We support Selenium scripts uploaded to web application settings and authentication records. Uploaded scripts are replayed during Web Application Scanning. For example:
- We can replay recorded steps to scan a web application that requires complex workflows, such as selecting user input combinations that require certain knowledge and/or user interaction.
- We can replay recorded steps, like clicking a series of buttons or filling out forms.
- We can replay recorded steps to complete login and authentication requirements.
Create Selenium Script
Use Qualys Browser Recorder to create a Selenium script. To know more about Qualys Browser Recorder, refer to Create Selenium Scripts Using Qualys Browser Recorder.
Validating Selenium Script
After a successful upload, click View next to the script name to view the script contents. Sensitive contents are masked by default; click Display to reveal them. Our service considers a Selenium script file valid when it meets the following criteria:
- the file is an HTML file saved from Qualys Browser Recorder
- the file contains at least one command
- the file contains an absolute path to each form requiring authentication.
We recommend that you configure an option profile with a small number of links to crawl and the QIDs 150094 and 150095 to ensure authentication is working before launching a more extensive scan. One of these information-gathered QIDs appears in the scan results as long as the QID is included in the selected option profile: QID 150094 appears if authentication was successful, and QID 150095 appears if authentication failed.
You can specify a regular expression to verify that authentication completed successfully. Enter a valid regular expression that our service will use to verify authentication at the end of the script. The regular expression must match a pattern on a page that is not accessible to an unauthenticated user; a good choice is a "logout" link that is displayed only when the user has successfully authenticated. You can enter a maximum of 1024 characters.
All regular expressions are in PCRE format.
No bounding delimiters are necessary; the entire string is treated as the regex. Syntax like /foo/ or #foo# is not required: the / or # characters familiar from Perl or Python are needed in those languages to delimit the regex, but our service does not need them.
Only standard PCRE metacharacters need to be escaped. Some examples:
- \s -- whitespace character (space, tab, or newline)
- \w -- word character
- \\ -- literal backslash; a backslash before a metacharacter makes it match that character literally
- \. -- match a dot rather than any character
- \? -- match a question mark rather than interpret it as a 0-or-1 quantifier
- Admin -- match the word Admin anywhere
- .* -- match anything 0 or more times
- a+ -- match the letter 'a' one or more times
- successful\slogin -- match "successful login" separated by a space, tab, or newline
- ^response$ -- match the word response, with anchors to the beginning and end of the input
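Before entering a verification regex, it is worth checking it against both a pre-login and a post-login page body: a pattern that also matches the unauthenticated page would report a failed login as a success. The following added example (not Qualys code) does that check with Python's re module standing in for PCRE, using two constructed sample pages; the sample HTML, the function names and the 1024-character limit from this page are the only assumptions.

```python
import re

# Constructed sample responses (not from any real application):
# the page an unauthenticated visitor sees, and the page shown after login.
LOGIN_PAGE = """<html><body>
<h1>Admin Portal</h1>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <button>Sign in</button>
</form>
</body></html>"""

DASHBOARD_PAGE = """<html><body>
<h1>Admin Portal</h1>
<p>Welcome back, alice.</p>
<a href="/account/logout">Logout</a>
</body></html>"""


def compile_verification_regex(pattern: str) -> re.Pattern:
    # The regex is entered without bounding delimiters (no /foo/ or #foo#)
    # and is limited to 1024 characters.  Python's re is a stand-in for
    # PCRE here; the constructs on this page (\s, \w, \., \?, ^, $, .*, +)
    # behave the same in both engines.
    if len(pattern) > 1024:
        raise ValueError("verification regex exceeds 1024 characters")
    return re.compile(pattern, re.MULTILINE)


def is_good_verification_regex(pattern: str, unauth_body: str, auth_body: str) -> bool:
    # A usable regex matches the authenticated page and NOT the
    # unauthenticated one; otherwise a failed login would be reported as
    # a success (QID 150094 instead of 150095).
    rx = compile_verification_regex(pattern)
    return bool(rx.search(auth_body)) and not rx.search(unauth_body)


if __name__ == "__main__":
    # "Admin" appears on both pages, so it is a bad choice; the welcome
    # text and the logout link appear only after login.
    for candidate in ["Admin", r"Welcome\sback", r'href="/account/logout"']:
        verdict = is_good_verification_regex(candidate, LOGIN_PAGE, DASHBOARD_PAGE)
        print(f"{candidate!r}: {'ok' if verdict else 'also matches unauthenticated page'}")
```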