SeleniumHQ / selenium-ide

Open Source record and playback test automation for the web.
https://selenium.dev/selenium-ide/
Apache License 2.0

Encrypt recorded passwords #707

Open darkartswizard opened 5 years ago

darkartswizard commented 5 years ago

🚀 When recording against a masked input field, encrypt the entered data and decrypt it on playback.

Motivation

When demonstrating Selenium IDE, the most basic feature is often logging into a website with user credentials. If the new user logs in with personal credentials rather than test account credentials, the password is recorded in the clear and exported in code. This can make recording training demos difficult to do without revealing passwords to outside sources. It can also force a user to reset a password as a consequence, making for a bad user experience.

Example

1) Begin recording with www.sears.com as base site (Any major online eCommerce site will do)
2) Hover over 'Sign In' in top menu bar
3) Click 'Join for free'
4) Enter 'abcd1234' as the password
5) Stop recording and examine the steps.
Result: The password is displayed in the clear as input in the 'type' steps.

5) Save the test project
Result: The password is displayed in the clear in the .side file.

6) Export the test code.
Result: The password is displayed in the clear in the code.
Result: The password is displayed in the clear in the comments if 'Include Origin tracing code comments' was selected for code export.

This can also make users uncomfortable with the security of the tool as a whole, impacting widespread adoption over other tools with this capability. (Note: I checked Katalon Recorder and they also display masked passwords in the clear. Chances are they monitor this slack channel, so beat them to the punch.)


corevo commented 5 years ago

Encrypting the passwords from within the IDE won't necessarily make them secure unless the user specifies a decryption key when creating the project; if the user does not, then using a default one will lead to an immediate breach of data, which is the same as not encrypting at all.

That being said, I like the idea of setting a secret when creating a Selenium IDE project, and you would have to put that secret in every time you open the project. This will allow read/write access to the data. Of course, this solution helps to protect the file, and not the IDE itself, as the communication with the browser will still be in plain text (as the WebDriver protocol is not secure by default, thus unreliable).

In the meantime, if I may offer a workaround, we have a plugin system that allows you to set the variables in the test, so you could feed the data from your own third-party plugin that can facilitate a secure channel to your secrets. In the future this could also be the way to go, as you would be able to load secrets this way from password managers and the like, thus diminishing the IDE's built-in feature.

ngstigator commented 4 years ago

@corevo can a plugin use browser.runtime.sendMessage() to make data available as a variable in Selenium IDE?

tourdedave commented 4 years ago

> @corevo can a plugin use browser.runtime.sendMessage() to make data available as a variable in Selenium IDE?

Yes. I don't see it listed in the docs though.

https://github.com/SeleniumHQ/selenium-ide/blob/v3/packages/selenium-ide/src/api/v1/playback.js#L62-L76

ngstigator commented 4 years ago

@tourdedave thanks for the clarification!

I'm using your file-uploader plugin as reference. Can you please confirm that your implementation of sendMessage() still works? That plugin is not working the same way as demonstrated in your video, and I'm not enough of a React developer to figure out the issue :-)