Selenium for Security Engineers

Arnav Tripathy
Jun 15, 2023

What is Selenium?

Selenium is an open-source framework used for browser automation. It is mainly used by QA testers to automate the testing of features without having to manually visit each one. Selenium supports a variety of programming languages, notably Python, Ruby and Java, and works with all the major browsers such as Firefox, Chrome and Safari. In this blog, however, I’ll be demonstrating using Firefox.

How is Selenium useful for Security Engineers?

Selenium is useful for security engineers in a few ways listed below:

  • Repeated automated security testing for vulnerabilities such as XSS and SQLI
  • Pulling metrics from security tools without having to open the dashboard.
  • Creating security frameworks such as a key rotation framework.

Selenium is a very useful skill for security engineers. However, most, including me, found it slightly daunting to get started with. In this blog, I take a small example of how to log in automatically using Selenium. I will share some tips and try to make it simple for beginners.

Note: I will be using Python here as Python is the most popular choice for Security Engineers.

Installing Selenium

It’s fairly simple to install Selenium. You can read https://pypi.org/project/selenium/ to get started, as writing it down here would just be repeating what’s already there. Please ensure that your browser version and the driver version are the same. If they are not, Selenium will not work. To be on the safe side, always use the latest browsers.

Setting up your Selenium Boilerplate

There’s gonna be a few lines of code, such as importing Selenium classes and setting up the path to your webdriver. Here’s what my boilerplate looks like.

#Importing all libraries. Might not always use all of them but will need them in most cases
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.common.exceptions import TimeoutException
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By

# create webdriver object
driver = webdriver.Firefox()

If you face any issues while setting up the webdriver, you need to debug the reason by yourself. The issue will most likely be with the path of your driver file.

Finding HTML elements using XPATH

Before jumping into the code and example, I would like to talk a little bit about XPATH in HTML since we will be using it a lot. Once you understand XPATH, Selenium automation will be a breeze for you.

XPATH is used to navigate through elements in an HTML document. The best way to understand it is to take an example. Take this webpage: http://testphp.vulnweb.com/login.php. Now how would you find the position of the Username textbox? You might want to right click and inspect element on the textbox. If you do, you will find the HTML element highlighted. If you do it in Firefox at least, you’ll find the HTML to be:

<input name="uname" type="text" size="20" style="width:120px;">

While it’s not hard to remember for this webpage, this is usually not the case for many complex webpages. It is not practical to use the entire tag when searching the HTML for an element.

That’s when XPATH comes into play. You can construct an XPATH query and simply use that to search for the element. Let’s see how we can construct a query.

XPATH query structure goes like this: //tagname[@Attribute = 'Value'] where:

  • tagname specifies the tag used in the element. In the above example, it is the input tag.
  • Attribute is additional information about the element. In this case, name, type, size and style are attributes. You can pick any one of them to refer to the element.

Some XPATH queries for this element (yes, multiple queries can be written to refer to the same element) are:

  • //input[@size="20"]
  • //input[@name="uname"]
  • //input[@type="text"]

I’ll let you try out some more queries. I hope the point about how to use XPATH has come across. We will, however, go with the XPATH query //input[@name="uname"]. Why? Because this will be unique to the uname text box. The other queries can match other text boxes. Try it out! Think logically about why it happens.
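An added example, not from the original post: the script below counts how many elements each query matches on a constructed login page (the markup, including the search form and the names searchFor, goButton and loginform, is invented for illustration). Selenium's find_element returns the first match, so an ambiguous query can silently type a credential into the wrong field.

```python
# Added example: count how many elements each XPath locator matches.
import xml.etree.ElementTree as ET

# Constructed sample markup (well-formed so the standard library can parse it);
# it is NOT a copy of the real login page.
SAMPLE_PAGE = """
<html><body>
  <form name="search" action="search.php" method="post">
    <input name="searchFor" type="text" size="10"/>
    <input name="goButton" type="submit" value="go"/>
  </form>
  <form name="loginform" action="userinfo.php" method="post">
    <input name="uname" type="text" size="20"/>
    <input name="pass" type="password" size="20"/>
    <input type="submit" value="login"/>
  </form>
</body></html>
"""

def count_matches(markup, xpath):
    """Return the number of elements in markup that xpath selects."""
    root = ET.fromstring(markup)
    # ElementTree only accepts relative paths, so '//x' becomes './/x'.
    return len(root.findall("." + xpath if xpath.startswith("//") else xpath))

def audit_locators(markup, xpaths):
    """Map each locator to 'unique', 'ambiguous (n)' or 'missing'."""
    report = {}
    for xpath in xpaths:
        n = count_matches(markup, xpath)
        report[xpath] = "unique" if n == 1 else ("missing" if n == 0 else f"ambiguous ({n})")
    return report

CANDIDATES = [
    '//input[@size="20"]',
    '//input[@name="uname"]',
    '//input[@type="text"]',
    '//input[@type="submit"]',
    '//form[@name="loginform"]//input[@type="submit"]',
]

if __name__ == "__main__":
    for locator, verdict in audit_locators(SAMPLE_PAGE, CANDIDATES).items():
        print(f"{verdict:15} {locator}")
```

On a live page the same check is `len(driver.find_elements(By.XPATH, query)) == 1` before any call to send_keys.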

This was a small primer on XPATH. I personally use mostly only XPATH to find elements. Selenium supports many other ways, such as finding elements through class, id, CSS, etc. But I always found it easier to use XPATH. You can explore the others by yourself to see which one suits you.

Final automation code for login using Selenium

The final code should look something like this:

#Importing all libraries. Might not always use all of them but will need them in most cases
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.common.exceptions import TimeoutException
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
import time

# create webdriver object
driver = webdriver.Firefox()

driver.get('http://testphp.vulnweb.com/login.php')

username = driver.find_element(By.XPATH, '//input[@name="uname"]')
password = driver.find_element(By.XPATH, '//input[@name="pass"]')
username.send_keys("{}".format("test"))
password.send_keys("{}".format("test"))
driver.find_element(By.XPATH, '//input[@type="submit"]').click()
time.sleep(6)  # Only used so that you can see you're logged in
driver.quit()  # Close the browser and end the WebDriver session

Most of the code should be self-explanatory. For a login, you need three inputs, namely the username, the password and the button. You can find all three elements using XPATH as explained in the previous section. Then, to log in, send in the data using the send_keys function and use the click function as shown in the code. I recommend spending some time with the code and, once you understand it, trying it on other pages.

This was a simple way to get started with Selenium for absolute beginners. Hope it helps someone :)
