Selenium WebDriver Security Testing
Add 250+ security checks to your Selenium WebDriver automation. Detect XSS vectors, insecure cookies, and more - with the same API you already know.
Note: Selenium WebDriver cannot access HTTP response headers, so approximately 5 header-related rules are automatically skipped. All other security checks work identically to Playwright and Puppeteer.
Quick Start with Selenium WebDriver
1. Install QAstell
npm install qastell selenium-webdriver
2. Add Security Auditing to Your Script
const { Builder } = require('selenium-webdriver');
const { SecurityAuditor } = require('qastell');

(async () => {
  const driver = await new Builder().forBrowser('chrome').build();
  try {
    await driver.get('https://your-app.com');

    // Run 250+ security checks
    const auditor = new SecurityAuditor(driver);
    await auditor.assertNoViolations();
  } finally {
    // Always close the browser, even when the assertion throws
    await driver.quit();
  }
})();
3. Run Your Script
node your-script.js
Zero Configuration: QAstell automatically detects Selenium WebDriver. The same SecurityAuditor API works identically with Playwright, Puppeteer, and WebDriver.
Complete Selenium WebDriver Example
Here's a comprehensive example showing security auditing with Selenium WebDriver:
const { Builder } = require('selenium-webdriver');
const { SecurityAuditor } = require('qastell');
const fs = require('fs');

async function runSecurityAudit() {
  const driver = await new Builder()
    .forBrowser('chrome')
    .build();

  try {
    // Navigate to your app
    await driver.get('https://your-app.com');

    // Wait for page to stabilize
    await driver.sleep(1000);

    // Run security audit
    const auditor = new SecurityAuditor(driver);
    const results = await auditor.audit();

    // Log summary
    console.log(`Security audit complete:`);
    console.log(`  Total issues: ${results.summary.total}`);
    console.log(`  Critical: ${results.summary.bySeverity.critical}`);
    console.log(`  High: ${results.summary.bySeverity.high}`);

    // Generate HTML report
    fs.writeFileSync('security-report.html', results.toHTML());

    // Fail if critical issues found. Set exitCode instead of calling
    // process.exit(), which would skip the finally block and leak the browser.
    if (results.summary.bySeverity.critical > 0) {
      process.exitCode = 1;
    }
  } finally {
    await driver.quit();
  }
}

runSecurityAudit().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});
WebDriver-Specific Features
Browser Support
QAstell works with all browsers supported by Selenium WebDriver:
// Pick one browser; the alternatives are commented out
// Chrome
const driver = await new Builder().forBrowser('chrome').build();
// Firefox
// const driver = await new Builder().forBrowser('firefox').build();
// Edge
// const driver = await new Builder().forBrowser('MicrosoftEdge').build();
// Safari
// const driver = await new Builder().forBrowser('safari').build();

// Same SecurityAuditor API for all browsers
const auditor = new SecurityAuditor(driver);
Multi-Page Crawling
Audit multiple pages in a single session:
async function auditSite(urls) {
  const driver = await new Builder().forBrowser('chrome').build();
  const allResults = [];

  try {
    for (const url of urls) {
      await driver.get(url);
      await driver.sleep(1000); // Wait for page to load

      const auditor = new SecurityAuditor(driver);
      const results = await auditor.audit();
      allResults.push({ url, results });
      console.log(`${url}: ${results.summary.total} issues`);
    }
  } finally {
    // Close the browser even if one of the pages fails to load or audit
    await driver.quit();
  }

  return allResults;
}
Headless Mode
QAstell works with headless browsers:
const chrome = require('selenium-webdriver/chrome');

const options = new chrome.Options();
options.addArguments('--headless');
options.addArguments('--disable-gpu');

const driver = await new Builder()
  .forBrowser('chrome')
  .setChromeOptions(options)
  .build();

const auditor = new SecurityAuditor(driver);
Integration with Mocha/Jest Config
Set up the license globally in your test framework's setup file:
// test/setup.js (Mocha)
import { initLicense } from 'qastell';
// Initialize license once before all tests
initLicense(process.env.QASTELL_LICENSE);
For Mocha, reference it in your .mocharc.json:
// .mocharc.json
{
  "require": ["test/setup.js"],
  "timeout": 30000
}
For WebdriverIO, use the before hook in your config:
// wdio.conf.js
import { initLicense } from 'qastell';

export const config = {
  before: function() {
    initLicense(process.env.QASTELL_LICENSE);
  },
  // ... other config
};
Force Framework Detection
If you're using custom WebDriver wrappers and auto-detection fails, you can force WebDriver mode:
const auditor = new SecurityAuditor(driver, { framework: 'webdriver' });
// Verify the detected framework
console.log(auditor.getFramework()); // 'webdriver'
Limitations
Due to Selenium WebDriver's architecture, there are some limitations compared to Playwright and Puppeteer:
- No HTTP Response Headers - WebDriver cannot access HTTP response headers, so header-related rules (approximately 5 rules in the headers category) are automatically skipped.
- No Network Interception - WebDriver doesn't provide network-level access, so some advanced checks are not available.
- Page Load Timing - You may need to add explicit waits (e.g., driver.sleep()) since WebDriver doesn't have networkidle options like Playwright.
All other security checks - DOM analysis, cookie inspection, JavaScript evaluation, storage analysis, and Shadow DOM inspection - work identically across all three frameworks.
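The response-header gap described above can be covered outside the browser session. The following is an added example, not part of QAstell or of this page's original code: it re-requests the URL the driver is on with Node 18+ fetch and checks a handful of response headers. The header list and the names checkSecurityHeaders and auditResponseHeaders are assumptions chosen for illustration, not QAstell's skipped rule set.

```javascript
// Added example: out-of-band response header check for WebDriver sessions.
// The expected-header list is an assumption, not QAstell's rule set.
const EXPECTED_HEADERS = {
  'strict-transport-security': (v) => /max-age=\d+/i.test(v) && !/max-age=0\b/i.test(v),
  'content-security-policy': (v) => v.trim().length > 0,
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'referrer-policy': (v) => v.trim().toLowerCase() !== 'unsafe-url',
};

// Constructed sample response headers (not captured from a real site).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=0',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
};

// Framing protection counts if either X-Frame-Options or CSP frame-ancestors is set.
function hasFramingProtection(h) {
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = h['content-security-policy'] || '';
  return xfo === 'DENY' || xfo === 'SAMEORIGIN' || /(^|;)\s*frame-ancestors\s/i.test(csp);
}

// Takes a plain object of response headers and returns a list of findings.
function checkSecurityHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const [name, isValid] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in h)) findings.push({ header: name, issue: 'missing' });
    else if (!isValid(h[name])) findings.push({ header: name, issue: 'weak value' });
  }
  if (!hasFramingProtection(h)) findings.push({ header: 'x-frame-options', issue: 'missing' });
  return findings;
}

// Re-request the page the WebDriver session is on and check its headers.
async function auditResponseHeaders(driver) {
  const url = await driver.getCurrentUrl();
  const res = await fetch(url, { redirect: 'follow' });
  return checkSecurityHeaders(Object.fromEntries(res.headers.entries()));
}
```

The separate request does not carry the browser's cookies, so pages behind a login may return different headers than the ones the browser received.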
What Gets Checked
QAstell runs 250+ security checks across these categories when using Selenium WebDriver:
- Cookies - HttpOnly, Secure, SameSite flags on sensitive cookies
- Forms - CSRF tokens, autocomplete on sensitive fields, action URLs
- Links - Missing rel="noopener", javascript: URLs
- DOM Security - Inline handlers, DOM clobbering, prototype pollution
- Secrets - API keys, tokens in HTML, comments, localStorage
- Mixed Content - HTTP resources on HTTPS pages
- CSP Meta Tags - Content Security Policy in meta tags
- And 40+ more categories...