Watir Webdriver +Chromedriver: ADFS Authentication - google-chrome

I'm attempting to load a page that does a call to ADFS for authentication purposes. On the page load, there is a redirect and then popup to enter credentials.
HTTPS must be used.
Chrome must be used as the testing browser.
So, when loading the page everything is working fine, but I'm forced to manually enter credentials when running the test. After inputting the credentials everything is fine, but is there a way to leverage Watir to input this for me? I've tried popping the username:password into the link already with no success, and since I really need to use Chrome the Firefox plugins are moot.
require 'watir-webdriver'
b = Watir::Browser.new :chrome
b.goto 'https://internalUAT.clientwebsite.com/'
b.link(:text => 'HR Dashboard').click
I'm not allowed to post images due to reputation constraints, but please visit https://i.imgur.com/ExVt8fp.png for a screenshot.

When you try passing credentials with the https://user:pass@foo.com technique, do you have any unusual characters in the username or password? (Maybe you have a DOMAIN\username domain prefix?)
If so you might want to make sure any such characters in the credential string are properly escaped.
If that's not the problem, and there's no other way to disable the auth prompt for your tests, then your best bet (IMO) is to write a separate script (or thread) that uses RAutomation (or some other UI automation library of your choosing) to enter your credentials and click the Log In button.
See https://github.com/jarmo/RAutomation
The test cases in the following file contain examples of using RAutomation's send_keys method, which could prove useful:
https://github.com/jarmo/RAutomation/blob/master/spec/window_spec.rb
For the record, it looks like RAutomation may have been used by watir-classic for dialog handling:
https://github.com/watir/watir-classic/blob/master/lib/watir-classic/modal_dialog.rb
http://www.rubydoc.info/github/watir/watir-classic/Watir/ModalDialog
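Escaping the credential string as suggested above, as an added example (not part of the original answer, and written in Python rather than the question's Ruby): it percent-encodes a DOMAIN\username and a password containing URL delimiters before placing them in the URL, and shows that the unescaped form parses to a different host. The host internal.example and both credentials are constructed sample values.

```python
from urllib.parse import quote, unquote, urlsplit


def url_with_credentials(host, username, password, path="/"):
    """Build https://user:pass@host/ with the userinfo percent-encoded.

    safe="" makes quote() escape every reserved character, including
    the backslash in DOMAIN\\user and any '@', ':', '/' or '#'.
    """
    user = quote(username, safe="")
    pwd = quote(password, safe="")
    return f"https://{user}:{pwd}@{host}{path}"


def parsed_target(url):
    """Return (hostname, username, password) as a URL parser sees them."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username else None
    pwd = unquote(parts.password) if parts.password else None
    return parts.hostname, user, pwd


# Constructed sample values, not real credentials.
HOST = "internal.example"
USERNAME = "CORP\\alice"
PASSWORD = "p@ss/w#rd"

# Plain concatenation: the '/' and '#' in the password end the authority
# part early, so the parser no longer sees internal.example as the host.
naive = f"https://{USERNAME}:{PASSWORD}@{HOST}/"
escaped = url_with_credentials(HOST, USERNAME, PASSWORD)

if __name__ == "__main__":
    print("naive  ", naive, "->", parsed_target(naive))
    print("escaped", escaped, "->", parsed_target(escaped))
```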

Related

Chrome: ERR_BLOCKED_BY_XSS_AUDITOR details

I'm getting this chrome flag when trying to post and then get a simple form.
The problem is that the Developer Console shows nothing about this and I cannot find the source of the problem by myself.
Is there any option for looking at this in more detail?
View the piece of code triggering the error for fixing it...
The simple way to bypass this error in development is to send a header to the browser.
Put the header before sending data to the browser.
In PHP you can send this header to bypass this error (send header reference):
header('X-XSS-Protection:0');
In ASP.NET you can send this header (send header reference):
HttpContext.Response.AddHeader("X-XSS-Protection","0");
or
HttpContext.Current.Response.AddHeader("X-XSS-Protection","0");
In Node.js, send the header (send header reference):
res.writeHead(200, {'X-XSS-Protection':0 });
// or express js
res.set('X-XSS-Protection', 0);
Chrome v58 might or might not fix your issue... It really depends on what you're actually POSTing. For example, if you're trying to POST some raw HTML/XML data within an input/select/textarea element, your request might still be blocked by the auditor.
In the past few days I hit this issue in two different scenarios: a WYSIWYG client-side editor and an interactive upload form featuring some kind of content preview. I managed to fix them both by base64-encoding the raw HTML before POSTing it, then decoding it on the receiving PHP page. This will most likely fix the issue and, most importantly, increase the developer's awareness level regarding the data coming from POST requests, hopefully pushing them into adopting effective data encoding/decoding strategies and strengthening their web application against XSS-type attacks.
To base64-encode your content on the client side you can either use the native btoa() function, which is supported by most browsers nowadays, or a third-party alternative such as a jQuery plugin (I ended up using this, which worked ok).
To base64-decode the POST data you can then use PHP's base64_decode(str) function, ASP.NET's Convert.FromBase64String(str) or anything else (depending on your server-side scenario).
For further info, check out this blog post that I wrote on the topic.
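The receiving side of that approach, as an added example (not from the original answer, and in Python rather than the PHP or ASP.NET the answer mentions): it strictly decodes a base64 POST field and HTML-escapes the result before it is echoed back as text, because base64 only changes how the markup travels and the decoded value is still untrusted input. The size limit, the sample field and the function names are assumptions, and the client is assumed to have base64-encoded UTF-8 bytes.

```python
import base64
import binascii
import html

MAX_DECODED_BYTES = 64 * 1024  # assumed limit for this example


def decode_posted_html(field_value):
    """Decode a base64 form field into text, rejecting malformed input."""
    try:
        # validate=True refuses characters outside the base64 alphabet
        # instead of silently skipping them.
        raw = base64.b64decode(field_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("field is not valid base64") from exc
    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("decoded content too large")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decoded content is not UTF-8") from exc


def preview_as_text(field_value):
    """Return the decoded markup escaped for display as plain text.

    Rendering it as live markup instead would need an allow-list HTML
    sanitizer; escaping is the safe default shown here.
    """
    return html.escape(decode_posted_html(field_value), quote=True)


# Constructed sample: the field a client would send for this snippet.
SAMPLE_HTML = '<b onclick="x()">hi</b>'
SAMPLE_FIELD = base64.b64encode(SAMPLE_HTML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_FIELD)
    print(preview_as_text(SAMPLE_FIELD))
```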
In this case, being a first-time contributor at the Creative forums, (some kind of vBulletin construct) and reduced to posting a PM to the moderators before forum access it is easy for one to encapsulate the nature of the issue from the more popular answers above.
The command was
http://forums.creative.com/private.php?do=insertpm&pmid=
And as described above the actual data was "raw HTML/XML data within an input/select/textarea element".
The general requirement for handling such a bug (or feature) at the user end is some kind of quick fixit tweak or twiddle. This post discusses the option of clearing cache, resetting Chrome settings, creating a new_user or retrying the operation with a new beta release.
It was also suggested that one launches a new instance with the following:
google-chrome-stable --disable-xss-auditor
The launch actually worked in this W10 1703 Chrome 061 edition after this modified version:
chrome --disable-xss-auditor
However, on logging back in to the site and attempting the post again, the same error was generated. Perhaps the syntax wants refining or something else is awry.
It then seemed reasonable to launch Edge and repost from there, which turned out to be no problem at all.
This may help in some circumstances. Modify Apache httpd.conf file and add
Header set X-XSS-Protection 0
It may have been fixed in Version 58.0.3029.110 (64-bit).
I've noticed that if there is an apostrophe ' in the text Chrome will block it.
When I update href from javascript:void(0) to # in the page of POST request, it works.
For example:
<a href="javascript:void(0)">login</a>
Change to:
<a href="#">login</a>
I solved the problem!
In my case, when I make the submit, I send the HTML to the action, and in the model I had a property that accepts the HTML with "AllowHTML".
The solution consists of removing this "AllowHTML" property, and everything goes OK!
Obviously I no longer send the HTML to the action because in my case I do not need it.
It is a Chrome bug. The only remedy is to use FireFox until they fix this Chrome bug. XSS auditor trashing a page, that has worked fine for 20 years, seems to be a symptom, not a cause.

Chrome basic authentication custom message stopped working

I am using an nginx proxy to serve my web page. To log in, users need to provide their 2-factor authentication code and their password. To let users know that they need to enter their password + 2-factor code to log in, I send them the message "Login required, username, password+VIP token".
And this is what I get now
This has stopped working from Chrome version 49. I am on 49.0.2623.110.
Any work around to fix this? It works perfectly on firefox.
This was indeed answered in Change Basic HTTP Authentication realm and login dialog message.
Short explanation: You were actually defining realms with auth_basic directives of Nginx on the server side. But "whether to prompt this message or not" is basically a design choice made by specific client programs. And Chrome just chose to hide it, for reasons you may find in the first link.
In fact, as of my decade (2022), Firefox seems to hide the message too.
Why I necromance this very old post: I was reading this documentation of Nginx. At the end of the article, there is a screenshot similar to the Firefox one in the OP. Unsurprisingly, my browser didn't behave like that even though I followed all the instructions therein. Then I started Googling and this is the first hit relevant to my question. After I learned something about HTTP basic authentication, realm etc. and finally came across the first link, I think I should post something here.
Apparently, Nginx documentation is using kinda modern UI to host kinda outdated contents. Hope this answer will help anyone who is confused by that screenshot too ;)

Unable to log into site with JMeter

I am currently learning how to use JMeter so I can test my company's website. I set up a thread group and put in a few HTTP requests that should log into the site and navigate the tabs. The problem is that it does not appear to be logging in. When I look at the response data, I see that the log in request returns the correct temporary redirect page, but every request after that simply returns the html for the initial log in page.
I have tried using a simple HTTP request that sets the username and password text boxes to account details I know work. I have also tried using a Login Config Element and an HTTP Authorization Manager, and they all get the same thing. I tried changing the redirect options as is suggested here, but it was already set to "Follow Redirects". I tried switching it back too, and that didn't work.
I don't know what to do here. Can anyone help me out?
EDIT: I am going to be away on break for the next week, so I won't be able to respond to answers. I'll be back on Dec 3rd.
In the absolute majority of cases it's connected with cookies.
Try adding HTTP Cookie Manager and see what happens.
If you want to manipulate cookies you may wish to store them to JMeter Variables. To enable this functionality you'll need to set the following property:
CookieManager.save.cookies=true
The property lives in jmeter.properties file under /bin folder of your JMeter installation.
It depends on how the page is reacting. If the session is stored in a cookie, you need to have a Cookie Manager. Otherwise search for a session_id or token; you need to extract the token using a Regular Expression Extractor and pass it with the login form user name and password.
I hope the video below can help you a little.
http://www.youtube.com/watch?v=1V0E8CEabUY

Handling 'choose a digital certificate' with selenium webdriver chrome

When I open a page with selenium webdriver I get a chrome dialog box "Choose certificate". The default certificate is the right one so I only have to click OK button. But I have problem with this. I have python code:
drv = webdriver.Chrome()
drv.get("https://example.com/login")
and after that I want to do something like:
drv.switch_to_alert().accept()
or
drv.switch_to_alert().send_keys(Keys.TAB)
drv.switch_to_alert().send_keys(Keys.SPACE)
The problem is that the code stops executing on line drv.get("https://example.com/login"). Webdriver is waiting for page to load. And before that line there is no chrome dialog box.
How can I handle this?
You'll have to use something like AutoIT:
http://www.autoitscript.com/site/autoit/
Why you ask? It's an OS dialog, which Selenium does not and probably never will handle, so you'll have to turn to other solutions (in C# you should use native Win32 API methods to click the button for instance).
Certificates are managed by the OS, not the browser. Delete all but the necessary certificate from your browser's certificate store and then configure the browser to automatically select the certificate when only one certificate is present. You could also create a browser profile and have your program launch this profile or avoid testing over HTTPS.
Before handling anything here, add the line below so it will not freeze as soon as you navigate to/trigger the certificate pop-up. Remember to add the correct wait time back later.
getDriver().manage().timeouts().pageLoadTimeout(1000, TimeUnit.MILLISECONDS);
After this, you can try using the keyboard or AutoIt, whatever.
You can configure your Group Policy so that Chrome chooses your certificate.
Chrome uses a registry entry with JSON containing your certificate information. After you configure the GPO, find a way to modify this JSON with Python.
With C# I use Microsoft.Win32.Registry to manipulate the registry.
Follow the steps to configure your GPO:
First I need to thank IngussNeilands for the tutorial provided on his GitHub. It saved me!
You can follow the steps in IngussNeilands's tutorial here or follow my version of his tutorial below.
## Steps to Configure the Policy Groups
1. Download the Chrome Policy Templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
2. Extract the .zip file and find the chrome.adm that matches the country and language settings of your Windows, following the path: policy_templates\windows\adm\<YourCountryAndLanguage>\chrome.adm
3. Type "run" into your Windows Search Bar or press Windows + R. Then type the command gpedit.msc to open the Local Group Policy Editor.
4. Now, access 'Computer Policy>> Computer Configuration', right-click the file 'Administrative Templates' and select 'Add or remove templates'.
5. Click 'add' and navigate to the chrome.adm that you chose before in 'policy_templates\windows\adm\<YourCountryAndLanguage>\chrome.adm'. Click to open it.
6. Now, navigate to: 'Computer Policy>> Computer Configuration>> Administrative Templates>> Classic Administrative Templates(ADM)>> Google>> Google Chrome>> Content Settings'
7. Then on the right side of the window find and double-click the option 'Automatically select client certificates for these sites'.
8. Click the 'Enabled' option.
9. Now, click 'Show...' in the options pane below.
10. Copy and paste the JSON below into the Value column:
   {"pattern":"https://[*.]example.com","filter":{"ISSUER":{"CN":"example.com"},"SUBJECT":{"CN":"value"}}}
   This JSON needs to be rewritten with your certificate information.
## How to Rewrite the Chrome Configure JSON
OK, now I will give you a brief explanation of how to rewrite the Chrome config JSON.
In the "pattern" key the value needs to be the URL that the certificate will be sent to. In most cases this URL is the same as the URL of the page, but some sites don't use the same base URL to send the certificate.
For example, when I was trying to web-scrape the NFS-e in Uberlândia city I needed to debug the script of the page to find the URL to which the certificate was sent.
The "filter" key will have the certificate information. In my case, I need to access the same website with different certificates, and for that I'll have to fill the JSON with the "ISSUER" and "SUBJECT" information. Chrome will choose one certificate that matches the information contained in the filter key. For example, if I fill the "CN" of the "ISSUER" object with "SERASA Certificadora Digital v5" I'll have more than one certificate with this information and Chrome won't be able to choose the right certificate.
In my Git here you can find the solution to alter the JSON to access the same site with more than one certificate.
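A way to check a filter before pasting it into the policy value, as an added example (not from the original answer or the linked tutorial): it builds the JSON entry in the shape shown above and counts how many certificates in a constructed inventory the filter would match, so an ISSUER-only filter that fits several certificates is caught early. The certificate list, the subject names and the function names are assumptions made for illustration, and the matching is a simplified model of the CN comparison, not Chrome's own code.

```python
import json

# Constructed inventory standing in for the user's certificate store.
CERTS = [
    {"ISSUER": {"CN": "SERASA Certificadora Digital v5"},
     "SUBJECT": {"CN": "COMPANY A LTDA:00000000000100"}},
    {"ISSUER": {"CN": "SERASA Certificadora Digital v5"},
     "SUBJECT": {"CN": "COMPANY B LTDA:00000000000200"}},
    {"ISSUER": {"CN": "Example Internal CA"},
     "SUBJECT": {"CN": "test-client"}},
]


def policy_entry(pattern, issuer_cn=None, subject_cn=None):
    """Return one policy value as a compact JSON string."""
    cert_filter = {}
    if issuer_cn:
        cert_filter["ISSUER"] = {"CN": issuer_cn}
    if subject_cn:
        cert_filter["SUBJECT"] = {"CN": subject_cn}
    return json.dumps({"pattern": pattern, "filter": cert_filter},
                      separators=(",", ":"))


def matching_certs(entry_json, certs):
    """Certificates whose fields equal every field named in the filter."""
    cert_filter = json.loads(entry_json)["filter"]  # raises on malformed JSON
    return [
        cert for cert in certs
        if all(cert.get(section, {}).get(attr) == value
               for section, attrs in cert_filter.items()
               for attr, value in attrs.items())
    ]


def check_entry(entry_json, certs):
    """Classify a filter as 'unique', 'ambiguous' or 'no match'."""
    count = len(matching_certs(entry_json, certs))
    return {0: "no match", 1: "unique"}.get(count, "ambiguous")


issuer_only = policy_entry("https://[*.]example.com",
                           issuer_cn="SERASA Certificadora Digital v5")
issuer_and_subject = policy_entry("https://[*.]example.com",
                                  issuer_cn="SERASA Certificadora Digital v5",
                                  subject_cn="COMPANY A LTDA:00000000000100")

if __name__ == "__main__":
    for entry in (issuer_only, issuer_and_subject):
        print(check_entry(entry, CERTS), entry)
```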

HTML hyperlink to call exe with parameters

Hello, looking for some help.
We currently have a winform app used to do approvals in our company. The app sends html emails to the "approvers" who read the relevant info in the email and click on a hyperlink which launches the app so they can do their approval.
Currently this is done by including the following in the email html:
<a href=file:///C:\Temp\test.exe>Click to Approve</a>
This correctly launches the app, after a couple of security warnings which we are OK with. We use Outlook 2010.
Now, in order to improve this process I would need to pass an argument identifying the approver to the app. This works correctly if I pass the argument from, say, a windows shortcut, however, I cannot find a way to pass the argument to the exe in the href attribute in order to do it from the email. I looked everywhere, and found nothing except questions.
I have tried the following to no avail:
<a href=file:///C:\Temp\test.exe approverID>Click to Approve</a>
<a href=file:///C:\Temp\test.exe 'approverID'>Click to Approve</a>
Click to Approve
Also I have tried doing it with JavaScript, which from an HTML page works fine, but not from an email in Outlook.
I thought maybe there is a security threat with this approach hence it is not possible, but if I can successfully from an email run an exe, why can I not run an exe with parameters? It doesn't make sense.
Thank you for your help.
Leo
After not getting any suitable responses and after continuing my research for this without success, I will temporarily conclude that what I am looking for is not possible. If the reasons for this not being possible concern security, then I am completely puzzled as to why running an exe without parameters is allowed and therefore considered LESS harmful than running an exe with parameters. Surely, an exe does not require parameters to be harmful. If anyone would care to elaborate on this, it would be educational for me, thank you.
Nevertheless, I have thought of an alternative to my problem, which is not as elegant as would otherwise be stating parameters in href, but it serves my purpose. Because our app is run from a network drive, I have changed it so that it creates user-specific cmd files on the network drive and the hyperlink in the email it creates points to these cmd instead of the exe. That way, the cmd files contains the call to the exe with the correct parameters and as the cmd files are very light and quickly written, this is OK.
I am closing this as "answered", but it is not.
Thanks for taking your time to read.
Leo
I recommend you take a look to "How to create a protocol and assign it an app with parameters".
Example : http://kb.mozillazine.org/Register_protocol
http://msdn.microsoft.com/en-us/library/aa767914.aspx
I have had the same problem and one alternative I have found was to create a .bat file that is attached to the e-mail and includes the command line and respective parameters; the user double-clicks the attachment, confirms that they want to open the file, and the .bat runs. It is not as clean as the link but I guess it is an acceptable workaround in some cases.
Important: My OS is Win7 and e-mail client is Lotus Notes, I am not sure if this alternative works with other mail clients/OSs.