
A long time ago, Eric Monti, then a member of our team and now at a big startup in SF, wrote a Burp/Ruby bridge called Buby. For a long time, and maybe still, another team member --- Timur Duehr, who also wrote the first version of our Ragweed native code debugger DSL --- maintained it. A lot of people on our team use Buby to automate.

Another faction of our team uses Mike Tracy's WWMD toolkit, which does some of what Burp does but from an irb prompt.

I'm allergic to both approaches and tend to just start from EventMachine and ev-http-request.

Good example of the kind of scenario that'll get me into "writing code to test web apps" mode: testing those goofy cryptographic tokens applications send via email to reset passwords.



"Goofy" cryptographic tokens? Is there a better way?


Not having the tokens be replayable, rewritable to different user IDs, or decryptable would be a good start, right?

Yes: the better approach is to have the token be a 256 bit cryptographically strong random number that corresponds to a row in the database with metadata sufficient to expire the token and invalidate it on password reset.


Ah. So it's not the use of cryptographic tokens per se that you're objecting to -- just that they're not generated and/or handled correctly.


I object in general to the widespread practice of using tokens that contain semantically interesting information protected by encryption.


Got it. Didn't realize that was so widespread.


You'd be surprised to know how often it's just the username encoded in base64...
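As an added example (not code from the thread, nor from Buby, WWMD or any other tool named above), a minimal Ruby token store for the approach described earlier in the thread: the token the user receives is an opaque 256-bit random value, and the user id, expiry and single-use state live only in the server-side row, in contrast to a token that is just an encoded username. The class name, the 15-minute TTL, the in-memory Hash standing in for the database table, and storing a SHA-256 digest of the token rather than the token itself are all assumptions of this example.

```ruby
require 'securerandom'
require 'digest'

# Added example: password-reset tokens backed by a server-side row.
# The in-memory Hash stands in for a database table (assumption).
class ResetTokenStore
  TOKEN_TTL = 15 * 60 # seconds; a constructed choice, not from the thread

  def initialize(now: -> { Time.now })
    @rows = {}   # digest => { user_id:, expires_at:, used: }
    @now = now   # injectable clock so expiry can be tested deterministically
  end

  # Issue a token for a user. Any earlier outstanding token for that user is
  # dropped, so only the most recently requested link works.
  def issue(user_id)
    @rows.delete_if { |_, row| row[:user_id] == user_id }
    token = SecureRandom.urlsafe_base64(32) # 32 bytes = 256 bits of entropy
    @rows[digest(token)] = { user_id: user_id,
                             expires_at: @now.call + TOKEN_TTL,
                             used: false }
    token
  end

  # Returns the user id if the token is valid, otherwise nil. The token carries
  # no user information: the id comes only from the stored row, so the token
  # cannot be rewritten to point at a different account.
  def redeem(token)
    row = @rows[digest(token)]
    return nil if row.nil? || row[:used] || @now.call > row[:expires_at]
    row[:used] = true # single use: a replayed token is rejected
    row[:user_id]
  end

  # Called once the password has actually been changed: remove every token for
  # the account so links from older emails stop working.
  def invalidate_all(user_id)
    @rows.delete_if { |_, row| row[:user_id] == user_id }
  end

  private

  # Rows are keyed by digest, so a leaked copy of the table yields no usable tokens.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```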