Does Selenium IDE subvert the Firefox plugin security?


OSUserNYC

May 13, 2015, 9:55:12 AM5/13/15
to selenium-...@googlegroups.com
Hi All,

Our firm's security team has expressed concern that Selenium IDE can bypass
Firefox security mechanisms, i.e. an end user might be able to install other
third-party plugins etc.

My initial review after installing the plugin is that Selenium IDE acts
'normally' as any other regular Firefox plugin.

Can any maintainer of IDE express their views on this topic? This will
help to alleviate the concerns of our security team.

Best regards

Andreas Tolfsen

May 13, 2015, 10:07:41 AM5/13/15
to selenium-...@googlegroups.com
On 13 May 2015, at 14:47, OSUserNYC <OSUs...@gmail.com> wrote:
> Our firm's security team has expressed concern that Selenium IDE can bypass
> Firefox security mechanisms, i.e. an end user might be able to install other
> third-party plugins etc.
>
> My initial review after installing the plugin is that Selenium IDE acts
> 'normally' as any other regular Firefox plugin.

As far as I know, IDE itself is not any different from any other plugin, although it's obviously not security-reviewed by Mozilla.

During test runtime, all of Selenium RC, WebDriver, and IDE bypass various security mechanisms. In fact, many of the WebDriver implementations go a step further and give you access to browser internals.

For this reason you shouldn't run your Selenium servers on a public IP range; you should ensure they bind only to the local network interface, and protect your IP subnet.

In practice this isn’t usually a problem since you run your tests against temporary browser profiles and inside a firewall.

> Can any maintainer of IDE express their views on this topic? This will
> help to alleviate the concerns of our security team.

I should note that I don’t know IDE very well so my observations about it might be wrong.

osus...@gmail.com

May 18, 2015, 12:48:45 PM5/18/15
to selenium-...@googlegroups.com
Thanks ato.

It will be nice to have a comment from an IDE committer on this.

David Burns

May 19, 2015, 12:45:27 PM5/19/15
to selenium-...@googlegroups.com
Hi, 

Disclosure: I am a platform engineer at Mozilla and a Selenium committer.

All Firefox addons have the ability to circumvent Firefox security controls if they really wanted to be malicious. The IDE speaks to the content page and gets the result. There are no exposed APIs to content pages and no mechanisms for external machines to speak to the IDE without the IDE having been tampered with beforehand.

I would be more worried about other security issues with malicious pages than hypothetical security issues with the IDE.

David
