I'm in search of a method to test multiple roles of an application with a browser. For this question, I need solutions for interactive operation, user assumed to being signed-in.
Target OS would be primarily OS X, but please provide Windows solutions too.
All browsers I'm aware of, store cookies centralized in a browser. If I'm signed-in to a web-app with say role A and then sign-in as role B, role A gets hidden - because most web-apps share a single session token, which identifies user's role.
Do solutions exist, to test two roles in parallel in a browser? A browser, which has different separated identities?
Due to certain reasons, opening two different browsers wouldn't be an option.
Since you're on a Mac, you can use open -n /Applications/BrowserName.app for whichever browser you want (though newer versions of Firefox apparently require slightly more work: https://superuser.com/questions/396434/how-to-open-a-new-firefox-window-with-terminal). This command will open an entirely new instance of the browser each time you run it.
Depending on how you're testing, you may want to clear cookies on browser close, though cookies shouldn't interfere while the browsers are running. (Not tested.)
Just found this:
Firefox has a feature named Profiles. Using Firefox' command line arguments, one can create multiple separated profiles:
E.g. on OS X, the Firefox' Profile Manager opens using this command:
/Applications/Firefox.app/Contents/MacOS/firefox-bin -ProfileManager
To have two different Firefox instances run with different profiles on OS X, one needs to create a copy of the Firefox application.
Still, I'd be happy to learn of solutions for other browsers. Or integrated solution, which doesn't force me to copy the browser app.
Related
I was wondering if anyone had more information on what the specific risks for using chromedriver as was concerned by this statement.
"If possible, run ChromeDriver with a test account that has no access to sensitive local or network data. ChromeDriver should never be run with a privileged account."
Would like to know what the specific risks are when using a privileged account and what if any preventative measures can be taken to protect against them.
Thank you in advance!
How Google Chrome Browser Works
In the article Chrome Browser Security #STEPHANIE CRAWFORD mentioned, Google has leveraged its power as a search engine by creating its Safe Browsing technology which will automatically warn you if Chrome detects that a site you're visiting contains malware or phishing.
Chrome deploys this security measure through a unique security feature termed as Sandboxing. Sandboxing implies, separating each process out into independent spaces to see how they function individually. Chrome handles its workload as a series of multiple processes rather than as part of one large browser process. Each time you open a Web page, Chrome launches one or more new processes to run the scripts on that page. Also, each Chrome extension and app runs in its own process. Chrome implements sandboxing through its multi-process architecture. The security advantage in sandboxing comes with Chrome being able to control the access token for each process. These access token for a process allows that process access to important information about your system, like its files and registry keys. Chrome intercepts each access token from the processes launched from the browser, and it modifies that token to limit its access to that information. So, Chrome's sandboxing helps block web pages that try to install malware, capture your personal information or obtain data from your hard drive. The drawback of sandboxing is that, it can't catch everything. A sandboxed process might still be able to access less secure file systems. It's also likely to miss protecting registry keys and files managed by third party software, like a game or chat program that isn't native to the system.
WebDriver driven Chrome
While initiating a WebDriver controled Chrome Browsing Context using Selenium recently we had been advocating to use a certain command line argument:
--no-sandbox: Disables the sandbox for all process types that are normally sandboxed.
See:
WebDriverException: unknown error: DevToolsActivePort file doesn't exist while trying to initiate Chrome Browser
How to configure ChromeDriver to initiate Chrome browser in Headless mode through Selenium?
unknown error: session deleted because of page crash from unknown error: cannot determine loading status from tab crashed with ChromeDriver Selenium
No Sandbox
There are a couple of more Sandbox related flags available which enables the sandboxed processes to run without a job object assigned to them. This flag is required to allow Chrome to run in RemoteApps or Citrix. This flag can reduce the security of the sandboxed processes and allow them to do certain API calls like shut down Windows or access the clipboard. Also we lose the chance to kill some processes until the outer job that owns them finishes.
--allow-no-sandbox-job: Disables usage of sandbox job.
--allow-sandbox-debugging: Allows debugging of sandboxed processes.
--disable-gpu-sandbox: Disables the GPU process sandbox.
--disable-namespace-sandbox: Disables usage of the namespace sandbox.
--disable-seccomp-filter-sandbox: Disable the seccomp filter sandbox (seccomp-bpf) (Linux only).
--disable-setuid-sandbox: Disable the setuid sandbox (Linux only).
--disable-win32k-lockdown: Disables the Win32K process mitigation policy for child processes.
--enable-audio-service-sandbox: enable the audio service sandbox.
--gpu-sandbox-allow-sysv-shm: Allows shmat() system call in the GPU sandbox.
--gpu-sandbox-failures-fatal: Makes GPU sandbox failures fatal.
--no-sandbox-and-elevated: Disables the sandbox and gives the process elevated privileges (Windows only).
Sandbox
Sandbox leverages the OS-provided security to allow code execution that cannot make persistent changes to the computer or access information that is confidential. The architecture and exact assurances that the sandbox provides are dependent on the operating system.
windows implementation principles:
Do not re-invent the wheel: It is tempting to extend the os kernel with a better security model. Don't. Let the operating system apply its security to the objects it controls. On the other hand, it is just okay to create application-level objects (abstractions) that have a custom security model.
Principle of least privilege: This should be applied both to the sandboxed code and to the code that controls the sandbox. In other words, the sandbox should work even if the user cannot elevate to super-user.
Assume sandboxed code is malicious code: For threat-modeling purposes, we consider the sandbox compromised (that is, running malicious code) once the execution path reaches past a few early calls in the main() function. In practice, it could happen as soon as the first external input is accepted, or right before the main loop is entered.
Be nimble: Non-malicious code does not try to access resources it cannot obtain. In this case the sandbox should impose near-zero performance impact. It's ok to have performance penalties for exceptional cases when a sensitive resource needs to be touched once in a controlled manner. This is usually the case if the OS security is used properly.
Emulation is not security: Emulation and virtual machine solutions do not by themselves provide security. The sandbox should not rely on code emulation, code translation, or patching to provide security.
linux implementation
macos implementation
Do you know any webapps/online tests/online firewalls that are trying to detect if user is using selenium/puppeteer/phantomJS or any other headless browser?
I've created my puppeteer online crawler. I've changed many different stuff like window.navigator object (user-agent, ~.webdriver etc.).
Now I want to make sure that it is undetectable.
There is a headless browser detection test which tests for the following:
Does the User-Agent contain the string "HeadlessChrome"?
Is navigator.webdriver set?
Is window.chrome unset?
Does the browser skip asking for permissions (like notifications)?
Are browser plugins unavailable?
Is navigator.languages unset?
If your browser answers any of these questions with yes, then you fail the test. For more information on the test, check out this post, which is a reply to a post called "Detecting Chrome headless, new techniques".
The author of the latter post also published another test test (code), which claims to be able to detect bots and crawlers. It performs various tests on browser attributes and generates a fingerprint of your browser.
Other "soft" tests done by websites, might include the mouse movement, scrolling behavior, IP address, etc. I doubt you will find many tests regarding these information as this is basically a cat-and-mouse game.
I was asked a question :
Assume I have 4 machines and I need to execute a script in all the machines across all the browsers. How will I achieve that.
I told him the concept of Selenium Grid, where in we could set up a machine which acts like a hub, configure 3 more machines which would act like a node.
Using Desired Capabilities among others we could choose a browser type and version type in that and write a script.
But he asked me two things :
IN all the node machines how do you configure the Windows username and Password if the machine is locked. Can you write windows Authentication in the script.
Can I achieve testing different browser versions of same browser type in a single node?
Can I pass as a the browser type and browser version as a parameter
from hub to the node?
Can someone throw some light on these as I was unable to answer. Thanks.
Question 1: Is it really necessary for the machine to be unlocked for the test to start? The selenium node is a background process that listens for commands, and executes them on the browser, so I do not think this is necessary. If it is necessary due to your specific windows settings however, then no, you cannot do this from the selenium script obviously.
Question 2: Yes, you can test different browser versions of the same type on the same node. You can pass the browser name and version to the node. However, keep in mind that the node cannot know the location of the different browser versions, so you will also have to supply the path to the browser executable for your requested version
I'm trying to test a scenario where two separate users are logged in. As the question states, is this possible with Selenium? I don't if it's browser dependent, but I'm using Chrome.
Selenium (web driver) allows to open several browser windows (e.g. 3 Firefox windows or 1 IE + 1 Firefox +1 Chrome).
In you code you have API to select the desired window (depending how on how you opened it).
Regarding the session handling: that depends on the browser type. Firefox will share the session across multiple windows because it's using a single process. AFAIK IE and Chrome if opened as new processes will not share it, but this of course depends also on how the server is setting the cookie policy for the session.
Access to cookie values in the browser however is domain dependent, so a persistent cookies or local storage can share information even across sessions, so it really depends on how the web application is implemented (or what framework is using - that mostly takes care of such stuff).
If you want complete separation, then take a look at Selenium Grid;https://code.google.com/p/selenium/wiki/Grid2
This would allow you to have the browsers open on different computers while running the test on one machine
I'm writing a suite of applications that all require login to a server. It's come together quite nicely, but I've run into a logistic snag. The nature of the applications require that they be closed and launched again later with some frequency. It is very annoying to have to login every time one of the applications needs to launch.
I'm trying to think of a secure way of perhaps having the login information stored on the local user's machine. Is there a good way to even go about that? Permissions protected config files? The registry? How does Firefox store its passwords? Have you ever had to do something like this?
The suite is more of a protocol than anything, all the applications are written in a variety of languages (Python, C#, Java, etc) and run on a variety of operating systems (Windows, Linux, OSX, etc). I'm not really looking for code examples, but more just general approaches to this problem. Is it wise to have locally stored passwords? How can you have a session login for a suite with such disparate components? Right now I use application.rc config files stored locally to each application, but they are plain text and far from secure.
I'm going with Jeff on this one and assuming that since you mention the registry, you're referring to Windows. I'm also going to assume that you're talking about a desktop application (otherwise you could just use the builtin browser cookies to store the user's session).
Off the top of my head, I'd engineer the application so that when the user logs in to the server, the server returns a unique session id that identifies the authenticated user. I would then store than id along with an salted/encryped timestamp (which gives you the option of expiring the cached credentials).
The storage mechanism is up to you. You could store them in the HKEY_LOCAL_USERS section of the windows registry, or the Application Data folder in Windows. Both give you the option of user segmented storage.
Typically, this sort of thing is done by use of a "cookie"; a key which (securely) indicates that the user has successfully previously logged in to the server resource. This is how most web sites manage login information, and Firefox (all browsers, really) store the cookies that the browsers set on the user login. A few important things about cookies: they should be encrypted, to assure that malicious programs cannot generate one and thereby bypass the login process, they should match to server-kept resources (same reason), and they should age out, so that while you can maintain login information on a site for a while, your login information is not permanent (which is another security hole).
Personally I would use an encrypted local config file with some sort of an ID value of the machine (motherboard ID, Chip ID, HD ID etc) as part of the encryption key so that the config file cant be just copied from one machine to another. I would also include the date and time so you can expire it when you decide it gets stale.
Alternatively, you can create a host exe or launcher that does the log in and then goes to sleep and wake it up each time you want to launch a new application. The host exe would take the application as a parameter and decide whether or not to ask for login credentials (usually when the first app is started and then keep the login user and an encrypted password in memory. When the host exe has exited the login info is forgotten and when you start up again the cycle starts over.)
Tomcat 6 supports persistence/replication of sessions, so you should care about choosing the manager and configure it ;-)
More info: http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html