mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Implement the concept of pages into the web scan scripting #572

Closed Jeeppler closed 3 years ago

Jeeppler commented 3 years ago

A form-based login can involve more than one page. In this case, on page 1 (step 1) the user enters their username and on the second page (step 2) the password.

(image: two_step_login)

The core concept is that the user writes a script for each page. Each page contains its actions:

{
  "apiVersion": "1.0",
  "server": "https://sechub.example.org",
  "project": "test",
  "webScan": {
    "uris": ["https://example.org"],
    "login": {
      "url": "https://example.org/login",
      "form": {
        "script": [
          {
            "page": [
              {
                "action": "username",
                "selector": "#username",
                "value": "myuser"
              },
              {
                "action": "click",
                "selector": "#next",
                "description": "Go to the next page"
              }
            ]
          },
          {
            "page": [
              {
                "action": "password",
                "selector": "#password",
                "value": "my$ecretPassword"
              },
              {
                "action": "click",
                "selector": "#login",
                "description": "The login button"
              }
            ]
          }
        ]
      }
    }
  }
}

A page is what a user experiences as a page, and the actions are the actions the user would have to take to log into the page.

Original discussion: #571


Jeremias Eppler jeremias.eppler@daimler.com, Daimler TSS GmbH, imprint

Jeeppler commented 3 years ago

To allow multiple pages and to make sure the file is human-readable, the following JSON format will be used:

"script": {
  "pages": [
    {
      "actions": [
        {
          "type": "username",
          "selector": "#example_login_userid",
          "value": "user2",
          "description": "This is an example description"
        },
        {
          "type": "click",
          "selector": "#next_button",
          "description": "Click the next button to go to the password field"
        }
      ]
    },
    {
      "actions": [
        {
          "type": "wait",
          "value": 3200,
          "unit": "milliseconds"
        },
        {
          "type": "input",
          "selector": "#email_field",
          "value": "user@example.org",
          "description": "The user's email address."
        },
        {
          "type": "password",
          "selector": "#example_login_pwd",
          "value": "pwd2"
        },
        {
          "type": "click",
          "selector": "#example_login_login_button"
        }
      ]
    }
  ]
}
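The two comments above sketch the same idea in two shapes: a list of pages, each holding the ordered actions a user performs before moving on. The following Python is an added example, not SecHub code, that works with the `pages`/`actions` layout from the second comment. It validates a script before anything is executed, masks `password` values before the script is logged (a login script is a credential file and must not leak into scan logs), and dry-runs the actions against a constructed two-step fake site to check that every selector exists on the page the scanner would be on at that moment. The set of action types, the `milliseconds`-only unit check and the fake site layout are assumptions for illustration.

```python
"""Validator, log redactor and dry-run executor for the page-based login
script format proposed in this issue. Added example; not part of SecHub.
Action types, the unit check and the fake site layout are assumptions."""
import copy
import json

ACTION_TYPES = {"username", "password", "input", "click", "wait"}
SECRET_TYPES = {"password"}

# Constructed sample in the "pages"/"actions" layout of the second comment.
SAMPLE_SCRIPT = json.loads("""{
  "pages": [
    {"actions": [
      {"type": "username", "selector": "#example_login_userid", "value": "user2"},
      {"type": "click", "selector": "#next_button"}
    ]},
    {"actions": [
      {"type": "wait", "value": 3200, "unit": "milliseconds"},
      {"type": "input", "selector": "#email_field", "value": "user@example.org"},
      {"type": "password", "selector": "#example_login_pwd", "value": "pwd2"},
      {"type": "click", "selector": "#example_login_login_button"}
    ]}
  ]
}""")


def validate_script(script):
    """Return a list of problems; an empty list means the script is well-formed."""
    problems = []
    pages = script.get("pages")
    if not isinstance(pages, list) or not pages:
        return ["'pages' must be a non-empty list"]
    for p, page in enumerate(pages):
        actions = page.get("actions") if isinstance(page, dict) else None
        if not isinstance(actions, list) or not actions:
            problems.append(f"pages[{p}]: 'actions' must be a non-empty list")
            continue
        for a, act in enumerate(actions):
            where = f"pages[{p}].actions[{a}]"
            kind = act.get("type")
            if kind not in ACTION_TYPES:
                problems.append(f"{where}: unknown type {kind!r}")
            elif kind == "wait":
                if not isinstance(act.get("value"), int) or act["value"] <= 0:
                    problems.append(f"{where}: wait needs a positive integer value")
                if act.get("unit") != "milliseconds":  # assumption: only unit shown on the page
                    problems.append(f"{where}: unsupported unit {act.get('unit')!r}")
            else:
                if not act.get("selector"):
                    problems.append(f"{where}: {kind} needs a selector")
                if kind != "click" and "value" not in act:
                    problems.append(f"{where}: {kind} needs a value")
    return problems


def redacted(script):
    """Deep copy with secret values masked, safe to write to a scan log."""
    out = copy.deepcopy(script)
    for page in out.get("pages", []):
        for act in page.get("actions", []):
            if act.get("type") in SECRET_TYPES and "value" in act:
                act["value"] = "***"
    return out


# Constructed fake two-step login site: page name -> {selector: target}.
# A selector maps to None for a plain field, or to the page a click leads to.
FAKE_SITE = {
    "step1": {"#example_login_userid": None, "#next_button": "step2"},
    "step2": {"#email_field": None, "#example_login_pwd": None,
              "#example_login_login_button": "done"},
}


def dry_run(script, site=FAKE_SITE, start="step1"):
    """Walk every page's actions against the fake site.
    Returns (final_page, log); log lines never carry secret values."""
    current, log = start, []
    for p, page in enumerate(script["pages"]):
        for act in page["actions"]:
            kind = act["type"]
            if kind == "wait":
                log.append(f"page {p}: wait {act['value']} {act['unit']}")
                continue
            sel = act["selector"]
            if sel not in site.get(current, {}):
                raise LookupError(f"page {p}: {sel!r} not present on {current!r}")
            if kind == "click":
                nxt = site[current][sel]
                log.append(f"page {p}: click {sel} -> {nxt}")
                current = nxt
            else:
                shown = "***" if kind in SECRET_TYPES else act["value"]
                log.append(f"page {p}: {kind} {sel} = {shown}")
    return current, log


if __name__ == "__main__":
    assert validate_script(SAMPLE_SCRIPT) == []
    print(json.dumps(redacted(SAMPLE_SCRIPT), indent=2))
    print("\n".join(dry_run(SAMPLE_SCRIPT)[1]))
```

Running the module validates the sample, prints the redacted script as it could safely appear in a log, and prints the dry-run trail ending on the fake site's `done` page. A selector that is not present on the page the scanner is currently on raises `LookupError`, which is the failure mode a multi-page login hits when the `click` that should advance to the next page is missing or mis-ordered.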