Abhijeet Vaikar

Reputation: 1636

Automated security testing using Selenium

I am trying to figure out scenarios for different web application security testing approaches with Selenium WebDriver. I am aware of XSS and SQL injection but have not tried executing such tests with Selenium. Although Selenium is supposed to be used as a UI functional test automation tool, I feel that we can use it to test some security aspects of a website too.

My questions are:
1. Has anyone worked on automated security testing of web apps using Selenium? Can you please share your experiences or ways you achieved it using Selenium?
2. What security testing could I perform from the web UI using Selenium as my tool?

Upvotes: 0

Views: 9681

Answers (3)

Amit Kulkarni

Reputation: 81

Automated or manual security testing using OWASP-ZAP involves the 3 steps below:
1. Enabling ZAP - ZAP will do XSS & SQL injections
2. Kick off regression tests (any UI automation tool you would like, say Selenium, Nightwatch.js, Protractor etc.). Explore the AUT (application under test) as much as possible so that ZAP can proxy all the URLs.
3. Run the ZAP Python script, which will capture the result/report

Please go through the GitHub URL below. I have implemented automated security tests using OWASP-ZAP and Nightwatch.js. The same can be done with Selenium. Please go through Readme.doc.

https://github.com/AmitKulkarni9/Automated-Security-Penetration-Testing

regards, Amit

Upvotes: 2
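The three steps in the answer above, sketched as an added example (not code from the answer or its linked repository). It assumes a ZAP daemon with an API key listening on 127.0.0.1:8080; the names `proxied_driver`, `fetch_alerts` and `gate`, the `app.test` host and the sample alerts are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"  # assumption: address of the local ZAP proxy/API
RISK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def proxied_driver():
    """Step 2: start a browser whose traffic ZAP can record."""
    from selenium import webdriver  # lazy import: only this step needs Selenium
    opts = webdriver.ChromeOptions()
    opts.add_argument("--proxy-server=" + ZAP)
    opts.add_argument("--ignore-certificate-errors")  # ZAP re-signs TLS; test rigs only
    return webdriver.Chrome(options=opts)

def fetch_alerts(base_url, api_key):
    """Step 3: read the alerts ZAP raised for base_url from its JSON API."""
    query = urllib.parse.urlencode({"baseurl": base_url, "apikey": api_key})
    with urllib.request.urlopen(f"{ZAP}/JSON/core/view/alerts/?{query}") as resp:
        return json.load(resp)["alerts"]

def gate(alerts, fail_at="Medium"):
    """Return (passed, findings): de-duplicated alerts at or above fail_at."""
    seen, findings = set(), []
    for a in alerts:
        risk = a.get("risk", "High")  # unknown or missing risk fails closed
        key = (a.get("alert"), a.get("url"), a.get("param", ""))
        if RISK.get(risk, 3) >= RISK[fail_at] and key not in seen:
            seen.add(key)
            findings.append((risk,) + key)
    findings.sort(key=lambda f: -RISK.get(f[0], 3))
    return not findings, findings

SAMPLE_ALERTS = [  # constructed sample, shaped like ZAP alert objects
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "http://app.test/", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://app.test/search", "param": "q"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "url": "http://app.test/login", "param": ""},
]

if __name__ == "__main__":
    # Live run: drive proxied_driver() through the UI suite, then call
    # fetch_alerts("http://app.test", "<zap-api-key>") instead of the sample.
    passed, findings = gate(SAMPLE_ALERTS)
    for finding in findings:
        print(*finding)
    raise SystemExit(0 if passed else 1)
```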

bugCracker

Reputation: 3796

Check out this tool for security testing, designed using Selenium: OWASP Xelenium Project

Upvotes: 0

vabz

Reputation: 171

The first thing you should understand about Selenium is: it's primarily a GUI automation tool and should be used in a similar context.

Now, considering your requirement and as mentioned above, it can be used to insert XSS scripts and validate their behaviour on the UI, as well as SQL injection scripts. However, I would suggest that, as a part of security testing, you should definitely look forward to using some specialized tools like the one provided by whitehat and all, which will help you deal with web security vulnerabilities in a better way.

Upvotes: 1
