.

 
 
java -cp . SOAPClient4XG <SOAPUrl> <xmlfile> <action> > <outputfile>


2. Reverse proxies



====Using the Apache SOAP TCP Tunnel====
This used to be a part of the original Apache SOAP project distribution. It is no longer available from the Apache web site, but if you still use the SOAP distribution you may find it useful.
The tool opens a panel that traces the HTTP transport details.

Usage:
 
 
 
java -cp lib/soap.jar org.apache.soap.util.net.TcpTunnelGui <localPort> <remoteHost> <remotePort>



====Using the Axis TCPMonitor====
Available as part of the Axis distribution, this utility replaces the Apache SOAP TCP tunnel.
The tool opens a panel that traces the HTTP transport details.  
You can modify the request and resend it, so it is also excellent for debugging and auditing web applications.

Multiple connections can be defined on different ports, and the utility can be used both as a regular proxy and as a reverse proxy.

Axis documentation: http://ws.apache.org/axis/java/user-guide.html#AppendixUsingTheAxisTCPMonitorTcpmon

Get the Axis distribution here: http://www.apache.org/dyn/closer.cgi/ws/axis/


====Using stunnel to trace https sessions====
Some tools, like the TCPMonitor, support only standard HTTP sessions and can't be used with HTTPS over SSL. A utility like stunnel can be used to enable HTTPS support.

http://www.stunnel.org/

Example: We have a web server called intranet.us.mycorp.corp that requires an HTTPS connection. In stunnel, define the configuration file as shown in the stunnel listing at the end of this article.

Start stunnel, then start TCPMonitor and set it to listen on port 80 and forward to localhost on port 88.

 

3. 1337 h4x0rs


These are tools usually used in penetration testing, and are often very helpful when debugging web applications and web services.

=====Burp=====
A Java proxy for penetration testing (PT)
http://www.portswigger.net/proxy/

=====Paros=====
A Java proxy for penetration testing (PT)
http://www.parosproxy.org

=====Achilles=====
An old-timer proxy but still useful.
http://www.mavensecurity.com/achilles

 

4. Client side tracing


=====Tamper Data Firefox add-on=====
https://addons.mozilla.org/en-US/firefox/addon/966

=====Fiddler=====
http://www.fiddlertool.com/fiddler/

=====IBM Page Detailer=====
http://www.alphaworks.ibm.com/tech/pagedetailer

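stunnel configuration file for the intranet.us.mycorp.corp example in "Using stunnel to trace https sessions":

client = yes

[https]
accept  = 88
connect = intranet.us.mycorp.corp:443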
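
A stricter variant of the stunnel configuration above, as an added example that is not part of the original article: it binds the cleartext listener to loopback and makes stunnel authenticate the server before forwarding traced traffic. The `CAfile` path is an assumption (a common Linux CA bundle location); point it at the CA that issued the intranet server's certificate.

```ini
; Constructed example: stunnel in client mode for the tracing chain
;   client -> TCPMonitor (port 80) -> stunnel (port 88) -> intranet.us.mycorp.corp:443
; Traffic between the client, TCPMonitor and stunnel is cleartext HTTP, so
; anything that can reach port 88 can use the tunnel and see the session.

client = yes

[https]
; Accept only from this machine. A bare "accept = 88" listens on every
; interface and exposes the cleartext side of the tunnel to the network.
accept  = 127.0.0.1:88
connect = intranet.us.mycorp.corp:443

; stunnel does not check the server certificate unless told to.
; Require a chain that ends in a trusted CA.
verifyChain = yes

; Assumption: path to the CA bundle on this machine.
CAfile = /etc/ssl/certs/ca-certificates.crt

; Require the certificate to be issued for the host being debugged,
; not just for any host signed by a trusted CA.
checkHost = intranet.us.mycorp.corp
```

With this file TCPMonitor still forwards to localhost on port 88 as described, so it must run on the same machine as stunnel. Stop stunnel when the trace is finished, since the listener stays open for as long as it runs.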
