8

I wrote my own HTTP server. Is there any free software, test package or toolset to validate whether it complies fully or partially with HTTP 1.0 (RFC 1945)? Moreover, it'd be great if this software could estimate HTTP performance and check for potential security issues. The same is wanted from this software with respect to FTP compliance validation.

pmod
  • 155

6 Answers

2

You could use apachebench for the performance testing.

topdog
  • 3,558
2

This is really a programming issue, but as you have a bounty on the question it will stay here, at least for now.

There are a lot of Firefox add-ons designed for testing and debugging, so have a search through those and see what you think is suitable for you. For security issues there are a lot of different scripts around, but I should warn you that, of those I've tried, the results have been inconsistent and even contradictory, so I'm of two minds about their value.

The single largest issue seen in any software is buffer overflows. They can be a real pain to find at times, because they can be anywhere in the code, and often won't show up under automated testing. When I first started programming for Windows I wrote a program in which a buffer overflow went undetected for more than two years, even though the program was in daily use by several thousand users.

2

I do not know a tool for testing HTTP RFC compliance.

For performance tests, use apachebench as topdog mentioned.

For security testing, I can recommend Nikto and Google's skipfish. Although harder to configure, Nessus is capable too.

weeheavy
  • 4,149
  • 1
  • 30
  • 41
2

Lots of questions here. While I'm sure lots of people will tell you their tool does everything if only you will buy it, there are very few tools available which make a reasonable attempt at any one of these.

For the security side of things, assuming that you are only interested in serving of static content, there is a list of useful software here.

For capacity testing you could use ab, which ships with Apache. You might also consider scripting more complex interactions using LoadRunner ($$$) or HTTP::Recorder and WWW::Mechanize.

Most of the large software packages available as source code come with automatic testing scripts (usually a target in the Makefile, e.g. 'make test') but the Apache build instructions don't mention this - might be worth downloading the src and configuring it to see if it does have test scripts included which could be adapted.

As for performance testing/monitoring - IME there's nothing currently available which is any good (and I include Oracle's Grid Control, BMC Patrol, Google Analytics and a large number of other products in the 'not any good' category). Personally I'm using a home-grown solution which relies on very detailed logging of URL generation (have a look at mod_log_config %D option and mod_log_firstbyte).

One area I've not studied in great depth is passive monitoring - there are tools like vantage agentless but these are very, VERY expensive. PastMon may meet your requirements (it's good and it's free) but you're going to need some specialist and expensive hardware to run it on if you expect to measure what happens when your webserver reaches saturation.

HTH

C.

symcbean
  • 23,767
  • 2
  • 38
  • 58
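The per-URL timing approach mentioned in the answer above (mod_log_config's `%D`, the time taken to serve the request in microseconds), as an added example that is not part of the original answer or the answerer's own tooling. The `LogFormat` line, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format (not from the answer): common log format with %D appended,
#   LogFormat "%h %l %u %t \"%r\" %>s %b %D" timed
# %D is the time taken to serve the request, in microseconds.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[^\s"]+) (?P<url>[^\s"]+)(?: [^"]*)?" '
    r'\d{3} (?:\d+|-) (?P<usec>\d+)$'
)

# Constructed sample lines (documentation addresses, invented timings).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2010:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120 1800
192.0.2.10 - - [10/Mar/2010:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 5120 2100
192.0.2.11 - - [10/Mar/2010:10:00:02 +0000] "GET /cgi-bin/report?id=1 HTTP/1.0" 200 900 420000
192.0.2.12 - - [10/Mar/2010:10:00:03 +0000] "GET /index.html" 200 5120 1950
192.0.2.11 - - [10/Mar/2010:10:00:04 +0000] "GET /cgi-bin/report?id=2 HTTP/1.0" 200 880 510000
192.0.2.13 - - [10/Mar/2010:10:00:05 +0000] "-" 408 - 30000123
192.0.2.10 - - [10/Mar/2010:10:00:06 +0000] "GET /index.html HTTP/1.0" 200 5120 250000
"""

def percentile(sorted_vals, pct):
    """Nearest-rank percentile over an already sorted list."""
    rank = max(1, (pct * len(sorted_vals) + 99) // 100)
    return sorted_vals[rank - 1]

def summarize(log_text):
    """Return ({url: stats}, skipped) with timings in microseconds."""
    per_url, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:  # request field is not 'METHOD URL [PROTO]'
            skipped += 1
            continue
        # Group by path only so query strings do not split one handler.
        per_url[m["url"].split("?", 1)[0]].append(int(m["usec"]))
    report = {}
    for url, times in per_url.items():
        times.sort()
        report[url] = {"count": len(times), "median_us": percentile(times, 50),
                       "p95_us": percentile(times, 95), "max_us": times[-1]}
    return report, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The skipped count is worth watching on a home-grown server: lines that fail to parse often correspond to requests the server itself could not parse.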
0

For code quality (buffer overflows etc.) you can use http://www.coverity.com/. They have picked up so many in open source programs: http://scan.coverity.com/index.html

topdog
  • 3,558
0

You could try some of these:

http://java-source.net/open-source/web-testing-tools

or

http://www.softwareqatest.com/qatweb1.html

Have fun.

Marc Riera
  • 1,697