Selenium Security Scanner

In this session we explore how Selenium tests can drive dynamic security scans of your application for vulnerabilities like Cross Site Scripting (XSS).

http://www.youtube.com/watch?v=xW2ZQDF-2CQ

Greg Wester

June 12, 2013

Transcript

  1. Building a pyramid base
     ◦ Test without the DOM
     ◦ Load scripts and specs into a raw JavaScript engine
     ◦ IE ScriptEngine, Firefox SpiderMonkey, Google V8/D8

  2. The new UI automation strategy
     ◦ Bottom: script developers write JavaScript unit tests
     ◦ Middle: testing with a headless DOM, e.g. Phantom.js
     ◦ Top: WebDriver is for testing browser compatibility

  3. Selenium Driven Vulnerability Scanner
     ◦ Uses Selenium tests to traverse the pages in the app
     ◦ Captures HTTP request/response in a local proxy
     ◦ Replays HTTP requests
     ◦ Fuzzes evil inputs into headers and parameters

  4. About Vulnerabilities
     ◦ Cross Site Scripting (XSS)
     ◦ XSS can be reflected or stored
     ◦ XSS can happen in the server (common) or in the DOM (a newer class of vulnerability)
     ◦ Cross Site Request Forgery (CSRF)

  5. Start up the local proxy process

         $> java -classpath burp.jar;BurpProxyExtender.jar burp.StartBurp \
              loadconfig=my_config \
              asport=8080 \
              ashost=your-dev-box \
              saveconfig=output_state \
              report=new_report.html

     Note: the JVM only honours -classpath when it precedes the main class name, so it is given before burp.StartBurp. The ";" classpath separator is the Windows form; on Unix use ":".

  6. Start up the selenium proxy

         $> java -jar selenium.jar \
              -DproxyHost=127.0.0.1 \
              -DproxyPort=8888 \
              -timeout 120 \
              -multiwindow \
              -userExtensions sfdcselenium.js \
              -Dwebdriver.chrome.driver=/path/to/goog \
              -firefoxProfileTemplate

  7. 99 Problems
     ◦ CSRF tokens expired on replayed requests
     ◦ Selenium failures and flappers interrupt the run
     ◦ Run time doubles even with concurrent requests
     ◦ Requires a special license from Burp
     ◦ Need granular runs that feed into the CI loop and the test failure management system
     ◦ Several processes that talk over RMI
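The replay-and-fuzz loop of slide 3, together with the "CSRF tokens expired on replayed requests" problem of slide 7, as an added Python illustration (this is not code from the deck or from the scanner it describes). Everything here is constructed: `FakeApp` is a hypothetical stand-in for the application under test (one escaped sink, one unescaped sink, single-use CSRF tokens), the captured request is what the local proxy would have recorded from a Selenium-driven form post, and `PROBE` is an inert marker tag whose only use is to check whether a parameter is echoed back unescaped. The scanner skips the token parameter, replays each remaining parameter with the probe, and, when the replay is rejected with 403, fetches a fresh token and retries once; with `refresh=False` it reproduces the slide 7 failure, where every replay dies on the stale token and the reflection is missed.

```python
import html
import re
from dataclasses import dataclass, field

# Inert marker: detection only asks whether it comes back unescaped in the body.
PROBE = "<zzprobe>"


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


class FakeApp:
    """Hypothetical target (constructed for this example).

    /form issues a one-time CSRF token; /comment requires and consumes it,
    escapes 'name' correctly and writes 'comment' into the page unescaped.
    """

    def __init__(self):
        self._counter = 0
        self._valid_tokens = set()

    def handle(self, req: Request) -> Response:
        if req.method == "GET" and req.path == "/form":
            self._counter += 1
            token = f"tok{self._counter}"
            self._valid_tokens.add(token)
            return Response(200, f'<input name="csrf" value="{token}">')
        if req.method == "POST" and req.path == "/comment":
            token = req.params.get("csrf", "")
            if token not in self._valid_tokens:
                return Response(403, "stale or missing csrf token")
            self._valid_tokens.discard(token)          # single use: a replay breaks it
            name = html.escape(req.params.get("name", ""))   # safe sink
            comment = req.params.get("comment", "")          # unsafe sink
            return Response(200, f"<p>{name} said:</p><div>{comment}</div>")
        return Response(404, "")


def fresh_token(app: FakeApp) -> str:
    """Re-walk the form page and pull a new token, as the scanner must on replay."""
    body = app.handle(Request("GET", "/form")).body
    return re.search(r'name="csrf" value="([^"]+)"', body).group(1)


def replay_with_fuzz(app, captured: Request, refresh=True, skip=("csrf",)):
    """Replay the captured request once per parameter with PROBE substituted.

    Returns the names of parameters whose probe was echoed unescaped.
    """
    findings = []
    for name in captured.params:
        if name in skip:
            continue
        params = {**captured.params, name: PROBE}
        resp = app.handle(Request(captured.method, captured.path, params))
        if resp.status == 403 and refresh:
            # Slide 7 problem: the recorded token is stale. Fetch a new one and retry.
            params["csrf"] = fresh_token(app)
            resp = app.handle(Request(captured.method, captured.path, params))
        if resp.status == 200 and PROBE in resp.body:
            findings.append(name)
    return findings


def demo(refresh=True):
    app = FakeApp()
    # Constructed proxy capture of the request the Selenium test made.
    captured = Request("POST", "/comment",
                       {"csrf": fresh_token(app), "name": "alice", "comment": "hello"})
    app.handle(captured)            # the original run consumes the token
    return replay_with_fuzz(app, captured, refresh=refresh)


if __name__ == "__main__":
    print("with token refresh:   ", demo())               # ['comment']
    print("without token refresh:", demo(refresh=False))  # []
```

The escaped `name` sink comes back as `&lt;zzprobe&gt;` and is correctly not reported, while the raw `comment` sink is; the same loop extended to headers and to a list of payloads is the core of what the deck's scanner does on top of the Burp capture.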