Leveraging Robot Process Automation (RPA) to Conduct Security Testing

This blog post gives a brief introduction to security testing automation.

What kinds of security testing tasks are good candidates for automation?

  • tasks that require repetitive testing
    • e.g., continuous testing of predefined security requirements in a CI/CD (continuous integration/continuous delivery) environment, such as verifying that an account is locked out after 5 failed login attempts, or that the admin interface is not exposed on an untrusted network interface
    • e.g., reconnaissance at the beginning of a penetration test, such as checking open ports, collecting information about running network services, running predefined checks against targeted protocols (e.g. SMB), and consolidating all intel/output into a data file (e.g. CSV)

Can RPA replace manual penetration testing?

The objective (at least for now) of using RPA in security testing is to free up pentesters' time for complex attack vectors, not to replace penetration testing conducted by subject matter experts.

Robot Framework Deployment

Robot Framework is a generic open-source automation framework.

In this blog post, all demonstrations were conducted under Kali Linux for simplicity. Robot Framework can also be deployed in an MS Windows environment.

1) Install Robot Framework

pip install robotframework

2) Install RIDE

RIDE is the development environment for Robot Framework test cases.

sudo apt install libgtk-3-dev
pip install pkgconfig
pip install -U https://github.com/robotframework/RIDE/archive/master.zip

Launch RIDE by:

ride.py

3) Install SeleniumLibrary and Google Chrome

“SeleniumLibrary is a web testing library for Robot Framework that utilizes the Selenium tool internally.”

pip install --upgrade robotframework-seleniumlibrary
wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
sudo apt install ./google-chrome-stable_current_amd64.deb
pip install webdrivermanager
webdrivermanager firefox chrome --linkpath /usr/local/bin

Quick Demo with SeleniumLibrary

A quick web application login demo gives a clear understanding of how to create a Robot Framework test case.

Let’s translate the following test case into a robot test file (.robot):

“Validate whether the given username and password can authenticate to the web application”

I) Create a new test project file named “test.robot”

II) Convert our test case into a technical workflow

First, we need to find out how to determine whether a login attempt succeeded or failed.

By reviewing the HTTP response, we know that the page title does not change on a login failure, while it changes from “acuforum login” to “acuforum forums” when the login succeeds.

Also, we know that the username input field is “tfUName”, the password input field is “tfUPass”, and the login submission button is “Login”.

The following Robot test script could be created by using the above information:

*** Settings ***
Documentation     Simple test of two sets of credentials.
Library           SeleniumLibrary

*** Variables ***
${LOGIN URL}      http://testasp.vulnweb.com/Login.asp
${BROWSER}        Chrome

*** Test Cases ***
Login attempt for admin/password
    Open Browser To Login Page
    Input Username    admin
    Input Password    password
    Submit Credentials
    Welcome Page Should Be Open
    [Teardown]    Close Browser

Login attempt for admin/admin
    Open Browser To Login Page
    Input Username    admin
    Input Password    admin
    Submit Credentials
    Welcome Page Should Be Open
    [Teardown]    Close Browser

*** Keywords ***
Open Browser To Login Page
    Open Browser    ${LOGIN URL}    ${BROWSER}
    Title Should Be    acuforum login

Input Username
    [Arguments]    ${username}
    Input Text    tfUName    ${username}

Input Password
    [Arguments]    ${password}
    Input Text    tfUPass    ${password}

Submit Credentials
    Click Button    Login

Welcome Page Should Be Open
    Title Should Be    acuforum forums

Please note that test cases are run in sequence (from top to bottom), and a test case is treated as “FAIL” when any keyword cannot be executed or its outcome differs from what the keyword describes. In other words, a test case is a “PASS” only if every one of its keywords executes and every check it describes holds.
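As an added example (not part of the original post), the same structure can cover the account lockout requirement mentioned in the CI/CD list above. The lockout threshold of five failures and the lockout message are assumptions to adapt to the application under test; the demo site used above does not implement lockout, so against it this test is expected to fail.

```robotframework
*** Settings ***
Documentation     Verify that an account is locked after five consecutive failed logins.
...               Added example, not from the original post: the lockout text and the
...               retry count are assumptions to adapt to your own application.
Library           SeleniumLibrary

*** Variables ***
${LOGIN URL}      http://testasp.vulnweb.com/Login.asp
${BROWSER}        Chrome
${USERNAME}       admin
${MAX FAILURES}   ${5}
# Assumed lockout message; the demo site does not implement lockout,
# so replace this with the text your application actually shows.
${LOCKOUT TEXT}   account is locked

*** Test Cases ***
Account Locks After Five Failed Logins
    Open Browser    ${LOGIN URL}    ${BROWSER}
    Title Should Be    acuforum login
    # Each attempt uses a different wrong password and must stay on the login page.
    FOR    ${i}    IN RANGE    ${MAX FAILURES}
        Attempt Login    ${USERNAME}    wrong-password-${i}
        Title Should Be    acuforum login
    END
    # One more attempt, now with the correct password, must be rejected as well,
    # otherwise the lockout requirement is not met.
    Attempt Login    ${USERNAME}    admin
    Title Should Be    acuforum login
    Page Should Contain    ${LOCKOUT TEXT}
    [Teardown]    Close Browser

*** Keywords ***
Attempt Login
    [Arguments]    ${username}    ${password}
    Input Text    tfUName    ${username}
    Input Text    tfUPass    ${password}
    Click Button    Login
```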

III) Execute Test Project

You can either press “F8” or go to the “Run” tab and click “Start”.

From the test outcome, we know that the valid credentials are admin/admin.

I hope you enjoyed reading it.

Cheers
Henry

P.S. If you have any good ideas or robot scripts for automating security testing, please do not hesitate to share them with me! Thanks!

One Comment

  1. anijayan says:

    Good Topic
