Selenium Script Best Practices
Veracode Dynamic Analysis supports Selenium scripts that you can use to crawl target web applications. This section provides best practices for recording and optimizing your crawl scripts.
When to Use Crawl Scripts
You do not need a crawl script to perform a complete dynamic analysis of a web application. You only need to create crawl scripts to access features or functionality in your web application that are accessible with a particular set of inputs in a multi-step process.
For example, a website might display different features depending on the region a user selects from a dropdown menu, or it might restrict access to certain features based on the data a user entered into an area of the web application. You may also want to provide a crawl script to Dynamic Analysis if you notice in the results that it did not crawl a particular set of pages or functionality.
A Dynamic Analysis can use heuristics to navigate an application, but to understand the business logic around the exchange of information between a database and the application user interface, you must use crawl scripts or augment the analysis with Manual Penetration Testing.
- To ensure that a web page finishes loading before the user can enter credentials, include a
waitcommand, such as
waitForPageToLoad, at the beginning of the script.
- To find text visible on a web page when a user successfully logs in, include a text verification command, such as
verifyTextPresent, at the end of the script.
- Where possible, avoid including pauses in the script.
Remove Pre-Populated Values
- Cache and cookies: always clear your browser cache and cookies. If Dynamic Analysis is scanning a web application for the first time, it cannot use any information saved in cache, cookies, or local storage.
- Input fields: if the browser auto-populates any of the input fields, such as a username, Selenium does not record them in the script.
- Input fields: the scan engine typically runs events on an input field while filling in the field. Adding additional mouse clicks to the script, such as
onBlurevents, is unnecessary and may cause problems.
- Multiple methods: if a step fails when the script executes, use an alternate method to identify targets.
- Elements with long waits: any command that targets an element, such as a mouse click or type command, automatically has an implicit
waitForElementPresentprocess that runs with a 30-second timeout. If an element takes longer than 30 seconds to load, you might need to add additional waits. Veracode recommends adding these additional waits sparingly as they can increase your scan duration or cause other scan issues.