AUTOMATING SECURITY TESTS WITH SELENIUM By Brady Vitrano & Charles Neill Presented to OWASP San Antonio March 20th, 2015

AUTOMATING SECURITY TESTS
WITH SELENIUM
By Brady Vitrano & Charles Neill
Presented to OWASP San Antonio
March 20th, 2015
Who Are We?
Brady Vitrano, Lead of Quality Engineering
Charles Neill, Security Developer
Agenda
• The goals
• Selenium/Tools/Language Introduction
• Security Engineering Introduction
• Create and run security tests
• Scalable Testing with the Grid
• Takeaways
• Q&A
• Git Repo - https://github.com/cneill/selenium-security-stuff
The Goals
• Understand Selenium framework for UI automation testing
• Learn why Selenium is a useful framework for frontend security testing
• Learn to create simple function test cases using Selenium
• Learn to create simple security testing cases using Selenium
What is Selenium?
• What is Selenium?
– Earth Metal
– Atomic Number: 34
– Atomic Weight: 78.96
– Tool to control web browsers and devices
• Selenium Modes
– WebDriver API
• Support Remote Browsers
– Selenium IDE Recorder
• Runs locally
Browser Automation with Selenium
• IDE Pros
– Quick and temporary solution
• IDE Cons
– Manual Process (SLOW)
– Requires tons of maintenance
– Breaks frequently due to outdated tests
– Does not run remotely
• IDE NOT RECOMMENDED
• Web Driver Pros
– Scripts written to perform browser actions to simulate a web user
– Tests against various browsers and devices
– Flexible to handle frequent code changes
– Watch scripts run against live browser
– Scalable with Selenium Grid
• Web Driver Cons
– Simulates user actions but does not support scrolling
– Must hack around shortcomings with JavaScript
– WebDriver tends to be out of date with frequent browser updates
Technical Overview
• Selenium Webdriver
– REST-based API; works with various browsers and devices
– JSON Wire Protocol
• https://code.google.com/p/selenium/wiki/JsonWireProtocol
– W3C WebDriver (Draft, 11 Feb 2015)
• https://w3c.github.io/webdriver/webdriver-spec.html
• Programming Languages
– Python – (Covered Today)
– Ruby (Merlot – Rackspace Gem)
– JavaScript (Protractor)
– Java (???)
Using Selenium / Examples
The very basics of a web page functionality test:
• pip install selenium
• Visiting the webpage of interest
• Accessing the elements on the page
Explanation:
Here we simply create a Firefox browser object. This will cause a Firefox window to launch.
Next we tell Firefox to navigate to http://seleniumhq.org/, which will load the requested website.
www.rackspace.com
8
Selenium / Examples
Example 1:
• open a new Firefox browser
• load the Yahoo homepage
• search for “seleniumhq”
• close the browser
Selenium / Examples - Page Elements
Elements can be accessed in many ways:
• Element type: input, button
• Element attribute: name, id, value
• Xpath
User actions that can be emulated:
• Click
• Filling out text fields (sending keys)
Selenium / Examples – Inspecting Elements
Selenium / Examples – How to access page elements
• There are several different ways the WebDriver can find HTML elements
• One of the most commonly used accessors is browser.find_element_by_css_selector()
– This works off CSS selectors (similar to Sizzle/jQuery's selection system)
• IPython is a helpful way to explore the Selenium API; tab completion will help you find interesting methods
Security Engineering Introduction
• Part of Quality Engineering
• Focus on security testing of different practice areas
• Integrate with project team as security resource
• Provide security testing
– Infrastructure security testing
– Web application security testing
– API security testing
Common Security Vulnerabilities for Web Applications
• Injection (such as SQL, OS, LDAP injection)
• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
SQL Injection
• Authentication bypass
• Read sensitive data from the database
• Modify database data
• Execute administrative operations
• Local file system access
• Run operating system commands
•…
XSS
• Session stealing
• Malware installation
• Phishing
• HTML5 Storage Compromise
• Compromising Credentials
• Cross Site Request Forgery Attack
• Cookie Stealing
• Identity Theft
•…
Another tool to learn…
Why Scripted Tests?
• Don't we want to just throw some fuzz strings at the app and hope it returns a 500 error?
– We want to eliminate false positives, because we might not be around to watch the test execution and dig through it manually (e.g. if this is being run in a Jenkins gating job)
• Writing test cases is harder than just loading a wordlist into Burp
– Sure, the first time! But once you write some code, you can re-use it over and over again, and you can define success/failure in a more detailed way for each test
Why Selenium?
• Run tests with real-world browsers, and inspect tests in the browser if you want
• Flexible test running – you can run tests locally, or spin up a whole cluster of headless nodes to test in parallel
• Ability to manipulate the page in a more "natural" way with Selenium, unlike tools that don't emulate or control a browser
• Manipulate the DOM
• Work with JavaScript directly
Why Selenium? (Cont'd.)
• Bindings in many languages (Python, Ruby, Java…)
• Catch pop-ups as they occur – this is a great way to verify XSS
• Search the DOM with CSS selectors (similar to jQuery)
• Inject JavaScript, cookies, and browser extensions on-the-fly
Why NOT Selenium?
• If you're running thousands of tests, Selenium will take significantly longer than something like cURL
• If you're just doing HTTP requests and searching for regexes in the page source code, this can be done much faster by other means
– For this reason, Selenium isn't particularly well-suited to API testing
Security Automation Demo!
Selenium Grid
• Preinstalled on the Vagrant box
• SSH into Vagrant Box
– vagrant ssh
• Start Grid
– sudo dsgrid start
• Add Multiple Firefox Nodes
– sudo dsgrid nodes add firefox
– sudo dsgrid nodes add firefox
• Verify Selenium Hub is Running
– http://localhost:49044/grid/console
Run Automation Against the Grid
Instead of this:
Use this:
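The XSS check the slides describe (catching the alert pop-up as it fires, with a unique marker so an unrelated alert is not counted as a hit) and the switch from a local browser to the Grid hub, as one added Python example; this is not code from the talk or its repository. It assumes the target app's search box matches the CSS selector input[name='q'], that the hub's WebDriver endpoint is /wd/hub on the port shown above, and the Selenium 2/3 desired_capabilities form of webdriver.Remote.

```python
import uuid

try:
    from selenium.common.exceptions import NoAlertPresentException
except ImportError:  # fallback so the check logic below imports (and can be unit-tested) without Selenium
    class NoAlertPresentException(Exception):
        pass

SEARCH_SELECTOR = "input[name='q']"  # assumption: the app's search box, located via CSS selector


def caught_marker_alert(driver, marker):
    """True if an alert carrying our marker fired; always accepts it so the driver is not left blocked."""
    try:
        alert = driver.switch_to.alert
    except NoAlertPresentException:
        return False
    text = alert.text
    alert.accept()
    return marker in text


def payload_reflected_unescaped(driver, payload):
    """Weaker signal: the raw payload survived into the DOM; a safe page would have escaped it."""
    return payload in driver.execute_script("return document.documentElement.outerHTML")


def run_xss_check(driver, url, marker=None):
    marker = marker or "xss" + uuid.uuid4().hex[:8]
    payload = "<script>alert('%s')</script>" % marker  # unique marker: only our own alert counts
    driver.get(url)
    box = driver.find_element_by_css_selector(SEARCH_SELECTOR)  # removed in Selenium 4.3+; use find_element(By.CSS_SELECTOR, ...)
    box.send_keys(payload)
    box.submit()
    if caught_marker_alert(driver, marker):
        return "vulnerable: script executed"
    if payload_reflected_unescaped(driver, payload):
        return "suspicious: payload reflected unescaped"
    return "pass"


def make_driver(hub_url=None):
    """Local Firefox, or a Firefox node behind the Grid hub (e.g. http://localhost:49044/wd/hub)."""
    from selenium import webdriver  # imported lazily so the checks above load without Selenium
    if hub_url is None:
        return webdriver.Firefox()
    from selenium.webdriver import DesiredCapabilities  # Selenium 2/3 API; 4.10+ takes options= instead
    return webdriver.Remote(command_executor=hub_url,
                            desired_capabilities=DesiredCapabilities.FIREFOX)
```

Call run_xss_check(make_driver(), url) for a local run and run_xss_check(make_driver("http://localhost:49044/wd/hub"), url) to run the same test on the Grid.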
Reference
• https://w3c.github.io/webdriver/webdriver-spec.html
• http://www.seleniumhq.org/
• https://github.com/cneill/selenium-security-stuff
• OWASP Top Ten Project:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• SQL injection: https://www.owasp.org/index.php/SQL_Injection
• Cross Site Scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
Questions?
THANK YOU