Should I worry about sending plain text passwords with selenium when testing web applications

Question

I am working on a simple Javascript testing with Selenium Webdriver and Mocha scenario which logs into my production site, clears cache from the UI and thereafter logs out of the site.

I understand that sending plain text passwords over https is quite secure, the traffic is encrypted, making eavesdropping and the like much more difficult as opposed to sending plain-text passwords over HTTP. I am not a security expert however, I believe there are still better approaches one can take to securing passwords even at rest.

My question is does one need to be concerned with sending plain text passwords over https using Selenium Webdriver and Mocha. Is this unsafe at some level that I may fail to see?

  it('clear-cache', async function() {
    // Test name: clear-cache
...
    await driver.get("https://www.thisisarealsite.co.za/user/login")
    await driver.findElement(By.id("edit-name")).click()
    await driver.findElement(By.id("edit-pass")).sendKeys("vhghxxxdxeZxxxC8hiap{")
    await driver.findElement(By.id("edit-name")).sendKeys("admin")
    await driver.findElement(By.id("edit-submit")).click()
...
  })

If you have any recommendations or opinions then please let me know as I am newbie.

Additional Info:

"mocha": "^5.2.0",

"selenium-webdriver": "^4.0.0-alpha.1"

pguardiario · Accepted Answer

It's not plaintext when you send over https. In other words, no. You should, however be concerned about leaving that code in a repo.

Actually, if you use --disable-web-security (which people do) you can potentially be exposed to a MITM attack, but it seems unlikely.

Should I worry about sending plain text passwords with selenium when testing web applications

Answers (2)

Related Questions