Automated security testing with IBM Security AppScan Enterprise 8.7 and Selenium IDE

Learn how quality assurance testers seeking increased automation within the software development life cycle can leverage IBM® Security AppScan® Enterprise and the Selenium IDE browser plug-in for Firefox to include dynamic application security testing in their functional tests.


Robert Wells (robert.wells@wlfpktek.com), Security Advisor, WolfPack Technologies

Robert Wells is an IT professional with more than 25 years of progressive experience in security architecture and design of complex security solutions. Robert has served in lead technical roles for projects requiring cross-vendor best-of-breed product knowledge, demonstrating broad technical experience with a variety of security products, including DAST, GRC, SCA, DLP, SIEM, and anti-fraud. Robert designs and delivers quality technical solutions to offer high-value ROI for clients seeking to leverage technology in the security space.



02 December 2013


This article is intended for development professionals who want to improve the security of their code, whether to become more well-rounded developers or to pass the gateways for deploying code to upper environments. It also gives quality assurance (QA) professionals a means to security-test code during functional testing, which is particularly effective for discovering vulnerabilities that other security testing methods do not expose. By leveraging Selenium IDE with IBM Security AppScan Enterprise, this process becomes automated and, therefore, simplified. Overall, the software development life cycle (SDLC) is improved.

Selenium IDE

Selenium IDE is an automation tool for web application testing. You install it as a Mozilla Firefox browser plug-in, where it provides an easy-to-use user interface (UI) for recording functional tests.

Installing Selenium IDE

Installation of Selenium IDE is simple: From the Selenium download site, beneath Selenium IDE, select the latest download (see Figure 1). The current release as of this writing is 2.4.0, released on 16 September 2013. Install the plug-in, then allow Firefox to restart.

Figure 1. Selenium IDE installation

Using Selenium IDE: Create a test case

Now, create a simple test case with Selenium IDE using an IBM AltoroMutual site traversal. To do so, complete the following steps:

Warning: From the landing page, you will traverse several site pages, listed in Table 1, entering various values in input fields and performing various actions. It is imperative that you follow along with Table 1 as you perform the traversal.

  1. Invoke the Firefox browser and Selenium IDE plug-in:
    1. Go to the AltoroMutual website login page.
    2. From the Firefox menu, click Tools > Selenium IDE.
    3. Make certain the Base URL in Selenium IDE matches the Firefox browser URL: http://demo.testfire.net/bank/login.aspx.
    4. Make certain that Selenium IDE is recording by verifying that the red record button at the right is enabled.
  2. Begin your session on AltoroMutual:
    1. From Firefox, log in to the AltoroMutual site using the following credentials:
      • User name: jsmith
      • Password: Demo1234
    2. Click Login.
  3. Perform a site traversal:
    1. On the landing page (main.aspx), you see the welcome message Hello John Smith and the View Account Details field prepopulated with the value 1001160140 Checking, as listed in Table 1. Click Go to proceed.
    2. On the Account History page (account.aspx), note that the Balance Detail field is prepopulated with the value 1001160140 Checking.
    3. From the drop-down menu, change this value to 1001160141 Savings, as shown in Table 1, then click Select Account.
    4. Click the Transfer Funds link in the left pane.
    5. On the Transfer Funds page (transfer.aspx), transfer 100.50 from Checking to Savings, then click Transfer Money.

      You see a confirmation message in red text that the transfer was successful.

    6. Click the Contact Us link at the top of page.
    7. Beneath the heading E-mail, click the online form link, which takes you to the Feedback (feedback.aspx) page.
    8. Fill in the form fields with the values shown in Table 1, then click Submit.

      A text message reads Thank You.

    9. Click the Sign Off link, and proceed to the next step. Do not close Firefox.
  4. From the Selenium IDE UI, perform the following steps:
    1. Click the red record button at the right to stop recording.
    2. From the overhead menu, click File > Save As, name the file Altoro-Mutual-Test-Case, and save.
  5. Close Selenium IDE and quit Firefox.

Table 1. Site traversal reference: Tags, fields, and input values

Tag            Field                 Input value                      Action
main.aspx      View Account Details  1001160140 Checking              Go
account.aspx   Balance Detail        1001160141 Savings               Select Account
transfer.aspx  From Account          1001160140 Checking
               To Account            1001160141 Savings
               Amount To Transfer    100.50                           Transfer Money
feedback.aspx  Your Name             John Smith
               Your Email Address    john@ibm.com
               Subject               New Account
               Question/Comments     Please call me at 303.222.1000   Submit
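As an added pre-flight check that is not part of the original article: this Python script parses a saved Selenium IDE 2.x test case (the Selenese HTML table the plug-in writes) and reports which Table 1 inputs were never recorded and whether the case ends with the Sign Off click, so an incomplete recording is caught before it is replayed through the Manual Explorer proxy. The sample test case, its element locators (id=uid and the like) and the helper names are constructed for this example.

```python
"""Check a saved Selenium IDE 2.x test case (Selenese HTML) before replaying it
through the Manual Explorer proxy: every Table 1 input must have been recorded,
and the case must end with Sign Off so the recorded session is closed cleanly."""
import html
import re

# Constructed excerpt of Altoro-Mutual-Test-Case.html as Selenium IDE saves it
# (one <tr> per command: command | target | value). Element locators such as
# id=uid are assumptions. Three Table 1 inputs are deliberately missing so the
# check below has something to catch.
SAMPLE_CASE = """<table><thead><tr><td colspan="3">Altoro-Mutual-Test-Case</td></tr></thead>
<tbody>
<tr><td>open</td><td>/bank/login.aspx</td><td></td></tr>
<tr><td>type</td><td>id=uid</td><td>jsmith</td></tr>
<tr><td>type</td><td>id=passw</td><td>Demo1234</td></tr>
<tr><td>clickAndWait</td><td>name=btnSubmit</td><td></td></tr>
<tr><td>select</td><td>id=listAccounts</td><td>label=1001160141 Savings</td></tr>
<tr><td>clickAndWait</td><td>link=Transfer Funds</td><td></td></tr>
<tr><td>type</td><td>id=transferAmount</td><td>100.50</td></tr>
<tr><td>type</td><td>id=email_addr</td><td>john@ibm.com</td></tr>
<tr><td>clickAndWait</td><td>link=Sign Off</td><td></td></tr>
</tbody></table>"""

# Input values from Table 1 that a complete recording must contain.
TABLE1_VALUES = ["1001160141 Savings", "100.50", "John Smith", "john@ibm.com",
                 "New Account", "Please call me at 303.222.1000"]

# Selenium IDE writes exactly three <td> cells per command row, which is
# regular enough to pick out with a regex rather than a full HTML parser.
ROW_RE = re.compile(r"<tr>\s*<td>(.*?)</td>\s*<td>(.*?)</td>\s*<td>(.*?)</td>", re.S)

def parse_test_case(document):
    """Return (command, target, value) triples from the <tbody> rows."""
    body = document.split("<tbody>", 1)[1].split("</tbody>", 1)[0]
    return [tuple(html.unescape(c).strip() for c in m.groups())
            for m in ROW_RE.finditer(body)]

def missing_inputs(rows, expected=TABLE1_VALUES):
    """Table 1 values never typed or selected. Selenium IDE stores a select
    choice as 'label=<text>', so that prefix is stripped before comparing."""
    recorded = {row[2].split("=", 1)[-1] if row[0] == "select" else row[2]
                for row in rows if row[0] in ("type", "select")}
    return [v for v in expected if v not in recorded]

def ends_with_sign_off(rows):
    """The recording should finish with the Sign Off click (step 3.9 above)."""
    return bool(rows) and rows[-1][:2] == ("clickAndWait", "link=Sign Off")
```

Point parse_test_case at the contents of your own Altoro-Mutual-Test-Case file; a non-empty result from missing_inputs means the feedback.aspx steps were not recorded and the traffic file built from this case would leave those inputs unscanned.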

IBM Security AppScan Enterprise Manual Explorer Tool

Manual Explorer Tool is a feature within IBM Security AppScan Enterprise 8.7. You download it from the IBM Security AppScan Enterprise console and install it as a Windows® executable file. It functions as a recording proxy, allowing you to capture browser traffic and save it in the IBM Security AppScan Enterprise traffic format (.htd). After it is saved, the traffic file can be imported directly into scan jobs using the IBM Security AppScan Enterprise console.

Installing the Manual Explorer tool

To install the tool, simply log in to the IBM Security AppScan Enterprise console and create or edit a scan job. Complete the following steps to download and install the tool to your local machine:

  1. Download the Manual Explorer tool:
    1. Log in to the IBM Security AppScan Enterprise console, and create a new scan job.
    2. Under EXPLORE, click the What to Scan link.
    3. For the Starting URL, enter http://demo.testfire.net/bank/login.aspx. Click Add, then click Apply.
    4. Under Manual Explorer, proceed as if to perform a manual explore using the plug-in, but instead select the Use manual explorer tool or AppScan Standard explore data file option, as shown in Figure 2.
      Figure 2. Downloading the Manual Explorer tool
    5. Click the Download link, and save the Manual Explorer tool executable to your local machine.
    6. Click Cancel at the bottom right, then click Save to save your scan job for later use.
  2. Invoke the installer for ManualExplorerSetup.exe, and follow the prompts to install it locally. See Figure 3.
    Figure 3. The Manual Explorer tool installer
  3. Configure the Manual Explorer tool:
    1. Invoke the Manual Explorer tool.

      Note that it is a small, simple interface with a Record button.

    2. Click File > Preferences.
    3. Set the browser preference to Firefox.
    4. Leave the port at the default 9999.

Capture Selenium IDE test case traffic with the Manual Explorer tool

You now have a test case recorded using Selenium IDE and a means to capture HTTP traffic using the Manual Explorer. In this procedure, you execute your recorded test case against the proxy provided in the form of the Manual Explorer tool, recording the HTTP traffic and saving it in the format the IBM Security AppScan console expects to import for scan jobs.

Capturing Selenium IDE traffic using the Manual Explorer

Complete the following steps to use the Manual Explorer tool to capture a traffic file of your test case, as shown in Figure 4.

Figure 4. Capturing test case traffic with Manual Explorer

  1. Invoke the Manual Explorer tool:
    1. From the Windows Start menu, click Programs > IBM Security AppScan Manual Explorer.
    2. Click Record.

      Note the pop-up window indicating that the proxy is listening on port 9999.

    3. A Firefox browser instance is instantiated.

      Manual Explorer automatically sets up Firefox to use a proxy on port 9999.

  2. Invoke Selenium IDE:
    1. From the Firefox browser window that Manual Explorer instantiated, click Tools > Selenium IDE.
    2. From Selenium IDE, click File > Open, and then choose your Selenium IDE test case, saved as Altoro-Mutual-Test-Case earlier.

      You will see the test case load in the left pane.

    3. Click Play Current Test Case to execute the test case.

      Note that Firefox runs through the sequence of steps on the AltoroMutual website just as recorded in the test case.

    4. Do not close the browser window or the Selenium IDE UI.

Saving traffic files

The following procedure illustrates how to properly save your newly created traffic file:

  1. Close the Selenium IDE UI.
  2. Close the Firefox browser window.
  3. When prompted, save the Manual Explorer traffic file, as shown in Figure 5.
    Figure 5. Saving the traffic file

    The file type is displayed as Http Traffic Data (*.htd).

  4. Name the file Altoro-Mutual-Traffic, then click Save.
  5. Close the Manual Explorer tool.

Executing a scan job using the Selenium IDE test case

The following procedure illustrates how to import the HTTP traffic file representing your Selenium IDE test case into a scan job for execution.

Import the traffic file as a scan job

Upload the newly created traffic file to IBM Security AppScan Enterprise using the console:

  1. Log on to the IBM Security AppScan Enterprise console and edit your scan job.
  2. Under EXPLORE, click the What to Scan link.
  3. Under Manual Explorer, proceed as if you were performing a manual explore using the plug-in, but instead select the Use manual explorer tool or AppScan Standard explore data file option.
  4. Click Choose File, and select the traffic file Altoro-Mutual-Traffic.htd from your local machine.
  5. Click Import.

    The Manually Explored URLs page appears, as shown in Figure 6.

    Figure 6. Manual Explorer URLs
  6. Click Save.

    The Automatic Form Fill Fields page appears.

  7. Click Save.

You now have saved your traffic file from the Manual Explorer tool in the scan job content for manually explored URLs.


So what's the point?

Security testing is now integrated into the SDLC. QA testers can leverage Selenium IDE to run their test cases and while doing so perform security checks inside the process. This means that the organization's security team will have more time to spend actually addressing the vulnerabilities and spend less time on the administrative tasks associated with running web application scans. It also means that the organization will benefit from a more comprehensive sweep of web applications for security vulnerabilities, resulting in a greatly decreased vulnerability footprint.

Figure 7 illustrates the issues discovered from the Selenium IDE test case.

Figure 7. Scan job security issues

Conclusion

This article explained how to couple automated functional testing of web applications with DAST in a few manual steps. Selenium IDE is an enabling technology for QA testers and developers that allows functional test sessions in the web application to be recorded for later replay. Instead of manually testing the web application functions every time a change is made, you can simply run the Selenium IDE test case again. Further, you can create multiple functional tests with Selenium IDE and execute them in order as an entire test suite. This is a powerful tool for automation.

