Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

security - How safe is it to use Selenium to auto-fill forms with sensitive information

Selenium is usually used for testing. But what if someone decided to use it to autofill forms on websites with personal data(username, password, credit card number). How safe would that be?

I mean the actual part where you call the driver object and pass it all this secure information. Let's assume the information is securely stored until the moment you pass it to the driver.

I wonder if that's what websites that aggregate your credit card and bank accounts use instead of api calls(running a headless browser in the backend to log in to personal profiles).

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

While using Selenium as mentioned in the Security section within WebDriver - W3C Recommendation the only security concern is that:

A user agent that rely on a command-line flag or a configuration option to test whether to enable WebDriver, or alternatively make the user agent initiate or confirm the connection through a privileged content document or control widget, in case the user agent does not directly implement the HTTP endpoints.

It is strongly suggested that user agents require users to take explicit action to enable WebDriver, and that WebDriver remains disabled in publicly consumed versions of the user agent.

To prevent arbitrary machines on the network from connecting and creating sessions, it is suggested that only connections from loopback devices are allowed by default.

The remote end can include a configuration option to limit the accepted IP range allowed to connect and make requests. The default setting for this might be to limit connections to the IPv4 localhost CIDR range 127.0.0.0/8 and the IPv6 localhost address ::1.

The generic solution was to distinguish the user agent session that is under control of WebDriver from those used for normal browsing sessions. Snapshot of visually distinguishable WebDriver driven user agent:

WebDriver_driven_UserAgent


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

1.4m articles

1.4m replys

5 comments

57.0k users

...