Automated security testing with IBM Security AppScan Enterprise 8.7 and Selenium IDE
This article is intended for development professionals who want to improve the security of their code, whether to become more well-rounded developers or to pass the security gateways required for code deployment to upper environments. It also gives quality assurance (QA) professionals a way to test code for security during functional testing, which is particularly effective at discovering vulnerabilities that other security testing methods do not expose, because the recorded test exercises the application's real workflows, including pages behind the login. Using Selenium IDE together with IBM Security AppScan Enterprise automates this process and therefore simplifies it, improving the software development life cycle (SDLC) as a whole.
Selenium IDE is an automation tool for web application testing. You install it as a Mozilla Firefox browser plug-in, where it provides an easy-to-use user interface (UI) for recording functional tests.
Installing Selenium IDE
Installation of Selenium IDE is simple: From the download site (see Related topics for a link), beneath Selenium IDE, select the latest download (see Figure 1). The current tag as of this writing is 2.4.0, released on 16 September 2013. Install the plug-in, then allow Firefox to restart.
Figure 1. Selenium IDE installation
Using Selenium IDE: Create a test case
Now, create a simple test case with Selenium IDE by traversing the AltoroMutual demo banking site (demo.testfire.net). To do so, complete the following steps:
- Invoke the Firefox browser and the Selenium IDE plug-in:
- Go to the AltoroMutual website login page.
- From the Firefox menu, click Tools > Selenium IDE.
- Make certain that the Base URL in Selenium IDE matches the URL in the Firefox browser.
- Make certain that Selenium IDE is recording by verifying that the red record button at the right is enabled.
- Begin your session on AltoroMutual:
- From Firefox, log in to the AltoroMutual site using the following credentials:
- User name: jsmith
- Password: Demo1234
- Click Login.
- Perform a site traversal:
- On the landing page (main.aspx), you see the welcome message Hello John Smith, and the View Account Details field is prepopulated with the value 1001160140 Checking, as listed in Table 1. Click Go to proceed.
- On the Account History page (account.aspx), note that the Balance Detail field is prepopulated with the value 1001160140 Checking.
- From the drop-down menu, change this value to 1001160141 Savings, as shown in Table 1, then click Select Account.
- Click the Transfer Funds link in the left pane.
- On the Transfer Funds page (transfer.aspx), transfer 100.50 from Checking to Savings, then click Transfer Money.
You see a confirmation message in red text that the transfer was successful.
- Click the Contact Us link at the top of page.
- Beneath the heading E-mail, click the online form link, which takes you to the Feedback (feedback.aspx) page.
- Fill in the form fields with the values shown in Table 1, then click Submit.
A text message reads Thank You.
- Click the Sign Off link, and proceed to the next step. Do not close Firefox.
- From the Selenium IDE UI, perform the following steps:
- Click the red record button at the right to stop recording.
- From the overhead menu, click File > Save As, name the file Altoro-Mutual-Test-Case, and save.
- Close Selenium IDE and quit Firefox.
Table 1. Site traversal reference: Tags, fields, and input values
| Page (tag) | Field | Input value | Action |
|---|---|---|---|
| main.aspx | View Account Details | 1001160140 Checking | Go |
| account.aspx | Balance Detail | 1001160141 Savings | Select Account |
| transfer.aspx | From Account | 1001160140 Checking | |
| transfer.aspx | To Account | 1001160141 Savings | |
| transfer.aspx | Amount To Transfer | 100.50 | Transfer Money |
| feedback.aspx | Your Name | John Smith | |
| feedback.aspx | Your Email Address | firstname.lastname@example.org | |
| feedback.aspx | Question/Comments | Please call me at 303.222.1000 | Submit |
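Selenium IDE 2.x saves a recorded test case as an HTML table (Selenese) in which each row holds a command, a target locator and a value. Because the scan job built from the recorded traffic can only test the pages and parameters that the test case actually exercises, it is worth inspecting the file before you replay it through the proxy. The following script is an added example, not code from the article or from IBM: it embeds a constructed Selenese transcript of the Table 1 traversal and reports what it touches. The element locators in the sample (id=uid, id=listAccounts, id=transferAmount and so on) are assumptions about the AltoroMutual markup and should be compared with what Selenium IDE really records.

```python
"""Report what a Selenium IDE 2.x test case exercises, so you know which pages
and parameters the traffic recorded through Manual Explorer can give AppScan."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of the HTML (Selenese) file Selenium IDE 2.x writes for the
# Table 1 traversal. The element locators (id=uid, id=listAccounts, ...) are
# assumptions about the AltoroMutual markup; compare with what IDE records.
ALTORO_TEST_CASE = """\
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://selenium-ide.openqa.org/profiles/test-case">
<link rel="selenium.base" href="http://demo.testfire.net/" />
</head><body>
<table cellpadding="1" cellspacing="1" border="1">
<thead><tr><td rowspan="1" colspan="3">Altoro-Mutual-Test-Case</td></tr></thead>
<tbody>
<tr><td>open</td><td>/bank/login.aspx</td><td></td></tr>
<tr><td>type</td><td>id=uid</td><td>jsmith</td></tr>
<tr><td>type</td><td>id=passw</td><td>Demo1234</td></tr>
<tr><td>clickAndWait</td><td>name=btnSubmit</td><td></td></tr>
<tr><td>clickAndWait</td><td>id=btnGetAccount</td><td></td></tr>
<tr><td>select</td><td>id=listAccounts</td><td>label=1001160141 Savings</td></tr>
<tr><td>clickAndWait</td><td>id=btnGetAccount</td><td></td></tr>
<tr><td>clickAndWait</td><td>link=Transfer Funds</td><td></td></tr>
<tr><td>select</td><td>id=fromAccount</td><td>label=1001160140 Checking</td></tr>
<tr><td>select</td><td>id=toAccount</td><td>label=1001160141 Savings</td></tr>
<tr><td>type</td><td>id=transferAmount</td><td>100.50</td></tr>
<tr><td>clickAndWait</td><td>id=transfer</td><td></td></tr>
<tr><td>clickAndWait</td><td>link=Contact Us</td><td></td></tr>
<tr><td>clickAndWait</td><td>link=online form</td><td></td></tr>
<tr><td>type</td><td>id=name</td><td>John Smith</td></tr>
<tr><td>type</td><td>id=email_addr</td><td>firstname.lastname@example.org</td></tr>
<tr><td>type</td><td>id=comments</td><td>Please call me at 303.222.1000</td></tr>
<tr><td>clickAndWait</td><td>name=btnSubmit</td><td></td></tr>
<tr><td>clickAndWait</td><td>link=Sign Off</td><td></td></tr>
</tbody></table>
</body></html>
"""


class SeleneseParser(HTMLParser):
    """Collect the base URL and every three-cell (command, target, value) row."""

    def __init__(self):
        super().__init__()
        self.base_url = ""
        self.rows = []      # finished (command, target, value) tuples
        self._row = None    # cells of the <tr> being read, or None
        self._cell = None   # text of the <td> being read, or None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("rel") == "selenium.base":
            self.base_url = attrs.get("href", "")
        elif tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = ""

    def handle_data(self, data):
        if self._cell is not None:
            self._cell += data

    def handle_endtag(self, tag):
        if tag == "td" and self._row is not None:
            self._row.append(self._cell.strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) == 3:     # the one-cell title row is not a step
                self.rows.append(tuple(self._row))
            self._row = None


def coverage(selenese):
    """Return the URLs opened, the navigation clicks and the inputs filled in."""
    parser = SeleneseParser()
    parser.feed(selenese)
    report = {"base_url": parser.base_url, "steps": len(parser.rows),
              "pages": [], "navigations": [], "inputs": []}
    for command, target, value in parser.rows:
        if command in ("open", "openAndWait"):         # explicit URL
            report["pages"].append(urljoin(parser.base_url, target))
        elif command in ("click", "clickAndWait"):     # page reached by a click
            report["navigations"].append(target)
        elif command in ("type", "select", "check"):   # a parameter the scan can attack
            report["inputs"].append((target, value))
    return report


if __name__ == "__main__":
    r = coverage(ALTORO_TEST_CASE)
    print(f"{r['steps']} steps against {r['base_url']}")
    print("explicit opens:", *r["pages"], sep="\n  ")
    print("navigation clicks:", *r["navigations"], sep="\n  ")
    print("inputs exercised:", *(f"{t} = {v}" for t, v in r["inputs"]), sep="\n  ")
```

Only the login page appears as an explicit open; every other page is reached by a click, so the test case file alone does not tell you the final URL list. The authoritative list of what AppScan will test is the Manually Explored URLs page shown after the traffic file is imported, and the two lists should agree. Note also that the transfer and feedback steps are state-changing requests: the scanner replays and mutates them, so replay the test case only against test accounts and test environments.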
IBM Security AppScan Enterprise Manual Explorer Tool
Manual Explorer Tool is a feature of IBM Security AppScan Enterprise 8.7. You download it from the IBM Security AppScan Enterprise console and install it as a Windows® executable file. It functions as a local HTTP proxy: the browser it launches sends its traffic through the tool, which records the HTTP traffic and saves it in the IBM Security AppScan Enterprise .htd format. After it is saved, the traffic file can be imported directly into scan jobs from the IBM Security AppScan Enterprise console.
Installing the Manual Explorer tool
To install the tool, simply log in to the IBM Security AppScan Enterprise console and create or edit a scan job. Complete the following steps to download and install the tool to your local machine:
- Download the Manual Explorer tool:
- Log in to the IBM Security AppScan Enterprise console, and create a new scan job.
- Under EXPLORE, click the What to Scan link.
- For the Starting URL, enter http://demo.testfire.net/bank/login.aspx. Click Add, then click Apply.
- Under Manual Explorer, proceed as if to perform a manual explore using the plug-in, but instead select the Use manual explorer tool or AppScan Standard explore data file option, as shown in Figure 2.
Figure 2. Downloading the Manual Explorer tool
- Click the Download link, and save the Manual Explorer tool executable to your local machine.
- Click Cancel at the bottom right, then click Save to save your scan job for later use.
- Invoke the installer for ManualExplorerSetup.exe, and follow the prompts to install it locally. See Figure 3.
Figure 3. The Manual Explorer tool installer
- Configure the Manual Explorer tool:
- Invoke the Manual Explorer tool. Note that it has a small, simple interface with a Record button.
- Click File > Preferences.
- Set the browser preference to Firefox.
- Leave the port at the default 9999.
Capture Selenium IDE test case traffic with the Manual Explorer tool
You now have a test case recorded using Selenium IDE and a means to capture HTTP traffic using the Manual Explorer tool. In this procedure, you replay your recorded test case through the proxy provided by the Manual Explorer tool, which records the HTTP traffic and saves it in the format the IBM Security AppScan console expects to import into scan jobs.
Capturing Selenium IDE traffic using the Manual Explorer
Complete the following steps to use the Manual Explorer tool to capture a traffic file of your test case, as shown in Figure 4.
Figure 4. Capturing test case traffic with Manual Explorer
- Invoke the Manual Explorer tool:
- From the Windows Start menu, click Programs > IBM Security AppScan Manual Explorer.
- Click Record. Note the pop-up window indicating that the proxy is listening on port 9999.
- A Firefox browser instance is started. Manual Explorer automatically configures Firefox to use the proxy on port 9999.
- Invoke Selenium IDE:
- From the Firefox browser window that Manual Explorer started, click Tools > Selenium IDE.
- From Selenium IDE, click File > Open, and then choose the Selenium IDE test case you saved earlier. You will see the test case load in the left pane.
- Click Play Current Test Case to execute the test case. Note that Firefox runs through the sequence of steps on the AltoroMutual website just as recorded in the test case, and that every request passes through the Manual Explorer proxy.
- Do not close the browser window or the Selenium IDE UI.
Saving traffic files
The following procedure illustrates how to properly save your newly created traffic file:
- Close the Selenium IDE UI.
- Close the Firefox browser window.
- When prompted, save the Manual Explorer traffic file, as shown in Figure 5.
Figure 5. Saving the traffic file
The file type is displayed as Http Traffic Data (*.htd).
- Name the file Altoro-Mutual-Traffic, then click Save.
- Close the Manual Explorer tool.
Executing a scan job using the Selenium IDE test case
The following procedure illustrates how to import the HTTP traffic file representing your Selenium IDE test case into a scan job for execution.
Import the traffic file as a scan job
Upload the newly created traffic file to IBM Security AppScan Enterprise using the console:
- Log on to the IBM Security AppScan Enterprise console and edit your scan job.
- Under EXPLORE, click the What to Scan link.
- Under Manual Explorer, proceed as if you were performing a manual explore using the plug-in, but instead select the Use manual explorer tool or AppScan Standard explore data file option.
- Click Choose File, and select the traffic file Altoro-Mutual-Traffic.htd from your local machine.
- Click Import.
The Manually Explored URLs page appears, as shown in Figure 6.
Figure 6. Manual Explorer URLs
- Click Save.
The Automatic Form Fill Fields page appears.
- Click Save.
You have now saved the traffic file from the Manual Explorer tool in the scan job as its manually explored URL content.
So what's the point?
Security testing is now integrated into the SDLC. QA testers run their Selenium IDE test cases as usual and, by replaying them through the Manual Explorer proxy, produce the traffic file a scan job needs, so security checks happen inside the existing functional-test process. The organization's security team spends more time actually addressing the vulnerabilities found and less time on the administrative tasks associated with running web application scans. Because the scan follows the application's real workflows, including the pages behind the login, it sweeps the web application more thoroughly than an unauthenticated crawl alone. Two caveats apply. First, the scan can only test the pages and parameters that the recorded test cases actually exercise, so the functional test suite's coverage bounds the scan's coverage. Second, the scanner replays and mutates the recorded requests, including state-changing ones such as the funds transfer and the feedback form, so run it only against test accounts and test environments.
Figure 7 illustrates the issues discovered from the Selenium IDE test case.
Figure 7. Scan job security issues
This article explained how to couple automated functional testing of web applications with dynamic application security testing (DAST) in a few manual steps. Selenium IDE is an enabling technology for QA testers and developers that records functional test sessions in the web application for later replay. Instead of manually testing the web application's functions every time a change is made, you simply run the Selenium IDE test case again. Further, you can create multiple functional tests with Selenium IDE and execute them in order as an entire test suite. This is a powerful tool for automation.
Related topics
- Read the article IBM Security AppScan Enterprise 8.7 now available for more information about this latest release.
- Check out the developerWorks article "Introduction to Manual Explorer in IBM Security AppScan Enterprise 8.7" (developerWorks, May 2013) and get to know more about the Manual Explore tool in version 8.7.
- Find more information on Selenium IDE at the official Selenium site, including detailed documentation.
- Visit the Security On developerWorks blog to learn about new security-related how-to guides, articles, and demo videos.
- Follow @dwsecurity to get updates from the developerWorks security zone in real time.
- Download Selenium IDE.
- Download a product trial of IBM Security AppScan Enterprise 8.7.