Reputation: 1658
I am writing Selenium (Seleno) scripts to test a C# MVC web application which requires users to log in. At the moment the username and password are hard-coded into the script, but I need to make sure the password is protected before I can commit the scripts to our code repository.
The scripts will be run autonomously through CI (TeamCity) so the password must be available to the program without any human input.
In terms of security requirements, the password is common knowledge amongst devs, but it is also bundled with the software that is deployed to clients (which obviously opens a back door to anyone in possession of the password - for better or for worse). So if someone gains access to our codebase we need to be sure that they can't get at the password. The password itself is stored (salted) in a SQLite database.
If I pass an encrypted value into the program and then decrypt it, will that protect us? I'm not too bothered about the password being in memory on the server where the test runs, as that server should be securely locked down and will only exist for the duration of the tests.
The only other thing I can think of is to insert a temp password into the SQLite database once TeamCity has spun up the temp server instance and before the tests are run. Not sure how to achieve that though.
I would have thought this would be a really common problem with Selenium, but I haven't as yet been able to find a definitive solution.
Upvotes: 1
Views: 4247
Reputation: 255
Add a password manager extension like Bitwarden, KeePass, etc., and configure it to auto-login. Give it 2-3 seconds in the code to auto-login.
Upvotes: 0
Reputation: 1214
The solution is to set your passwords at runtime. I would suggest environment variables. Then they are not in your codebase and instead somebody would need to hack into where you run your tests from.
Upvotes: 1
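As an added illustration of this answer (not code from the original thread, and in Python rather than the asker's C#/Seleno so it runs stand-alone), here is the shape a runtime credential loader can take: the secret is read from environment variables that only the CI agent defines, the test fails fast with a message naming the missing variables, and the credential object keeps the password out of `repr()` so it does not leak into test logs. The variable names `SELENIUM_TEST_USER` and `SELENIUM_TEST_PASSWORD` are assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import List, Mapping, Optional

# Assumed variable names; pick whatever matches your CI configuration.
USERNAME_VAR = "SELENIUM_TEST_USER"
PASSWORD_VAR = "SELENIUM_TEST_PASSWORD"


class MissingCredentialsError(RuntimeError):
    """Raised when the CI environment did not supply the test credentials."""


@dataclass(frozen=True)
class TestCredentials:
    username: str
    # repr=False keeps the password out of tracebacks, log lines and assertion messages
    password: str = field(repr=False)

    def masked(self) -> str:
        """Safe form for logging: username plus a fixed-width mask."""
        return f"{self.username}:{'*' * 8}"


def missing_credential_names(env: Mapping[str, str]) -> List[str]:
    """Return the names of the required variables that are unset or empty."""
    return [name for name in (USERNAME_VAR, PASSWORD_VAR) if not env.get(name)]


def load_credentials(env: Optional[Mapping[str, str]] = None) -> TestCredentials:
    """Load the login used by the Selenium run from the process environment.

    `env` is injectable so the loader can be exercised without touching os.environ.
    """
    env = os.environ if env is None else env
    missing = missing_credential_names(env)
    if missing:
        # Fail before any browser is started, and say exactly what is missing
        raise MissingCredentialsError(
            "test credentials not set; define "
            + ", ".join(missing)
            + " in the CI build configuration"
        )
    return TestCredentials(username=env[USERNAME_VAR], password=env[PASSWORD_VAR])


if __name__ == "__main__":
    creds = load_credentials()
    print("logging in as", creds.masked())
```

In TeamCity the values would be supplied as build parameters prefixed with `env.` (for example `env.SELENIUM_TEST_PASSWORD`) so they reach the test process as environment variables; marking the parameter as a password type keeps it hidden in the build log and UI. Nothing about the credentials lands in the repository, which is the property the answer is after.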
Reputation: 29
One approach that I have used is to execute JavaScript to evaluate things:
<td>storeEval</td>
<td>prompt("What password")</td>
<td>secretPassword</td>
That only really works for user-run stuff via WebDriver though.
You could set up some kind of small AJAX request at the start of the test to http://localhost/credentials.json or similar, which is set up on your CI instance (but not available anywhere else).
Upvotes: 0
Reputation: 1658
As SiKing suggests, the solution is to use a temporary, test-specific password which won't make it into production code. Simples.
Upvotes: 0
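The temporary-user idea from the question (seed a throwaway password into the SQLite database after the test server is up, before the tests run) combined with this accepted answer can be shown end to end. The following is an added example, not code from the thread; it is Python with the standard-library `sqlite3` module so it runs offline, standing in for whatever the C# setup step would do. The `users` table layout and the PBKDF2-HMAC-SHA256 hashing are assumptions, since the page does not show the application's real schema or salted scheme.

```python
import hashlib
import os
import secrets
import sqlite3
import tempfile
from contextlib import closing, contextmanager
from typing import Optional

# Assumed schema; the application's real user table is not shown in the question.
SCHEMA = (
    "CREATE TABLE IF NOT EXISTS users ("
    "username TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)"
)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; an assumed stand-in for the app's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_login(db_path: str, username: str, password: str) -> bool:
    """Mimic the application's login check against the SQLite user table."""
    with closing(sqlite3.connect(db_path)) as conn:
        conn.execute(SCHEMA)
        row = conn.execute(
            "SELECT salt, hash FROM users WHERE username = ?", (username,)
        ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # constant-time comparison of the stored hash against the candidate
    return secrets.compare_digest(hash_password(password, salt), stored)


@contextmanager
def temporary_test_user(db_path: str, username: str = "ci-test-user"):
    """Insert a throwaway user with a fresh random password for one test run,
    hand the credentials to the caller, and delete the user afterwards."""
    password = secrets.token_urlsafe(24)  # generated per run, never committed anywhere
    salt = os.urandom(16)
    with closing(sqlite3.connect(db_path)) as conn:
        conn.execute(SCHEMA)
        conn.execute(
            "INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
            (username, salt, hash_password(password, salt)),
        )
        conn.commit()
    try:
        yield username, password
    finally:
        # Teardown runs even if the Selenium tests fail, so the account never lingers
        with closing(sqlite3.connect(db_path)) as conn:
            conn.execute("DELETE FROM users WHERE username = ?", (username,))
            conn.commit()


def run_demo(db_path: Optional[str] = None) -> dict:
    """Seed the temp user, confirm the login works only while the user exists."""
    if db_path is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_demo(os.path.join(tmp, "app.sqlite"))
    with temporary_test_user(db_path) as (user, pwd):
        during = verify_login(db_path, user, pwd)  # what the Selenium login step would do
        wrong = verify_login(db_path, user, pwd + "x")
    after = verify_login(db_path, user, pwd)  # user removed, credentials now useless
    return {
        "login_ok_during": during,
        "wrong_password_rejected": not wrong,
        "login_ok_after": after,
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the password is minted inside the CI run and the account is deleted when the run ends, nothing secret exists in the repository or in the shipped product, and a leaked copy of the test code gives an attacker no working login. The seeding step would run right after TeamCity brings up the temporary server and before the Selenium suite starts, with the generated credentials passed to the tests in memory or through environment variables rather than written to disk.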