0

I am interested in doing automated testing against a Flex based UI. I have found out that my best options for UI automation (due to being C# controllable, good licensing conditions, etc) all seem to require that I compile test hooks into my application. Because of this, I am thinking of recommending that these hooks be compiled into our build.

I have found a few places on the net that recommend not deploying bits with this instrumentation enabled, and I'd like to know why. Is it a performance drain, or a security risk? If it is a security risk, can you explain how the attack surface is increased?

I am not a Flash or Flex developer, though I have some experience with threat modeling.

For reference, here are the tools I'm specifically considering:

  • QTP
  • Selenium-Flex API

I am having problems finding all the warnings/suggestions I found last night, but here's an example that I can find:

http://www.riatest.com/products/getting-started.html

Warning! Automation enabled applications expose all properties of all GUI components. This makes them vulnerable to malicious use. Never make automation enabled application publicly available. Always restrict access to such applications and to RIATest Loader to trusted users only.

Related question (how to do conditional compilation to insert/remove those hooks): Conditionally including Flex libraries (SWCs) in mxmlc/compc ant tasks

Merlyn Morgan-Graham

3 Answers

2

Well, I can't think right now of all use cases, but imagine you developed a game with Flex and that you deployed your SWF with the automation libs included. Some people could use automation tools such as QTP or RIATest to simulate user interactions that would be impossible to do manually (i.e. clicking the left mouse button 1500 times a second).

We have many build profiles for our Flex applications. One of them includes automation libs and is used only by our QA Team.

Florian F
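A release gate for the build-profile approach in the answer above, as an added example that is not part of the original thread: it unpacks a built SWF and reports automation class names, so a QA-profile build cannot be published by mistake. The marker string `mx.automation.delegates` and the helper names are assumptions made for this sketch; adjust the markers to whatever your automation tool links in.

```python
import struct
import zlib

# Assumption: automation delegate classes sit under this package, and their
# names are stored as plain UTF-8 strings in the SWF's ActionScript bytecode.
# Tune the list against a known-clean and a known-instrumented build.
AUTOMATION_MARKERS = (b"mx.automation.delegates",)


def swf_body(data: bytes) -> bytes:
    """Return the SWF content after the 8-byte header, decompressed."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    signature = data[:3]
    if signature == b"FWS":  # uncompressed
        return data[8:]
    if signature == b"CWS":  # body is zlib-compressed
        return zlib.decompress(data[8:])
    if signature == b"ZWS":  # LZMA body: fail closed instead of passing
        raise ValueError("LZMA-compressed SWF is not handled by this check")
    raise ValueError("not a SWF file")


def automation_markers(data: bytes) -> list:
    """List the marker strings found in the SWF; empty means none seen."""
    body = swf_body(data)
    return [m.decode() for m in AUTOMATION_MARKERS if m in body]


def make_swf(body: bytes, compressed: bool) -> bytes:
    """Build a constructed, minimal SWF-shaped sample for the demo."""
    signature = b"CWS" if compressed else b"FWS"
    header = signature + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    # Constructed samples: a QA-profile build and a release-profile build.
    qa = make_swf(b"\x00mx.automation.delegates.controls\x00", True)
    release = make_swf(b"\x00mx.controls.Button\x00", True)
    for name, swf in (("qa.swf", qa), ("release.swf", release)):
        found = automation_markers(swf)
        print(name, "FAIL " + ", ".join(found) if found else "OK")
```

Run it against the release artifact in the build pipeline and fail the job when the list is non-empty or the file cannot be parsed.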
0

Here is documentation for conditional compilation hooks of the Flex SDK.

JeffryHouser
  • Thanks for the info. Why would I want to remove the hooks in production? What could they hurt? That's the real question I want answered. – Merlyn Morgan-Graham Jan 16 '11 at 22:34
  • I answered your related question at the end. File size is one consideration. I imagine performance is another [but can't speak from experience w/ that one]. – JeffryHouser Jan 17 '11 at 03:37
0

Clicking 1500 times a second has nothing to do with Flex; we can do the same on non-Flex based applications too, with automation tools.

I am not finding any info on security issues or other issues with Flex based vs non-Flex based application.

Could you provide more details?

greeness
ESR