Selenoid for Pen Testers
This blog post demonstrates how to configure Selenoid to send HTTP and HTTPS traffic to Burp Suite so that HTTP and HTTPS headers can be inspected. I will give only a very brief introduction to Selenoid and Burp Suite.
Selenoid: This project is a Selenium hub implementation in Go. It is a containerized application that launches browser containers. It supports Firefox, Chrome, Opera and Edge. A detailed document about setup and configuration is here, and the git repo is here. It is very easy to set up and configure. You can run Protractor test cases with it.
Burp Suite: This is developed by PortSwigger. Burp Suite has an intercepting proxy that allows us to see and change the contents of HTTP and HTTPS requests and responses while they are in transit. It is widely used by web application penetration testers and security researchers. Please refer to this link for details about setting it up and configuring it. Mainly, we need to configure the intercepting proxy.
To send web application traffic to it, the browser's proxy has to be set to the Burp Suite IP:PORT. It is a simple configuration.
Pen testers configure the browser to send HTTP and HTTPS requests to Burp Suite and inspect the requests and responses. Then they start clicking on each and every link so that each request and response is recorded in the Burp Suite HTTP history tab.
This is quite time consuming and error prone. To address this issue, we can make use of Selenium automated test cases. The advantage of this approach is that it reuses automated test cases that run through every link automatically. To send HTTP and HTTPS traffic to Burp Suite via Selenoid, we have to make a simple change to the Protractor config. Here are the changes.
For Firefox:
    capabilities: {
        browserName: 'firefox',
        version: "78.0",
        enableVNC: true,
        acceptInsecureCerts: true,
        proxy: {
            proxyType: 'manual',
            httpProxy: 'BURPPROXYIP:PORT',
            sslProxy: 'BURPPROXYIP:PORT',
            httpProxyPort: 'BURPPROXY_PORT',
            sslProxyPort: 'BURPPROXY_PORT',
        },
    }
For Chrome:
    capabilities: {
        browserName: 'chrome',
        version: "87.0",
        enableVNC: true,
        acceptInsecureCerts: true,
        chromeOptions: {
            args: ["--proxy-server=http://BURPPROXYIP:PORT"],
        },
    }
That is all the configuration required. When you run the Selenium test cases, you will notice that all web traffic is recorded in the Burp Suite proxy history. Please keep Burp intercept turned off. It would be nice to run the Selenium test cases using Jenkins.
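The two capability blocks above can be generated from one proxy address. The following is an added example, not code from the original post or from the Selenoid or Protractor projects: burpCapabilities() and isLocalOnly() are hypothetical helper names, the address is a constructed sample, and the Firefox proxy uses only the host:port form of httpProxy/sslProxy. It rejects loopback addresses because the browser runs in a Selenoid container, where such an address points at the container itself rather than at the machine running Burp Suite.

```javascript
// Added example: build Selenoid capabilities that route a browser through Burp.
// burpCapabilities() and isLocalOnly() are hypothetical names, not a Protractor API.

// True when the host is only meaningful on the machine that uses it.
function isLocalOnly(host) {
  const h = String(host).toLowerCase();
  if (h === 'localhost' || h === '::1' || h === '0.0.0.0') return true;
  return /^127\.\d+\.\d+\.\d+$/.test(h);
}

function burpCapabilities(browserName, version, proxyHost, proxyPort) {
  const port = Number(proxyPort);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid proxy port: ${proxyPort}`);
  }
  // The browser runs inside a Selenoid container, so a loopback address
  // would point at the container itself, not at the host running Burp.
  if (isLocalOnly(proxyHost)) {
    throw new Error(`${proxyHost} is not reachable from a browser container`);
  }
  const hostPort = `${proxyHost}:${port}`;
  // Same base capabilities as the post: VNC on, Burp's certificate accepted.
  const caps = { browserName, version, enableVNC: true, acceptInsecureCerts: true };

  if (browserName === 'firefox') {
    caps.proxy = { proxyType: 'manual', httpProxy: hostPort, sslProxy: hostPort };
  } else if (browserName === 'chrome') {
    caps.chromeOptions = { args: [`--proxy-server=http://${hostPort}`] };
  } else {
    throw new Error(`no proxy mapping for browser: ${browserName}`);
  }
  return caps;
}

// Constructed sample values: a documentation-range address and port 8080.
const sample = burpCapabilities('chrome', '87.0', '192.0.2.10', 8080);
console.log(JSON.stringify(sample, null, 2));
```

In a Protractor config the returned object can be assigned to capabilities, or several of them listed under multiCapabilities. The Burp Suite proxy listener must be bound to an address the container can reach, not only to loopback.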