All Posts

2 posts

Automate On-Demand Reporting with Selenium

The Terminator exposed it, the DARPA Grand Challenge rewards it, and Selenium puts its future in your hands. "It" is man versus machine… well, sort of. With Selenium, you are in control. Why link Selenium to the Terminator? Because it is that powerful.

What is Selenium? Their homepage says it best, "Selenium automates browsers." For more information on how Selenium relates to Qualys, check out our WAS guru, Jason’s, excellent blog post.

As explained in the blog post above, Selenium scripts are often used to automate complex web app interactions such as authentication when scanning them via QualysGuard Web Application Scanning.  Here we introduce a different use-case where we automate a QualysGuard subscriber’s interaction with the QualysGuard Vulnerability Management user interface, in order to demonstrate a best practice and make it easy to adopt — simply by running a Selenium script.

Make it happen

In a previous blog post about customizing Scorecard Reports, a fellow community member came up with a pretty good list of criteria of vulnerabilities to watch out for. Let’s take a closer look at creating a dynamic search list tailored to externally facing hosts. For such hosts, an initial starting point for discovering their "worst off the worst" vulnerabilities are those with the following criteria:

  • Remote (no authentication necessary) vulnerability.
  • Associated with a penetration testing toolkit (such as CORE or Exploit-DB).
  • Confirmed, severity 5 (easy segue to "game over").

Now I can show you screen shots of how to create this, but it’s so much easier to just create a Selenium script — by the way, it’s easier for you to run the script, too!

  1. Install Firefox and the Selenium IDE extension.
  2. Download the Selenium scripts from the bottom of the script document.
  3. Open Firefox, log in to QualysGuard. While in QualysGuard, make sure you do not already have a search list with the name, "Remote exploit-available confirmed sev5 (Selenium)", or the script will error out.
  4. From Firefox, Tools menu –> Selenium IDE
  5. From Selenium IDE, File –> Open –> Open test case –> "create/Selenium test case, QualysGuard, create dynamic search list – remote exploit-available confirmed sev5.html". Check out the source, it is commented so you can see how it breaks apart building the search list.
  6. Optional step. The script works at any speed, but if you would like to actually watch it work, I recommend slowing the execution down. Drag the speed bar from Fast to Slow so it’s easier to follow the script.
    selenium - fast to slow
  7. We are ready to run the script, also known as a test case in Selenium. Click on the "Play current test case" button. (Note this will play the test case that is shown in the right column under "Table | Source".)
    selenium - play current
  8. Congratulations! You now have the dynamic search list we architected from our example. It’s called "Remote exploit-available confirmed sev5 (Selenium)".

You should see the dynamic search list under the "Search Lists" subtab (blue bar).

search list name

Note the criteria is optimized for externally facing hosts, as we described above:

search list criteria

Make it actionable

Pretty neat stuff, huh? But a search list on its own is not the most useful. Let’s create a report template that builds on it. Scratch that, let’s automate building of a report template that uses it.

  1. Make sure you are still logged into QualysGuard inside of Firefox.
  2. The test case creates a report template named "Remote exploit-available confirmed sev5 (Selenium)". So you want to make sure you do not already have a report template with the same name.
  3. Load up the test case ("create/Selenium test case, QualysGuard, create report – remote exploit-available confirmed sev5.html") in the Selenium IDE. Check out the source, it is commented to explain how it accomplishes building the report.
  4. Run it! It works at any speed.

After the test case completes, you will have a report template that uses the dynamic search list we just created.

report template name

Note the template filters against the search list we just created:

report template filters

Make it easy

Now that we have built individual test cases for creating a search list and report template, let’s merge them into one step. Rather than copy and pasting the rows from one script into another, the Selenium IDE offers a much cleaner way via test suites.

Test suites offer a more coupled integration of test cases. This enables visible separation for troubleshooting individual test cases, while remaining transparently functional as a whole to the user. When we want to run a test suite, we click a different button from the Selenium IDE:

selenium play suite

Let’s get started on running one together.

  1. Confirm you are still logged into QualysGuard.
  2. Before we recreate the report template and search list, we will need to delete the existing ones, as QualysGuard requires unique names of each. You can either delete them manually, or run the test suite, "Selenium test suite, QualysGuard, delete remote exploit-available confirmed sev5 report.html" that does it for you — try it, it’s not just for the lazy! Remember to click on the play button with multiple lines to its right, and it will delete both the report template and the search list.
  3. Open the test suite, "Selenium test suite, QualysGuard, create remote exploit-available confirmed sev5 report" that combines the above test cases.
  4. Run the entire suite. It will start to create the search list from the first test case, and then automatically progress to create the report template from the second test case.
  5. Congrats! You now have both a search list and report template. Easy, huh?

Make yours the next big hit

Now that we are able to create search lists and report templates associated with those search lists in one simple step, what’s next? Collaborate! Share your favorite search list, or report template, or both. Feel free to comment the criteria, or QIDs (one can also automate creation of static search lists, too).

If you are feeling ambitious, and want to create Selenium scripts of these reports, feel free to modify the ones we demoed. I am here to help if you have questions, just comment on this post. To get things started, I shared one more test suite that you may find useful (great for creating policies in Remediation):

Dynamic search lists: Confirmed severity 5, 4, and 3

You can find the above script (and more to come!) by searching for the tag, selenium_script. Help us grow QualysGuard automation by contributing! If you need help or have a request, just comment on this post… I’ll be back.

How to Enhance Web Application Scanning with Selenium

selenium-ide-logoSelenium IDE is an integrated development environment for Selenium scripts. It is an open-source tool implemented as a Firefox extension that allows you to record, edit, replay and debug tests. You can use it to record yourself performing an activity such as clicking a series of buttons or logging into a web site, and QualysGuard WASv2 will play the recording back at the appropriate time as part of a web application scan.

Where do you get Selenium IDE?

Go to http://seleniumhq.org and download the IDE that works with your platform.

How do I use Selenium IDE?
We suggest watching these two short videos on installing and using Selenium. After watching these, it will be easy to see how to best use Selenium IDE for authentication and for crawling complex environments.

Video: Selenium Introduction

Video: Integration of Selenium in QualysGuard WAS

When is it most appropriate to use Selenium IDE?

Authentication is often the biggest use of Selenium we see.  Making machines operate correctly with applications that were designed for human interaction can be difficult.  It is often simple for a human to determine where the username and password fields are in an application, in addition to the login or submit buttons.  Often times, however, you want to go deeper into the application and you need to navigate past a form to get there.

I like to use the example of purchasing an airline ticket.  The first thing you will need is the date of departure.  This date cannot be in the past, and cannot be too far into the future.  The other things you might need to know is where to start and end, these places must have airports.  All of this is pretty simple for a human to figure out, but not so easy for a machine.  So, recording the date of departure, start and end cities, and initiating the search, allows for the most interactivity and allows for the scanner to reach much further into the web application.

Now that you can authenticate more simply to the web site, and navigate further into the application, you are truly making the scanner do what you need it to do.