Re: Security issues in Selenium


Arran

Mar 22, 2013, 5:41:39 AM
to seleniu...@googlegroups.com
No.

On Thursday, 21 March 2013 13:59:37 UTC, Yossi Hassan wrote:

Hey all

I'm new to Selenium and wanted to know if any of you are familiar with any known security issues in Selenium?

Thanks

Peter van der Leek

Mar 22, 2013, 5:48:48 AM
to seleniu...@googlegroups.com

I recently discovered that Selenium has a function to do a native key press (“keyUpNative”) which will basically send a keycode to Windows. The application that has focus at that very moment receives the keycode.

So this doesn’t necessarily have to be the browser under test…

I would consider that a security issue, and am wondering how you feel about that.

Kind regards,

Peter van der Leek

--
You received this message because you are subscribed to the Google Groups "Selenium Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to selenium-user...@googlegroups.com.
To post to this group, send email to seleniu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/selenium-users/-/WifoX0u0Vn8J.
For more options, visit https://groups.google.com/groups/opt_out.

Simon Stewart

Mar 25, 2013, 7:11:07 AM
to seleniu...@googlegroups.com
That's implemented via Java's AWT Robot. If you're concerned about that, then the proper thing to be reviewing is Java, not Selenium (also, that's the RC API, which is in maintenance mode). It's no worse than any other testing tool out there (e.g. QTP or testing via accessibility APIs such as White).

How do I feel about it? Pretty relaxed. The selenium server should only be run on a subset of machines, and the users of these machines must be trusted. You can limit the ports that the server listens on, which prevents remote execution. The functionality we rely on to implement that particular API is provided either by third party software (Java, or official Windows APIs) or baked into browsers deliberately and hidden behind flags (e.g. native events in Chrome and Opera).

Really, if you're doing automated testing on a machine, you're going to have to trust the users of that machine.

Regards,

Simon
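Peter's point is that a native key event goes to whatever window has focus on the machine running the server, and Simon's answer is that exposure is governed by where the server listens and who can reach it. As an added example (not code from this thread, and not part of the Selenium project), here is a small Python check a defender can run on a test host: it parses `ss -ltn` style output and flags any socket on the Selenium server port that is bound to something other than a loopback address. It assumes the server is on Selenium's default port 4444 (pass a different set if yours is changed), and the sample `ss` output is constructed.

```python
"""Flag Selenium server listeners reachable from other hosts.

Added example, not code from the mailing-list thread or from the Selenium
project. Parses `ss -ltn` style output and reports sockets on the Selenium
server port that are bound to a non-loopback address.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

# Assumption: the server runs on Selenium's default port 4444.
DEFAULT_SELENIUM_PORTS: FrozenSet[int] = frozenset({4444})

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      0.0.0.0:4444         0.0.0.0:*
LISTEN  0       50      127.0.0.1:4444       0.0.0.0:*
LISTEN  0       128     [::]:4444            [::]:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
"""


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    def is_loopback_only(self) -> bool:
        """True only when the socket cannot be reached from another host."""
        if self.address == "*":  # ss prints '*' for an unspecified address
            return False
        try:
            return ipaddress.ip_address(self.address).is_loopback
        except ValueError:
            return False  # unparseable address: fail closed, treat as exposed


def parse_ss_listeners(ss_output: str) -> List[Listener]:
    """Extract (address, port) pairs from LISTEN rows of `ss -ltn` output."""
    listeners: List[Listener] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        addr, _, port = local.rpartition(":")  # split on the last ':' (IPv6 safe)
        if not port.isdigit():
            continue
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def find_exposed_listeners(
    ss_output: str, ports: FrozenSet[int] = DEFAULT_SELENIUM_PORTS
) -> List[Listener]:
    """Return Selenium-port listeners that are bound beyond loopback."""
    return [
        listener
        for listener in parse_ss_listeners(ss_output)
        if listener.port in ports and not listener.is_loopback_only()
    ]


if __name__ == "__main__":
    for listener in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: Selenium port {listener.port} bound to {listener.address}")
```

On a real host, feed the output of `ss -ltn` to `find_exposed_listeners` instead of the constructed sample; an empty result means the server is only reachable by users already logged on to that machine, which is exactly the trust boundary Simon describes.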

Peter van der Leek

Mar 25, 2013, 11:32:32 AM
to seleniu...@googlegroups.com

Hi Simon,

Thank you for the explanation. I wasn’t worried about it, we’ve got our company security in place :)

But as I think it might be considered a security risk and the topic starter asked about that, I felt free to throw it out there.

Kind regards,

Peter van der Leek

Simon Stewart

Mar 25, 2013, 3:49:43 PM
to seleniu...@googlegroups.com
Good point. I hope I explained it clearly enough without sounding blasé :)

Simon

Mike Riley

Apr 2, 2013, 8:51:10 PM
to seleniu...@googlegroups.com
I had similar issues due to the frequent releases.  Supposedly any software brought into the company had to be approved by our IT group.

I handled it by doing my own internal releases.  I would test new releases on my system and if we needed to update to a version for Firefox support we would do an update then, or if it fixed a bug we were running into.

If test environments are kept isolated from the company network it really shouldn't be an issue.

Mike

Simon Stewart

Apr 3, 2013, 11:31:00 AM
to seleniu...@googlegroups.com
We're slowing down to an almost 6 week release cycle now (in sync with Firefox), so things might get easier. I'm more than happy to keep your IT chaps on their toes with more frequent releases, though :)

Simon

Mike Riley

Apr 3, 2013, 5:12:46 PM
to seleniu...@googlegroups.com
I don't work there any more, so go ahead and speed it up.  ;)

Mike