File:OWASP London 14-Jan-2009 Penetration Testing with Selenium-Yiannis Pavlosoglou v2.pdf

Penetration Testing with Selenium:

Selenium is a web application testing framework often used for unit testing and functional testing during the later parts of web application development. This presentation examines how this tool, in particular the Selenium IDE, can be used for creating security unit tests. By emulating a systematic logon, logoff or browse to a particular location, web application penetration tests can be performed using Selenium. Furthermore, fuzzing payloads can be scripted as inputs for security tests. As a result, issues of holding state, or having valid authentication credentials to test a particular input for, say, Cross Site Scripting (XSS) or SQL Injection can be performed in a much shorter time duration. This presentation will take the audience through the process of setting up, scripting and running Selenium against a vulnerable web application. It's aim is to relay back one successful approach that has been used in the field in order to discover vulnerabilities through stateful fuzzing.