Using Selenium and Netsparker for Manual Crawling of Web Applications

The Selenium testing framework allows you to record and play back the browsing of a web application. It is very popular with developers, QA engineers and others involved in the development and testing of web applications.

It is quite likely that you already have Selenium scripts to test your web application, especially for specific flows such as multi-step forms or shopping-cart-like functionality. If you would like the Netsparker web vulnerability scanner to see and scan all these flows as intended, there is no need to reinvent the wheel. You can use the Selenium IDE Firefox browser extension, or any other driver, to replay the recordings; Netsparker captures all the browsed pages and parameters and scans them automatically.

The procedure is very simple and is documented below. Scroll down to the bottom of this post for a video of the procedure as well:

1. Start Netsparker in Proxy Mode (Manual Crawling)

As explained in Manual Crawling with Netsparker web vulnerability scanner, the scanner has a built-in proxy which listens on port 10010. By default it is also registered as the system proxy, so in most cases you do not need to change anything in the browser.

Note: It is recommended to read the manual crawling article to get a better idea of what manual crawling is.

Launch Netsparker Desktop, specify the URL of the target web application that you will be manually crawling (the one for which you have the recordings) in the Start a New Website or Web Service Scan window, and select Manual Crawl (Proxy Mode) from the scan button's drop-down menu.

Start the manual crawl for Netsparker to capture the URLs requested in the Selenium playback

2. Play the Macro on Selenium IDE

Click Selenium IDE from the Tools drop down menu of your browser and click Play Entire Test Suite.

Start the Selenium playback for Netsparker to capture all the URLs and parameters that are requested in the Selenium playback

3. Start the Automatic Vulnerability Scan

Once the macro has finished, switch back to Netsparker, check the Sitemap to confirm that the scanner captured the links, and click Resume so that Netsparker can start attacking the captured parameters.

Use the Sitemap to confirm that all the URLs requested in the Selenium playback have been captured by Netsparker
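The post mentions that any WebDriver can replay the recordings, not only the Selenium IDE extension. The following script is an added example, not code from the Netsparker post or product: it shows how to point a Selenium WebDriver session explicitly at the scanner's proxy on 127.0.0.1:10010 (so the capture does not depend on the system proxy setting) for both Chrome and Firefox, then drives a multi-step flow so every request lands in the Sitemap. The target URL, page paths, form field names and credentials are placeholders, and the helper that builds the flow returns the visited URLs so you can cross-check them against the Sitemap before clicking Resume.

```python
"""Replay a Selenium WebDriver flow through the Netsparker manual-crawl proxy.

Added example, not from the original Netsparker post. Assumes the scanner's
proxy listens on 127.0.0.1:10010 as the post states; the target application,
paths, field names and credentials below are placeholders.
"""
from __future__ import annotations

PROXY_HOST = "127.0.0.1"
PROXY_PORT = 10010  # Netsparker manual-crawl proxy port from the post


def proxy_url(host: str = PROXY_HOST, port: int = PROXY_PORT) -> str:
    """Return the proxy address in the host:port form the browsers expect."""
    return f"{host}:{port}"


def chrome_arguments(host: str = PROXY_HOST, port: int = PROXY_PORT) -> list[str]:
    """Chrome/Chromium command-line flags that route every request via the proxy.

    The bypass list is set so that loopback traffic is not short-circuited
    around the proxy when the target itself runs on localhost.
    """
    return [
        f"--proxy-server=http://{proxy_url(host, port)}",
        "--proxy-bypass-list=<-loopback>",
    ]


def firefox_preferences(host: str = PROXY_HOST, port: int = PROXY_PORT) -> dict:
    """Firefox about:config preferences for an explicit manual proxy (type 1)."""
    return {
        "network.proxy.type": 1,  # 1 = manual proxy configuration
        "network.proxy.http": host,
        "network.proxy.http_port": port,
        "network.proxy.ssl": host,
        "network.proxy.ssl_port": port,
        "network.proxy.no_proxies_on": "",  # do not bypass the proxy for localhost
        "network.proxy.allow_hijacking_localhost": True,  # required on recent Firefox
    }


def make_driver(browser: str = "chrome"):
    """Build a WebDriver whose traffic goes through the scanner proxy.

    selenium is imported here so the pure helpers above stay importable
    without a browser installed.
    """
    from selenium import webdriver

    if browser == "firefox":
        options = webdriver.FirefoxOptions()
        for name, value in firefox_preferences().items():
            options.set_preference(name, value)
        return webdriver.Firefox(options=options)
    options = webdriver.ChromeOptions()
    for arg in chrome_arguments():
        options.add_argument(arg)
    # An intercepting proxy presents its own certificate for HTTPS targets;
    # either trust the proxy CA in the browser profile or, for the scan session
    # only, accept certificate errors with this Chrome flag.
    options.add_argument("--ignore-certificate-errors")
    return webdriver.Chrome(options=options)


def replay_checkout_flow(driver, base_url: str) -> list[str]:
    """Drive a placeholder login -> add-to-cart -> checkout flow.

    Every request made here passes through the proxy; the returned list of
    URLs is what you compare against the Netsparker Sitemap.
    """
    from selenium.webdriver.common.by import By

    visited: list[str] = []
    driver.get(f"{base_url}/login")  # placeholder path
    driver.find_element(By.NAME, "username").send_keys("scan-user")      # placeholder
    driver.find_element(By.NAME, "password").send_keys("scan-password")  # placeholder
    driver.find_element(By.CSS_SELECTOR, "form button[type=submit]").click()
    visited.append(driver.current_url)

    driver.get(f"{base_url}/cart/add?item=42")  # placeholder path and parameter
    visited.append(driver.current_url)
    driver.get(f"{base_url}/checkout")  # placeholder path
    driver.find_element(By.NAME, "address").send_keys("1 Example Street")
    driver.find_element(By.CSS_SELECTOR, "form button[type=submit]").click()
    visited.append(driver.current_url)
    return visited


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    drv = make_driver()
    try:
        for url in replay_checkout_flow(drv, target):
            print("captured:", url)
    finally:
        drv.quit()
```

Run it with the scanner already in Manual Crawl (Proxy Mode), then compare the printed URLs with the Sitemap before clicking Resume. Because the scanner will attack every parameter it captured, including the login and checkout fields the script fills in, replay the flow against a test instance of the application rather than production data.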

Video: Scanning URLs in Selenium Playbacks with Netsparker Desktop


Keep up to date with web security news from Netsparker