My current project uses an agile project methodology. As such, we use Selenium to create automated acceptance tests for the project. Focusing on the security aspects of the application we are developing, I had an idea about using Selenium for security testing. Basically, there are a few points that led me to this idea:
- Using Selenium we would perhaps not need to introduce yet another tool into the process, lowering the project’s effort to handle security.
- Using Selenium, security testing could get attention equal to the acceptance tests.
- Selenium tests could perhaps be created to simulate Black Hat activity.
Being a Selenium newbie, I started looking at Selenium to see of it could be used for this purpose. I quickly realised that Selenium out of the box does not have the functionality that is needed. It is, however, easily extensible.
I have found some areas where Selenium has shortcomings when it comes to security testing:
- Session handling: Proper session handling is important when it comes to security, for instance vulnerabilities like session fixture and rights elevation. To enable testing of session handling, Selenium needs functions for inspecting and deleting cookies. Furthermore, if one where to run test suites with tests which involves sessions, these would have to be deleted in between tests to avoid the tests interfering with each other.
- HTTP protocol: Testing which involves inspecting and setting HTTP headers would be an integral part of a security test suite.
- Input validation: Testing that the AUT does proper input validation and/or can handle input out of range would be important. For example, one test that comes to mind is whether the AUT can handle being sent a value that is not a part of an HTML drop down list.
Even though Selenium has shortcomings, I am fairly optimistic that these can be overcome, and I would like to investigate this further. For instance, I have created basic cookie handling routines for Selenium which seems to do the job. (Item 1 above) I will post them on my homepage later (www.kongsli.net). For item 3 above, I have created a method that will dynamically add options to dropdown lists on a page before the page is submitted, making it possible to send parameters out of range to the server. Furthermore, I will look into AJAX related techniques to handle item 2 above, possibly using the Dojo framework.