AUTOMATING SECURITY TESTS WITH SELENIUM
By Brady Vitrano & Charles Neill
Presented to OWASP San Antonio
March 20th, 2015
Agenda
• The goals
• Selenium/Tools/Language Introduction
• Security Engineering Introduction
• Create and run security tests
• Scalable Testing with the Grid
• Takeaways
• Q&A
• Git Repo - https://github.com/cneill/selenium-security-stuff
The Goals
• Understand the Selenium framework for UI automation testing
• Learn why Selenium is a useful framework for frontend security testing
• Learn to create simple functional test cases using Selenium
• Learn to create simple security test cases using Selenium
What is Selenium?
• What is Selenium?
  – Earth Metal
  – Atomic Number: 34
  – Atomic Weight: 78.96
  – Tool to control web browsers and devices
• Selenium Modes
  – WebDriver API
    • Supports remote browsers
  – Selenium IDE Recorder
    • Runs locally
Browser Automation with Selenium
• WebDriver Pros
  – Scripts written to perform browser actions that simulate a web user
  – Tests against various browsers and devices
  – Flexible enough to handle frequent code changes
  – Watch scripts run against a live browser
  – Scalable with Selenium Grid
• WebDriver Cons
  – Simulates user actions but does not support scrolling
  – Must hack around shortcomings with JavaScript
  – WebDriver tends to be out of date with frequent browser updates
• IDE Pros
  – Quick and temporary solution
• IDE Cons
  – Manual process (SLOW)
  – Requires tons of maintenance
  – Breaks frequently due to outdated tests
  – Does not run remotely
• IDE NOT RECOMMENDED
Technical Overview
• Selenium WebDriver
  – REST API based; works with various browsers and devices
  – JSON Wire Protocol
    • https://code.google.com/p/selenium/wiki/JsonWireProtocol
  – W3C WebDriver (Draft, 11 Feb 2015)
    • https://w3c.github.io/webdriver/webdriver-spec.html
• Programming Languages
  – Python (covered today)
  – Ruby (Merlot – Rackspace gem)
  – JavaScript (Protractor)
  – Java (???)
Using Selenium / Examples
www.rackspace.com
The very basics of a webpage functionality test:
• pip install selenium
• Visit the webpage of interest
• Access the elements on the page
Explanation:
Here we simply create a Firefox browser object, which causes a Firefox window to launch.
Next we tell Firefox to navigate to http://seleniumhq.org/, which loads the requested website.
Selenium / Examples
Example 1:
• open a new Firefox browser
• load the Yahoo homepage
• search for "seleniumhq"
• close the browser
Selenium / Examples - Page Elements
Elements can be accessed in many ways:
• Element type: input, button
• Element attribute: name, id, value
• XPath
User actions that can be emulated:
• Click
• Filling out text fields (sending keys)
Selenium / Examples – How to access page elements
• There are several different ways the WebDriver can find HTML elements.
One of the most commonly used accessors is browser.find_element_by_css_selector()
This works off of CSS selectors (similar to Sizzle/jQuery's selection system).
IPython is a helpful way to explore the Selenium API; tab completion will help you find interesting methods.
Security Engineering Introduction
• Part of Quality Engineering
• Focus on security testing of different practice areas
• Integrate with the project team as a security resource
• Provide security testing
  – Infrastructure security testing
  – Web application security testing
  – API security testing
Common Security Vulnerabilities for Web Applications
• Injection (such as SQL, OS, LDAP injection)
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
SQL Injection
    select * from Users where username = 'submittedUser' and password = 'submittedPassword';
Submitted values:
    username=admin
    password=bad' or 1=1--
Resulting query:
    select * from Users where username = 'admin' and password = 'bad' or 1=1--;
• Authentication bypass
• Read sensitive data from the database
• Modify database data
• Execute administrative operations
• Local file system access
• Run operating system commands
• …
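The login query from the slide, run both the way the slide builds it (the submitted values glued into the SQL text) and with bound parameters, against an in-memory SQLite database. This is an added example, not code from the deck or from the cneill/selenium-security-stuff repository. The Users rows are constructed, and the plaintext password column only mirrors the slide's query; a real application stores and verifies a password hash instead.

```python
import sqlite3


def setup_db():
    """In-memory SQLite with a Users table shaped like the slide's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT, is_admin INTEGER)")
    # Constructed sample rows; plaintext passwords only to mirror the slide's query.
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery", 1), ("guest", "guest", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query built by string concatenation: the input becomes SQL syntax."""
    sql = (
        f"select * from Users where username = '{username}' "
        f"and password = '{password}';"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is only ever compared as data."""
    sql = "select * from Users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_authenticated(rows):
    """The application's decision: any returned row logs the user in."""
    return len(rows) > 0


def demo():
    """Run the slide's bypass payload through both versions of the query."""
    conn = setup_db()
    bypass = "bad' or 1=1--"  # the payload from the slide
    return {
        "vulnerable_bypass": is_authenticated(login_vulnerable(conn, "admin", bypass)),
        "vulnerable_wrong_pw": is_authenticated(login_vulnerable(conn, "admin", "bad")),
        "safe_bypass": is_authenticated(login_safe(conn, "admin", bypass)),
        "safe_correct_pw": is_authenticated(
            login_safe(conn, "admin", "correct-horse-battery")
        ),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: authenticated={result}")
```

With the concatenated query the `--` turns the closing quote into a comment and `or 1=1` makes the WHERE clause true for every row, so the bypass returns both users and the application treats that as a successful login. With placeholders the same string is compared literally against the password column and matches nothing.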
XSS
    <?php
    $name = $_GET['name'];
    echo "Welcome $name<br>";
    echo "<a href=\"http://xssattackexamples.com/\">Click to Download</a>";
    ?>
Request:
    index.php?name=guest<script>alert('attacked')</script>
Rendered output:
    Welcome guest <script>alert('attacked')</script>
• Session stealing
• Malware installation
• Phishing
• HTML5 Storage Compromise
• Compromising Credentials
• Cross Site Request Forgery Attack
• Cookie Stealing
• Identity Theft
• …
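The slide's index.php, as an added Python example (not from the deck or its repository), beside the version a fix would produce: the only change is output encoding of the echoed parameter. `name_from_request` stands in for `$_GET['name']`; the request URL is the one on the slide.

```python
import html
from urllib.parse import parse_qs, urlsplit


def name_from_request(request_url):
    """What $_GET['name'] receives for the slide's index.php?name=... request."""
    return parse_qs(urlsplit(request_url).query).get("name", [""])[0]


def welcome_vulnerable(name):
    """Same defect as the PHP on the slide: the parameter is echoed straight into HTML."""
    return f"Welcome {name}<br>"


def welcome_safe(name):
    """Output encoding: <, >, &, ' and " become entities, so the browser renders
    the value as text and never executes it."""
    return f"Welcome {html.escape(name, quote=True)}<br>"


def looks_like_reflected_xss(rendered, payload):
    """The cheap check a test can make: did the raw payload survive into the response body?"""
    return payload in rendered


PAYLOAD = "<script>alert('attacked')</script>"  # the probe from the slide
REQUEST = f"index.php?name=guest{PAYLOAD}"

if __name__ == "__main__":
    name = name_from_request(REQUEST)
    print(welcome_vulnerable(name))
    print(welcome_safe(name))
```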
Why Scripted Tests?
• Don't we want to just throw some fuzz strings at the app and hope it returns a 500 error?
  – We want to eliminate false positives, because we might not be around to watch the test execution and dig through it manually (e.g. if this is being run in a Jenkins gating job)
• Writing test cases is harder than just loading a wordlist into Burp
  – Sure, the first time! But once you write some code, you can re-use it over and over again, and you can define success/failure in a more detailed way for each test
Why Selenium?
• Run tests with real-world browsers, and inspect tests in the browser if you want
• Flexible test running – you can run tests locally, or spin up a whole cluster of headless nodes to test in parallel
• Ability to manipulate the page in a more "natural" way with Selenium, unlike tools that don't emulate or control a browser
  – Manipulate the DOM
  – Work with JavaScript directly
Why Selenium? (Cont'd.)
• Bindings in many languages (Python, Ruby, Java…)
• Catch pop-ups as they occur – this is a great way to verify XSS
• Search the DOM with CSS selectors (similar to jQuery)
• Inject JavaScript, cookies, and browser extensions on-the-fly
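An added example, not code from the deck or its repository, that puts the earlier slides together: the Firefox object and `get()` from "Using Selenium / Examples", the CSS-selector lookup and `send_keys` from "Page Elements", and the "catch pop-ups" idea from this slide, organised so that success and failure are defined precisely, as "Why Scripted Tests?" asks. The probe carries a random per-run marker, so a pop-up is only counted as a hit when its text is our marker, which keeps a site's own alerts from producing false positives. Assumptions: Selenium 4's API (`find_element(By.CSS_SELECTOR, ...)` replaces the deck's `find_element_by_css_selector()`, which Selenium 4 removed); the target URLs and the `input[name=q]` selector are placeholders; geckodriver reports the text of an alert it dismisses during navigation through `UnexpectedAlertPresentException.alert_text`. `classify()` needs no browser, and the verification below exercises it alone.

```python
import secrets
from urllib.parse import urlencode

try:  # selenium is only needed for the browser-driven functions, not for classify()
    from selenium import webdriver
    from selenium.webdriver.common.by import By
    from selenium.webdriver.common.keys import Keys
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait
    from selenium.common.exceptions import TimeoutException, UnexpectedAlertPresentException
except ImportError:
    webdriver = None


def make_probe():
    """A per-run random marker inside the alert, so only OUR script counts as a hit."""
    marker = "xss" + secrets.token_hex(4)
    return marker, f"<script>alert('{marker}')</script>"


def classify(marker, payload, alert_text, page_source):
    """Reduce raw observations to one verdict; only the first two are findings."""
    if alert_text == marker:
        return "confirmed"  # our script ran in the browser
    if payload in page_source:
        return "reflected-unescaped"  # raw tags in the DOM, no pop-up (e.g. inside a comment)
    if marker in page_source:
        return "reflected-escaped"  # echoed as text: output encoding did its job
    return "not-reflected"


def navigate(driver, url):
    """driver.get() that tolerates a pop-up firing during the page load."""
    try:
        driver.get(url)
    except UnexpectedAlertPresentException as exc:
        return exc.alert_text  # assumed: the driver dismissed the alert but reports its text
    return None


def observe(driver, early_alert_text=None, timeout=3):
    """Collect (alert text or None, page source); the alert is accepted before reading the DOM."""
    alert_text = early_alert_text
    if alert_text is None:
        try:
            WebDriverWait(driver, timeout).until(EC.alert_is_present())
            alert = driver.switch_to.alert
            alert_text = alert.text
            alert.accept()
        except TimeoutException:
            pass  # no pop-up within the timeout: classify() decides from the DOM
    return alert_text, driver.page_source


def check_query_param(driver, page_url, param):
    """The slide's index.php?name=... case: the probe travels in the query string."""
    marker, payload = make_probe()
    early = navigate(driver, page_url + "?" + urlencode({param: payload}))
    return classify(marker, payload, *observe(driver, early))


def check_text_field(driver, page_url, css_selector):
    """Example 1's flow (open page, find a field, type, submit) with the probe typed in."""
    marker, payload = make_probe()
    navigate(driver, page_url)
    field = driver.find_element(By.CSS_SELECTOR, css_selector)
    field.clear()
    field.send_keys(payload)
    try:
        field.send_keys(Keys.RETURN)
        early = None
    except UnexpectedAlertPresentException as exc:
        early = exc.alert_text
    return classify(marker, payload, *observe(driver, early))


if __name__ == "__main__":
    driver = webdriver.Firefox()  # launches a Firefox window, as on the "Using Selenium" slide
    try:
        print(check_query_param(driver, "http://localhost:8000/index.php", "name"))  # placeholder URL
        print(check_text_field(driver, "http://localhost:8000/", "input[name=q]"))  # assumed selector
    finally:
        driver.quit()
```

The four verdicts are what make the test usable unattended: "confirmed" and "reflected-unescaped" are findings, "reflected-escaped" shows the parameter is echoed but neutralised, and "not-reflected" rules the parameter out, so a gating job can fail on the first two without anyone reading a log.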
Why NOT Selenium?
• If you're running thousands of tests, Selenium will take significantly longer than something like cURL
• If you're just doing HTTP requests and searching for regexes in the page source code, this can be done much faster by other means
  – For this reason, Selenium isn't particularly well-suited to API testing
Selenium Grid
• Preinstalled on the Vagrant box
• SSH into the Vagrant box
  – vagrant ssh
• Start the Grid
  – sudo dsgrid start
• Add multiple Firefox nodes
  – sudo dsgrid nodes add firefox
  – sudo dsgrid nodes add firefox
• Verify the Selenium hub is running
  – http://localhost:49044/grid/console
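Once the hub and its two Firefox nodes are up, the same check can be fanned out over the Grid and the verdicts turned into a pass/fail exit status for a gating job. This is an added example, not code from the deck or its repository. Assumptions: the hub URL is the deck's port 49044 with the standard `/wd/hub` endpoint; the target URLs are placeholders; Selenium 4's `webdriver.Remote(..., options=...)` signature; `title_check` is a stand-in for any `check(driver, job)` function, such as the XSS check above, and `summarize()` accepts the verdict strings those checks return.

```python
from concurrent.futures import ThreadPoolExecutor

try:  # selenium is only needed to open Grid sessions; summarize() runs without it
    from selenium import webdriver
except ImportError:
    webdriver = None

HUB_URL = "http://localhost:49044/wd/hub"  # assumed: the deck's hub port plus the standard /wd/hub path

# Verdicts that do not block the build; anything else (findings, errors, unknown strings) does.
PASSING_VERDICTS = {"ok", "not-reflected", "reflected-escaped"}


def new_remote_firefox(hub_url=HUB_URL):
    """One Firefox session on whichever Grid node is free (Selenium 4 API)."""
    return webdriver.Remote(command_executor=hub_url, options=webdriver.FirefoxOptions())


def run_on_grid(check, jobs, workers=2):
    """check(driver, job) -> verdict. One session per job, `workers` jobs at a time
    (two, matching the two Firefox nodes added on the slide)."""

    def one(job):
        driver = new_remote_firefox()
        try:
            return job, check(driver, job)
        except Exception as exc:  # a crashed session is a result too, not a silent gap
            return job, f"error: {type(exc).__name__}"
        finally:
            driver.quit()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(one, jobs))


def summarize(results):
    """Count verdicts and decide the gate: every job must return a passing verdict,
    and an empty run never passes."""
    counts = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    passed = bool(results) and all(v in PASSING_VERDICTS for v in counts)
    return counts, passed


def title_check(driver, job):
    """A minimal check to spread across the Grid: the page loads with the expected title text."""
    driver.get(job["url"])
    return "ok" if job["expect_title"] in driver.title else "title-mismatch"


if __name__ == "__main__":
    jobs = [  # placeholder targets
        {"url": "http://localhost:8000/", "expect_title": "Welcome"},
        {"url": "http://localhost:8000/index.php", "expect_title": "Welcome"},
    ]
    counts, passed = summarize(run_on_grid(title_check, jobs))
    print(counts, "gate passed" if passed else "gate FAILED")
    raise SystemExit(0 if passed else 1)  # the exit status is what a Jenkins gating job reads
```

Session errors are recorded as verdicts rather than swallowed, so a node that fails to start cannot make a run look clean, and the gate fails closed on an empty result set for the same reason.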
Reference
• https://w3c.github.io/webdriver/webdriver-spec.html
• http://www.seleniumhq.org/
• https://github.com/cneill/selenium-security-stuff
• OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• SQL injection: https://www.owasp.org/index.php/SQL_Injection
• Cross Site Scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
THANK YOU
RACKSPACE® | 1 FANATICAL PLACE, CITY OF WINDCREST | SAN ANTONIO, TX 78218
US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM
© RACKSPACE LTD. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM