Secure coding

Creating a Professional Application – How to Create Tests, Part 5

October 4, 2012 by Adrian Stolarski

This article continues the previous four parts on creating good software. We have already covered unit tests and functional tests, and how to categorize the tests an application can have. This part builds on them: without that background on testing, the material here would be hard to follow.

Now let us see how all of this relates to web applications. We all have to deal with customers, and in my experience the customer is less a person than a state of mind. Whether you design web sites or carry out penetration tests, the client very often wants tangible evidence that we performed a process correctly.

Often, after the work is done, the customer meets it with disbelief, or our findings are undermined by someone from outside. How can we prevent this? This article is an attempt to answer that question, and along the way we will learn a few new tools that make our lives easier.

Automated web application testing primarily helps with documentation, both in penetration testing and in web application development. The tools drive a browser so that it quietly opens a page, adds a comment, logs in, or performs any other action on its own. This is a far better way to document a penetration test than the standard written report alone, because it demonstrates the tangible result of our actions, and because the recorded steps can be replayed exactly, the client can re-check the finding and later verify the fix. The customer can see that the page contains errors and that it can be manipulated easily because the scripts are full of holes.

XPath: addressing XML and HTML nodes from a web browser

When addressing the elements of a web page we have two choices: refer to the HTML or XHTML structure directly, or use XPath. It is hard to say which is better; both work, but when there is a deep tree of DOM elements to navigate, XPath is much more convenient. A full description of XPath can be found in the W3C specification; here we start with only the basics.

XPath identifies a node or a set of nodes with a location path. A location path is made up of one or more location steps separated by / or //. If the path begins with /, it is an absolute path: it gives the full path from the document's root node. Otherwise it is a relative path and starts from the current context node. For example, /html/body/table is an absolute path, while .//td[1] selects the first td child of every row below the context node, wherever it sits in the tree.

For Firefox I found a few add-ons well suited to demonstrating XPath. I liked FirePath most. It is an extension to FireBug, so FireBug has to be installed as well; FireBug is a tool for analyzing and editing a page's source. After installing these two add-ons, an additional button appears:

Running FireBug, the window looks like this:

If we open the tree of DOM elements for a site we know, it looks like this:

FireBug can also show which resources were loaded and from where. Here is a screen of our favorite site:

FireBug is a great tool for manual analysis of web pages, but it does not automate anything. Still, when we develop tests, FireBug tells us what to look for and where. It is also a very intuitive and transparent tool.

Introduction to Automation – Selenium IDE

Selenium is a tool for automated testing. It lets you record and replay tests and export them to a variety of formats, such as C# or Java, so that they can later be fired with a single mouse click. Selenium IDE is a Firefox add-on; Selenium is also available as a standalone server and as client libraries. After starting Selenium IDE, it looks as follows:

Why are we so taken with Selenium IDE? Because it is a genuinely simple tool for taking full control of a web page: it lets you automate many operations and check that they behave correctly. If we deal with an event whose effects are predictable and fully reproducible, and we repeat it every day, why not let Selenium do it for us?

Selenium also records and plays back actions, so you can automate almost anything. The recorded steps can be exported as code, even for Ruby on Rails, without knowing the language. All you have to do is record the appropriate test and Selenium does the rest, in a way that looks exactly as if we were driving the page with the mouse.

Best of all, Selenium records your activity on a web page and replays it at the click of one button. With Selenium you can test web applications even with no programming knowledge at all.

I recorded a test of my own. Here are the steps I took:

First, I typed the page address.

Second, I clicked the "InfoSec Resources" link.

Third, I chose the article on cryptographic libraries.

In Selenium IDE the recording looks like this:

When you click the "Play entire test suite" button, Selenium replays it automatically. Here is what happened:

And this is our test's source code, which Selenium IDE stores as an HTML table:

[plain]<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="" xml:lang="en" lang="en">
<head profile="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="selenium.base" href="" />
<title>New Test</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">New Test</td></tr>
</thead><tbody>
<tr>
	<td>open</td>
	<td>/</td>
	<td></td>
</tr>
<tr>
	<td>clickAndWait</td>
	<td>link=InfoSec Resources</td>
	<td></td>
</tr>
<tr>
	<td>click</td>
	<td>css=a[title="A Review of Selected Cryptographic Libraries"] > img.attachment-archive-image.wp-post-image</td>
	<td></td>
</tr>
</tbody></table>
</body>
</html>[/plain]
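The recorded test above is an ordinary XHTML table, so the XPath location steps from the earlier section are enough to read it back. The following Python script is an added example, not code from the article or from the Selenium project: it parses a constructed copy of such an export with the standard library's xml.etree.ElementTree, which supports the relative location paths and attribute predicates used here, and maps each Selenese locator prefix (link=, css=, id=, name=, xpath=) to the WebDriver lookup strategy it corresponds to. The sample base URL and the extra `type` command in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# The XHTML namespace the IDE export declares with xmlns; the x: prefix
# is what the XPath expressions below use to refer to it.
XHTML_NS = {"x": "http://www.w3.org/1999/xhtml"}

# Constructed sample in the shape of the Selenium IDE export above:
# a three-column table (command, target, value), one <tr> per command.
# The base URL is a placeholder, not the site from the article.
SAMPLE_TEST_CASE = """<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<link rel="selenium.base" href="http://example.invalid/" />
<title>New Test</title>
</head>
<body>
<table cellpadding="1" cellspacing="1" border="1">
<thead>
<tr><td rowspan="1" colspan="3">New Test</td></tr>
</thead><tbody>
<tr>
	<td>open</td>
	<td>/</td>
	<td></td>
</tr>
<tr>
	<td>clickAndWait</td>
	<td>link=InfoSec Resources</td>
	<td></td>
</tr>
<tr>
	<td>click</td>
	<td>css=a[title="A Review of Selected Cryptographic Libraries"] &gt; img.attachment-archive-image.wp-post-image</td>
	<td></td>
</tr>
<tr>
	<td>type</td>
	<td>id=comment</td>
	<td>Hi, this is a sample comment.</td>
</tr>
</tbody></table>
</body>
</html>
"""

# Selenese locator prefixes and the WebDriver "By" strategy each maps to.
LOCATOR_STRATEGIES = {
    "id": "id",
    "name": "name",
    "link": "link text",
    "css": "css selector",
    "xpath": "xpath",
}


def parse_locator(target):
    """Split a Selenese target such as 'link=InfoSec Resources' into
    (strategy, value). A target starting with // is an XPath locator;
    one with no known prefix falls back to Selenium RC's id-or-name
    lookup, reported here as 'identifier'."""
    if target.startswith("//"):
        return ("xpath", target)
    prefix, sep, value = target.partition("=")
    if sep and prefix in LOCATOR_STRATEGIES:
        return (LOCATOR_STRATEGIES[prefix], value)
    return ("identifier", target)


def parse_selenese(html_text):
    """Return (base_url, [(command, target, value), ...]).

    Every lookup is an XPath location path built from steps separated
    by / or //: './/x:tbody/x:tr' is relative to the context node (the
    document element) and descends to each command row, 'x:td' is a
    single child step from that row, and [@rel='selenium.base'] is a
    predicate filtering on an attribute.
    """
    root = ET.fromstring(html_text)
    base = root.find(".//x:link[@rel='selenium.base']", XHTML_NS)
    base_url = base.get("href", "") if base is not None else ""
    commands = []
    for row in root.findall(".//x:tbody/x:tr", XHTML_NS):
        cells = [(td.text or "").strip() for td in row.findall("x:td", XHTML_NS)]
        if len(cells) == 3:  # skip anything that is not a command row
            commands.append(tuple(cells))
    return base_url, commands


def describe(html_text):
    """Resolve each command's target: 'open' gets the full URL, every
    other command gets a (strategy, value) locator pair."""
    base_url, commands = parse_selenese(html_text)
    steps = []
    for command, target, value in commands:
        if command == "open":
            steps.append((command, ("url", base_url.rstrip("/") + target), value))
        else:
            steps.append((command, parse_locator(target), value))
    return steps


if __name__ == "__main__":
    for step in describe(SAMPLE_TEST_CASE):
        print(step)
```

Running the script prints one tuple per recorded command. The same parse is what you would use to audit what a client's recorded script will actually click and submit before replaying it against a live site, or to re-issue it against a new build after a fix.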

Selenium is a really powerful toy in experienced hands. The set of commands it offers is huge, and I am surprised that a tool of such modest size can perform so many actions out of the box. I did not expect testing applications with Selenium to be this simple. Selenium stores all of the recorded information in what the author calls the Web Object Model, which we return to below.

Basic tests using Selenium in Java

I am not an advocate of Java or C# alone. The previous article focused on testing in C#, so for a change let us use Java. First, though, I will introduce a new concept: WebDriver. It can be used equally well from NUnit in Visual Studio or from JUnit in Eclipse. WebDriver is another tool for the automated testing of web applications, used to check whether they really behave as we expect.

The main objective of WebDriver is to give its users an API that is easy to understand. This keeps our tests clear and simple to maintain.

First, set up the working environment for WebDriver. We need both the Selenium server and the Selenium client library; download them from the Selenium project site. Then create a new project in Eclipse with any name. Now add the libraries: right-click the project, select Properties, Java Build Path, Libraries, Add External JARs, and add selenium-java and selenium-server-standalone. The Libraries tab should then look like this:

Now we can create the first WebDriver test. On the File menu select New, Class, and fill the class with the following code. It shows how to add a new comment to a selected article on InfoSec:

[plain]import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.WebElement;
import org.openqa.selenium.htmlunit.HtmlUnitDriver;

public class MyExample {

    public static void main(String[] args) {
        // Create a new instance of the HtmlUnit driver: a headless browser,
        // so no Firefox window is needed
        WebDriver driver = new HtmlUnitDriver();

        // And now use it to visit an example article on InfoSec Institute;
        // the article address is passed as the first command-line argument
        driver.get(args[0]);

        // Locate the comment form fields by their name attribute
        WebElement author = driver.findElement(By.name("author"));
        WebElement comment = driver.findElement(By.name("comment"));

        // Type the comment text (the author field is located the same way)
        comment.sendKeys("This is a WebDriver test in my article for InfoSec!");

        // Now submit the form. WebDriver will find the form for us from the element
        comment.submit();

        // Check the title of the page we ended up on
        System.out.println("Page title is: " + driver.getTitle());

        // Close the browser session
        driver.quit();
    }
}[/plain]

See for yourself how simple and intuitive it is. Now think: if we find a MySQL error-based injection, why not write the test for it with WebDriver? If we find an XSS, we can again document it as WebDriver code. A test that reproduces the finding can be re-run after the fix, so the same script that proves the vulnerability later proves the remediation. WebDriver also lets you read the page title, keywords, description, and thousands of other things. Now we can move on to the Web Object Model.
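What documenting a finding as a test looks like in practice, as an added example that is not part of the original article and does not use WebDriver (no browser is available where the check runs): a constructed comment-preview handler with a reflected XSS, served on a loopback port by the Python standard library, and a check that replays the request the way a recorded test would and records whether the payload is echoed unencoded. The handler, the path, the parameter name and the payload are all assumptions; the fixed variant HTML-encodes the reflected value, which is the change the test should observe after remediation.

```python
import html
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed payload: harmless, but it only "works" if echoed back unencoded.
PAYLOAD = '<script>alert("xss")</script>'


def make_handler(escape_output):
    """Build a handler that echoes the 'comment' query parameter into the
    page. escape_output=False reproduces the vulnerable behaviour (raw
    reflection); True applies the fix (HTML-encode untrusted output)."""

    class PreviewHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            query = urllib.parse.urlparse(self.path).query
            comment = urllib.parse.parse_qs(query).get("comment", [""])[0]
            shown = html.escape(comment, quote=True) if escape_output else comment
            page = ("<html><body><p>Your comment: %s</p></body></html>" % shown).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            self.wfile.write(page)

        def log_message(self, format, *args):
            pass  # keep the test output clean

    return PreviewHandler


def start_server(escape_output):
    """Serve the chosen variant on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(escape_output))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_reflected_xss(host, port, payload=PAYLOAD):
    """Replay the finding and return the evidence a report needs: the exact
    request, the status, the verdict, and the page fragment that shows it.
    The payload is only dangerous if it comes back byte-for-byte, which is
    what makes it executable in a browser; an encoded echo is not a finding."""
    path = "/comment?" + urllib.parse.urlencode({"comment": payload})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        status = response.status
        body = response.read().decode("utf-8")
    finally:
        conn.close()
    return {
        "request": "GET " + path,
        "status": status,
        "vulnerable": payload in body,
        "evidence": body[body.find("Your comment"):][:120],
    }


def run_against(escape_output):
    """Start one variant of the handler, run the check, and shut it down."""
    server = start_server(escape_output)
    try:
        host, port = server.server_address[:2]
        return check_reflected_xss(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("before fix:", run_against(escape_output=False))
    print("after fix: ", run_against(escape_output=True))
```

The check returns a record rather than printing a verdict, so the same function serves both as the client's evidence (request, status, snippet) and as a regression test once the fix ships: the run against the vulnerable variant proves the finding, the run against the fixed variant proves the fix.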

Web Object Model

Selenium tests cover more than a single piece of web application functionality. With the Web Object Model you can test a whole use case. In Eclipse you need to install TestNG, a framework for developing this kind of test. The installation in Eclipse looks like this:

First, start Eclipse from the Eclipse folder mentioned earlier.

Second, click Help, then Install New Software. Enter the TestNG update site address in the "Work with" field and press Enter.

Third, you should see TestNG listed.

Fourth, select it and press Next until you reach Finish.

Fifth, restart Eclipse.

Then proceed as in the previous section: add the Selenium libraries and start writing the use case. Here is mine:

  1. I want to go to the site's base URL.
  2. I want to go to the page /.
  3. Then I want to go to /cryptographic-libraries/.
  4. I want to add a sample comment.

This time create a new test class (I used Eclipse's JUnit Test Case wizard to create the file) and fill it with the following content:


[plain]// TestNG annotation: the set-up and tear-down hooks of SeleneseTestNgHelper
// are TestNG hooks, so the test must run under TestNG, not JUnit
import org.testng.annotations.Test;
import com.thoughtworks.selenium.*;

public class MyTest extends SeleneseTestNgHelper {

    @Test
    public void testMyTest() throws Exception {
        // 1. and 2.: open the base URL's root page
        selenium.open("/");
        // 3.: follow the link to the article on cryptographic libraries
        selenium.click("link=InfoSec Resources");
        selenium.waitForPageToLoad("30000");
        selenium.click("css=a[title=\"A Review of Selected Cryptographic Libraries\"] > img.attachment-archive-image.wp-post-image");
        selenium.waitForPageToLoad("30000");
        // 4.: add a sample comment and submit the form
        selenium.type("id=comment", "Hi, it's an example comment used in my article for Selenium and automated web testing. It's a simple Web Object Model test.");
        selenium.click("id=submit");
        selenium.waitForPageToLoad("30000");
    }
}[/plain]
And now enjoy all the benefits of the Web Object Model. This is of course not everything, only a quick introduction; one could write a whole book about it. It is really addictive and offers many possibilities, so look online for more on testing web applications with it. Finally, here is the same test in C#:

[plain]using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using NUnit.Framework;
using Selenium;

namespace SeleniumTests
{
    [TestFixture]
    public class MyTest
    {
        private ISelenium selenium;
        private StringBuilder verificationErrors;

        [SetUp]
        public void SetupTest()
        {
            // "*chrome" is Selenium RC's name for Firefox in chrome (privileged) mode;
            // the last argument is the base URL that Open("/") is resolved against
            selenium = new DefaultSelenium("localhost", 4444, "*chrome", "");
            selenium.Start();
            verificationErrors = new StringBuilder();
        }

        [TearDown]
        public void TeardownTest()
        {
            try
            {
                selenium.Stop();
            }
            catch (Exception)
            {
                // Ignore errors if unable to close the browser
            }
            Assert.AreEqual("", verificationErrors.ToString());
        }

        [Test]
        public void TheMyTest()
        {
            selenium.Open("/");
            selenium.Click("link=InfoSec Resources");
            selenium.WaitForPageToLoad("30000");
            selenium.Click("css=a[title=\"A Review of Selected Cryptographic Libraries\"] > img.attachment-archive-image.wp-post-image");
            selenium.WaitForPageToLoad("30000");
            selenium.Type("id=comment", "Hi, it's an example comment used in my article for Selenium and automated web testing. It's a simple Web Object Model test.");
            selenium.Click("id=submit");
            selenium.WaitForPageToLoad("30000");
        }
    }
}[/plain]

Note that the two tests are very similar; they look almost the same. That is one of the advantages of Selenium: it makes little difference whether we write the test in Java or in C#. I hope you have fun writing tests.


The main purpose of this article was to show how a few tools help you create web application tests. With them we can document our own tests far better than with the written word alone. I also showed how to run selected tests and present them to the client. After reading such documentation, the client has reliable evidence that the tests were really performed and the results were not fabricated. Because the documentation is a recorded Selenium or remote-control script, it is fully reproducible for the customer: any of their employees can fire the test, in Selenium IDE or in any web browser driven by WebDriver. One caveat: replaying a script that posts data or injection payloads is itself an action against the target, so keep such evidence scripts within the agreed scope and run them against a test instance wherever possible.

One more thing worth noting: many companies expect every programmer to be able to design tests with Selenium, and knowledge of the environment is a real advantage. This article gives you a solid introduction to Selenium, and I am sure it will be useful.

This gave me the idea for the next two articles in the series. The first will return to unit tests: I will show a few techniques for creating good unit tests that actually assist the software development process. In the second I will show, if I can, how to automate the testing of desktop applications. In the meantime, thank you for your attention and have a nice day!

Adrian Stolarski

Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.