SoapUI Get SessionID

The goal is to automate testing of some secured APIs, which need the session ID of my application in order to send a request and receive the expected response.

I am using SoapUI for my API testing.

Initially I thought of using SoapUI alone to achieve this. But my application uses SAML requests and does a lot of redirection before reaching the login page.

So my workaround is to use some other framework to fetch this session ID.

I have already discussed the same in the following post.

https://linkeshkannavelu.com/2014/02/13/selenium-webdriver-get-sessionid-from-a-web-application/

But in the above post I was using FirefoxDriver, which launches the Firefox browser every time before fetching the session information.

I always felt this was not a proper workaround and kept looking for a better alternative.

Here is something I tried in order to get the session cookie in headless mode, without a browser.

Earlier I tried using HtmlUnitDriver instead of FirefoxDriver to get the session information with a headless browser.

Initially I got a lot of exceptions with an earlier version of the Selenium standalone server.

But this works perfectly with the latest version of Selenium. I really don’t know why.

The updated script runs unattended and fetches the session ID without a browser.

If you use HtmlUnitDriver, it always emits a bunch of severe warnings that you do not need.

All we need is the session information of the application.

So I found a way to turn off the HtmlUnitDriver logging to avoid these severe warnings and the unwanted output.

The following method will get you the session ID of a web application.

I have just pasted the method here; you may need to modify it for your needs.

You need to add the latest Selenium standalone server JAR to your classpath for this method to work.

import java.util.concurrent.TimeUnit;
import java.util.logging.Level;

import org.apache.commons.logging.LogFactory;
import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.htmlunit.HtmlUnitDriver;

public class HeadlessSession {
    // Base URL of the application, e.g. "http://host"; set this before calling the method
    public static String ServiceEndPoint;
    // Receives the extracted session cookie ("sessionId=<value>") for later use
    public static String Cookie;

    public static void HeadlessSessionId() throws Exception {
        // true enables JavaScript support in the headless browser
        WebDriver driver = new HtmlUnitDriver(true);

        try {
            // Turn off HtmlUnit and HttpClient logging; only the session cookie is of interest
            LogFactory.getFactory().setAttribute("org.apache.commons.logging.Log",
                    "org.apache.commons.logging.impl.NoOpLog");
            java.util.logging.Logger.getLogger("com.gargoylesoftware.htmlunit").setLevel(Level.OFF);
            java.util.logging.Logger.getLogger("org.apache.commons.httpclient").setLevel(Level.OFF);

            String domainString = ServiceEndPoint;
            String baseUrl = domainString;
            driver.manage().timeouts().implicitlyWait(60, TimeUnit.SECONDS);
            driver.get(baseUrl + "/Demo/");
            driver.findElement(By.id("username")).clear();
            driver.findElement(By.id("username")).sendKeys("UserName");
            driver.findElement(By.id("password")).clear();
            driver.findElement(By.id("password")).sendKeys("PassWord");
            driver.findElement(By.cssSelector("input.primary.btn")).click();

            // Cookie.toString() gives "sessionId=<value>; path=/; domain=<host>";
            // strip the path and domain attributes so only "sessionId=<value>" remains
            // (Cookie.getValue() would return the bare value directly).
            String SessionId = driver.manage().getCookieNamed("sessionId").toString();
            domainString = domainString.replaceAll("http://", "domain=");
            String SessionID = ((SessionId).replaceAll("path=/;", " "))
                    .replaceAll(domainString, "").replaceAll("Cookie: ", "");
            Cookie = SessionID;
            System.out.println(SessionID);
        }
        finally {
            driver.close();
        }
    }
}

That’s it; we have the session information of our application in hand. Now, how do we integrate this with SoapUI?

During development, when running my tests manually from the SoapUI GUI, I have a project-level property defined in SoapUI called “Cookie”.

I manually set that project property to the session information I got from my Selenium script.

This project-level property is then used in my SoapUI test cases and test steps.

But as an automation engineer, at some point I will want to add these tests to my continuous integration server and run them in nightly builds.

At that point there should be no manual intervention in the automated tests.

So let’s see how I integrated the session obtained from Selenium with SoapUI.

What we need to do is simple.

Instead of printing the session ID, write it to a properties file. I write this session ID into “SoapUIProjectProerties.props”.

Export the entire Java project as a runnable JAR file.

If you are using an IDE like Eclipse, this is not a difficult task. Then create a batch file that performs the following steps.

1. First run the JAR file; this writes the session ID into the properties file.
2. Run the SoapUI testrunner batch file from the command line and tell it to load the project properties from “SoapUIProjectProerties.props”.

@ECHO OFF
SET SOAPUI_TEST_RUNNER="C:\Program Files (x86)\SmartBear\SoapUI-5.0.0\bin\"
REM Step 1: headless login, writes the session ID into SoapUIProjectProerties.props
java -jar HeadlessSessionId.jar
REM Step 2: run the SoapUI test suite, loading project properties from that file
%SOAPUI_TEST_RUNNER%testrunner.bat -sTestSuiteName -r -a -j -f"Reports" -i Project-Name.xml ^
    -Dsoapui.properties.CommonAuthWebService=SoapUIProjectProerties.props
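The cookie-to-properties step of the batch flow above, as an added Python example (not the post’s Java code): it assumes the cookie comes as the dict that Python Selenium’s driver.get_cookie() returns after login, and the property name and file name follow the post; the sample cookie is constructed.

```python
"""Turn a Selenium session cookie into the SoapUI properties file (added
example in Python, not the post's Java). Assumes the cookie is the dict that
Python Selenium's driver.get_cookie("sessionId") returns after login; the
property name "Cookie" and the file name follow the post; sample values are constructed."""
import re
from pathlib import Path

# Constructed sample of what driver.get_cookie("sessionId") returns.
SAMPLE_COOKIE = {"name": "sessionId", "value": "a1b2c3==:xyz", "path": "/",
                 "domain": "app.example.test", "httpOnly": True, "secure": False}
PROPS_FILE = "SoapUIProjectProerties.props"

def cookie_header(cookie):
    """Cookie request-header value is only name=value; path, domain and flags are
    Set-Cookie attributes and must not be sent back (the post strips them by hand)."""
    return f"{cookie['name']}={cookie['value']}"

def _escape(text, is_key):
    """java.util.Properties escaping (SoapUI loads the file with it): backslash, '=',
    ':', '#', '!' are escaped; keys also escape spaces; a value's leading space is kept."""
    out = text.replace("\\", "\\\\")
    for ch in "=:#!":
        out = out.replace(ch, "\\" + ch)
    if is_key:
        out = out.replace(" ", "\\ ")
    elif out.startswith(" "):
        out = "\\" + out
    return out

def serialize_props(props):
    return "".join(f"{_escape(k, True)}={_escape(v, False)}\n" for k, v in props.items())

def parse_props(text):
    """Reader for the subset written above, used to verify the round trip."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = re.match(r"\s*((?:\\.|[^=:\\\s])+)\s*[=:]?\s*(.*)", line)
        result[unescape(m.group(1))] = unescape(m.group(2))
    return result

def write_session_props(cookie, directory):
    """Write the file the testrunner loads via -Dsoapui.properties.<Project>=<file>.
    It holds a live session credential: keep it out of version control, delete it after the run."""
    path = Path(directory) / PROPS_FILE
    path.write_text(serialize_props({"Cookie": cookie_header(cookie)}), encoding="latin-1")
    return path
```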

At runtime, SoapUI uses the session ID property defined in the properties file when calling the secured APIs.

I hope this solution is helpful when automating secured APIs that need a session ID.

A colleague is working on another interesting solution: rewriting the whole Java program as a Groovy test script in SoapUI.

I will let you know if that works. Thanks.


Security Test Automation using Selenium and ZAP

Recently I got a chance to participate in a contest within our organization. As a team we had to come up with an innovative idea and work on it for a week to showcase a live working sample.

At Selenium Conference 2014 (http://seleniumconf.org/) we came across an interesting talk, Hacker Proof your app using Functional Tests (http://confengine.com/selenium-conf-2014/schedule#session-218-info).

It covers how to reuse functional test automation scripts to do vulnerability assessment and security testing of your web applications. In that talk they used IronWASP, a leading OWASP vulnerability scanner, along with their Selenium test scripts.

First of all, OWASP (https://www.owasp.org/index.php/Main_Page), the Open Web Application Security Project, is an online community dedicated to web application security. All of its software and materials are available under free and open software licenses.

As I said earlier, IronWASP (https://ironwasp.org/) is a free and open-source, GUI-based, easy-to-use scanning engine.

But one major constraint with IronWASP is that report generation after a vulnerability scan is a manual step. So we searched for alternative vulnerability scanners that work well with WebDriver.

We came across another interesting solution using the Zed Attack Proxy (ZAP).

The OWASP Zed Attack Proxy (ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing, as well as being a useful addition to an experienced pen tester’s toolbox.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. But our requirement was automated scanning of our functional test flows, so we looked for an API, and ZAP has one.

ZAP provides a very good API that lets you interact with it programmatically; see https://code.google.com/p/zaproxy/wiki/ApiJava for details.

The ANT tasks (https://code.google.com/p/zaproxy/wiki/ApiAnt) also let you run automated scanning over your functional flows without changing any code in your functional or regression tests.

We decided to go with this tool. Below is the set of tools and libraries you need to perform a vulnerability assessment.

1. ZAP
2. Eclipse
3. The Bodge It Store
4. Tomcat (the web server hosting the Bodge It Store)
5. Firefox
6. Java and ANT

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

You can download it as a WAR file from https://code.google.com/p/bodgeit/downloads/list and deploy it in the Apache Tomcat web server.

Note that you should be able to use ZAP in this way with any IDE, web app, web server and browser; the above are just the ones used in this demo.

1. Download and install Java
2. Download and install ZAP
3. Run ZAP
   Accept the license agreement
   It is up to you whether to create a root CA certificate; it is not required for this demo
   Select Tools / Options… / Local proxy
   Change the port to 8090
4. Download and install Tomcat
   The latest one is best, but older ones will probably still work
5. Start Tomcat
   Connect to Tomcat to make sure it is working properly: http://localhost:8080
6. Download the BodgeIt WAR file
   Deploy the BodgeIt WAR file in Tomcat
7. Download and install Eclipse
8. Start Eclipse
   Check out or clone this project from GitHub: https://github.com/linkeshkanna/SecurityTestAutomation
   Import the project into your Eclipse workspace
   Add the libraries junit-4.0.jar, selenium-java-2.43.0.jar, selenium-server-standalone-2.43.0.jar and zap-api-v2-8.jar
9. Run the “ZAPDemo” task in “build.xml” as an ANT task

This will pop up the Firefox browser, navigate through the BodgeIt application and first perform the functional validation. Next it will scan all the web pages you navigated in your functional test flows and produce the results.

How does this actually work?
If you don’t want to use the BodgeIt Store and want to assess a different application under test (AUT), what changes do you have to make?

It’s simple: route all your WebDriver traffic through the proxy that ZAP is listening on.
In the steps above we started the ZAP proxy on port 8090, so that is where it listens. In your Selenium tests, before initializing WebDriver, configure the proxy settings:

import java.util.concurrent.TimeUnit;

import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.firefox.FirefoxDriver;
import org.openqa.selenium.remote.CapabilityType;
import org.openqa.selenium.remote.DesiredCapabilities;

public void setUp() throws Exception {
    // Send every protocol the browser speaks to the ZAP listener (port 8090 from the steps above)
    Proxy proxy = new Proxy();
    proxy.setHttpProxy("localhost:8090");
    proxy.setFtpProxy("localhost:8090");
    proxy.setSslProxy("localhost:8090"); // for HTTPS targets the browser must trust ZAP's root CA
    DesiredCapabilities capabilities = new DesiredCapabilities();
    capabilities.setCapability(CapabilityType.PROXY, proxy);
    driver = new FirefoxDriver(capabilities); // driver is the test class's WebDriver field
    this.setDriver(driver);
    driver.manage().timeouts().implicitlyWait(30, TimeUnit.SECONDS);
}

This is how the web requests from the browser pass through ZAP:

(Diagram: ZAP-Integration)

That’s it; no other code changes are needed. All the remaining activities are taken care of by the ANT tasks.

Advantages:
Additional ROI:
We are not adding any effort to do a security assessment of your web applications.
We are simply reusing the existing test automation scripts, with minimal tweaks, to do the vulnerability assessment.
So it is definitely a value addition in ROI.

Can be integrated with continuous integration builds:
Since it is just an Ant build, we can also get vulnerability assessment reports from CI nightly builds.

Ignoring low-priority alerts:
This is another interesting option and it is definitely a big boon for developers.
If you want to avoid a build failure just because of some vulnerability alerts in your application,
simply ignore those alerts in your “build.xml” Ant tasks.

<VulnerabilityAssessment zapAddress="${zapaddr}" zapPort="${zapport}" debug="true">
	<!-- each ignoreAlert names a ZAP alert that must not fail the build -->
	<ignoreAlert alert="Cookie set without HttpOnly flag" />
	<ignoreAlert alert="X-Content-Type-Options header missing" />
	<ignoreAlert alert="X-Frame-Options header not set" />
	<ignoreAlert alert="Application Error disclosure" />
	<ignoreAlert alert="Password Autocomplete in browser" />
</VulnerabilityAssessment>
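An added example (Python, not the project’s Ant task) of the gating logic such an ignore list implies: it assumes the alerts come from ZAP’s core/view/alerts API in its documented JSON shape, the sample alerts are constructed, and the ignore list mirrors the build.xml entries above.

```python
"""Gate a build on ZAP alerts while honouring an ignore list (added example, not
the project's Ant task). ZAP's core/view/alerts API returns {"alerts": [{"alert",
"risk", "url", "param", ...}, ...]}; the sample below is constructed for the
BodgeIt target and the ignore list mirrors the <ignoreAlert> names in build.xml."""
import json

IGNORED_ALERTS = frozenset({
    "Cookie set without HttpOnly flag",
    "X-Content-Type-Options header missing",
    "X-Frame-Options header not set",
    "Application Error disclosure",
    "Password Autocomplete in browser",
})
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample response; ZAP reports one entry per affected request.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "Cookie set without HttpOnly flag", "risk": "Low",
     "url": "http://localhost:8080/bodgeit/login.jsp", "param": "JSESSIONID"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:8080/bodgeit/search.jsp", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:8080/bodgeit/search.jsp", "param": "q"},
    {"alert": "X-Frame-Options header not set", "risk": "Medium",
     "url": "http://localhost:8080/bodgeit/", "param": ""},
    {"alert": "Timestamp Disclosure - Unix", "risk": "Low",
     "url": "http://localhost:8080/bodgeit/about.jsp", "param": ""},
]})

def triage(alerts_json, ignored=IGNORED_ALERTS, fail_at="Medium"):
    """Return (failing, ignored_hits, below_threshold). Duplicates on
    (alert, url, param) collapse to one finding. Ignored alerts are returned
    too, so they stay visible in the report instead of silently vanishing."""
    seen, failing, ignored_hits, low = set(), [], [], []
    for a in json.loads(alerts_json)["alerts"]:
        key = (a["alert"], a["url"], a.get("param", ""))
        if key in seen:
            continue
        seen.add(key)
        if a["alert"] in ignored:
            ignored_hits.append(a)
        elif RISK_RANK.get(a["risk"], 3) >= RISK_RANK[fail_at]:
            failing.append(a)  # an unknown risk string is treated as High
        else:
            low.append(a)
    return failing, ignored_hits, low

def build_passes(alerts_json, **kw):
    """True when no non-ignored alert reaches the failure threshold."""
    return not triage(alerts_json, **kw)[0]
```

The ignored findings are part of the return value on purpose: an ignore list is an accepted-risk register, and the report should keep showing what was accepted.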

We have shared our presentation slides.

We have checked in our project source code at https://github.com/linkeshkanna/SecurityTestAutomation

Selenium Webdriver – Get SessionID from a Web Application

Getting the session ID or cookies from a web application using Selenium:

package com.test;

import java.util.concurrent.TimeUnit;
import org.openqa.selenium.*;
import org.openqa.selenium.firefox.FirefoxDriver;

public class GetSession {
    public static void main(String args[]) throws InterruptedException {
        WebDriver driver = new FirefoxDriver();
        try {
            String domainString = "http://yourURL";
            String baseUrl = domainString;
            driver.manage().timeouts().implicitlyWait(45, TimeUnit.SECONDS);
            driver.get(baseUrl + "/Login.aspx/");
            // Fill in the login form and submit it
            driver.findElement(By.id("username")).clear();
            driver.findElement(By.id("username")).sendKeys("username");
            driver.findElement(By.id("password")).clear();
            driver.findElement(By.id("password")).sendKeys("password");
            driver.findElement(By.cssSelector("input.primary.btn")).click();
            // Read the session cookie the application set after login; toString()
            // includes the path/domain attributes, getValue() would give the bare value
            String ASPNET_SessionId = driver.manage().getCookieNamed("ASP.NET_SessionId").toString();
            System.out.println(ASPNET_SessionId);
        }
        finally {
            driver.close();
        }
    }
}

Selenium eBooks Reference

Selenium WebDriver for beginners:

http://www.amazon.in/Selenium-Testing-Tools-Beginners-Guide-ebook/dp/B008SC1MGI 

Selenium RC beginner’s guide:

http://www.amazon.in/Selenium-1-0-Testing-Tools-Beginners-ebook/dp/B005NI3AR4/ref=sr_1_3?s=digital-text&ie=UTF8&qid=1390287067&sr=1-3

These two books are very good eye-openers for anyone who wants to get started with Selenium.