Penetration Testing With Selenium


0 (9)

 

Penetration testing is one of those things that people don’t often think about while they are building a product. It’s usually seen as a phase of testing that is performed by a third party who has expertise in that area once a release has passed normal testing.

The problem with this view is that fixing security problems at this point may well be very expensive and require large amounts of refactoring, or even rewrites. Wouldn’t it be good if we could do as much penetration testing as possible in the early development phases? This would give us a fast feedback loop that would allow us to make changes earlier in the development life cycle at a greatly reduced cost.

Selenium does not have any penetration testing functionality built in, but we can use other tools to supplement it. One excellent tool that can work well with Selenium is the Zed Attack Proxy (ZAP). For more information about ZAP, have a look at https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.

ZAP is a penetration testing tool that searches for vulnerabilities in web applications. It is a proxy that sits between your browser and the website you are testing. As you use the website you are testing, ZAP logs all of the network calls and uses them to build up a series of attack profiles. The more functionality on your website you use, the more information ZAP has to build these attack profiles.

Once you have walked through the functionality of your site, you can tell ZAP to build a series of attack profiles based upon the information it has collected. ZAP then starts a series of attacks on your site and logs any potential vulnerability that it finds.

Obviously, the more functionality you use, the more information ZAP has and the better its attacks are. If you are testing your website with Selenium, it’s probably a pretty safe bet that you cover a large percentage of functionality with your tests.

So what we are going to do is set ZAP up as a proxy and then use our proxy implementation to run our Selenium tests through ZAP so that it can generate an attack profile for our site.

Setting up ZAP is nice and simple:

  1. First of all, open up ZAP

2. Then go to Tools | Options

3. Next, Select Local proxy

4. Finally, set the proxy address to localhost, and select a port; we will use 8080 for this example. (As Default).

Now we need to run our Selenium tests using this proxy so that ZAP can monitor our network traffic and build attack profiles. Use the following test script:

public class ZAPSeleniumPenetration 
{
	ChromeDriver driver ; 
	
  @BeforeTest
	public void opeURL() 
	{
	    String PROXY = "localhost:8080";
		org.openqa.selenium.Proxy proxy = new org.openqa.selenium.Proxy();
		proxy.setHttpProxy(PROXY)
		.setFtpProxy(PROXY)
		.setSslProxy(PROXY);
		ChromeOptions options = new ChromeOptions();
		options.setCapability(CapabilityType.PROXY, proxy);
		System.setProperty("webdriver.chrome.driver", 
				System.getProperty("user.dir")
        +"\\Sources\\chromedriver.exe");
		driver = new ChromeDriver(options); 
		driver.navigate().to("https://the-internet.herokuapp.com/login");
	}

	@Test
	public void TestPenertation() 
	{
		WebElement usernameTxt = driver.findElement(By.id("username")); 
		WebElement passwordTxt = driver.findElement(By.id("password"));
		WebElement btnLogin = driver.findElement(By.className("radius"));
		usernameTxt.sendKeys("tomsmith");
		passwordTxt.sendKeys("SuperSecretPassword!");
		btnLogin.click();
	}

	@AfterTest
	public void closeDriver() 
	{
		driver.quit();
	}
}

Now wait for your tests to complete and you’re done. You can now tell ZAP to start attacking the site that you are testing. As it performs its attacks, it will highlight vulnerabilities and at the end will give you a list of things that need investigating.

Tip

ZAP can be very verbose and you should remember that it is reporting potential vulnerabilities. Not everything that it logs is a problem that needs a high-priority fix; some may be vulnerabilities in technologies that you aren’t currently using. A lot of people get a nasty shock when they first run their website through ZAP.

Resources

Using a Proxy with Selenium

https://docs.seleniumhq.org/docs/04_webdriver_advanced.jsp

Getting start with penetration testing

A collection of awesome penetration testing resources, tools and other shiny things

https://github.com/enaqx/awesome-pentest

Good Luck and Happy Testing 🙂

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.