Skip to main content

Selenium script best practices

Veracode Dynamic Analysis supports Selenium scripts that you can use to crawl target web applications. This section provides best practices for recording and optimizing your crawl scripts.

See the example Selenium scripts.

When to use crawl scripts

You do not need a crawl script to perform a complete dynamic analysis of a web application. You only need to create crawl scripts to access features or functionality in your web application that are accessible with a particular set of inputs in a multistep process.

For example, a website might display different features depending on the region a user selects from a dropdown menu, or it might restrict access to certain features based on the data a user entered into an area of the web application. You might also want to provide a crawl script to Dynamic Analysis if you notice in the results that it did not crawl a particular set of pages or functionality.

A Dynamic Analysis can use heuristics to navigate an application, but to understand the business logic around the exchange of information between a database and the application user interface, you must use crawl scripts or augment the analysis with Manual Penetration Testing.

General tips

  • To ensure that a webpage finishes loading before interacting with it, such as signing in, include a wait command, such as waitForPageToLoad, at the beginning of the script.
  • Always include a command in the script that validates successful sign in to the application. For example, waitForElementVisible. See Targeting elements and the example scripts.
  • To find text that is visible on a webpage before successfully signing in, include a text verification command, such as assertTextPresent or verifyTextPresent, at the end of the script.
  • Where possible, avoid including pauses in the script.
  • Where possible, ensure each target in the script refers to the ID parameters in the HTML of each webpage. For example, "target": "id=username". See Targeting elements and the example scripts.

Remove pre-populated values

  • Cache and cookies: always clear your browser cache and cookies. If Dynamic Analysis is scanning a web application for the first time, it cannot use any information saved in cache, cookies, or local storage.
  • Input fields: if the browser auto-populates any of the input fields, such as a username, Selenium does not record them in the script.

Targeting elements

  • Input fields: the scan engine typically runs events on an input field while filling in the field. Adding additional mouse selections to the script, such as onFocus and onBlur events, is unnecessary and might cause problems.
  • Multiple methods: if a step fails when the script executes, use an alternate method to identify targets.
  • Elements with long waits: any command that targets an element, such as a mouse click or type command, automatically has an implicit waitForElementPresent process that runs with a 30-second timeout. If an element takes longer than 30 seconds to load, you might need to add additional waits. Veracode recommends adding these additional waits sparingly as they can increase your scan duration or cause other scan issues.

Recording sequence

When recording your script, Veracode recommends you use the following sequence in this order:

  1. Open the webpage.
  2. Wait for the sign in page to load.
  3. Enter the username and password. If the username and password fields are on different pages, after entering the username, include a step, such as selecting Next on the page with the username field, to go to the next page, then enter the password.
  4. Select Submit.
  5. Wait for the next page to load and validate that a specific element is vislble.